Configuring ADFS 2 as an Identity Provider

The EmpowerID SSO framework allows you to configure Identity Provider (IdP) SSO connections for third-party identity providers that support the use of WS-Federation for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any WS-Federation application in which you establish a trust relationship.

This topic demonstrates how to configure an SSO connection for WS-Federation Identity Provider applications by creating an SSO connection for AD FS 2 and is divided into the following activities:

Prerequisites - As a prerequisite to creating an SSO Connection for AD FS 2.0, you must install the AD FS role service on your EmpowerID server. For information on installing the AD FS role service, see Microsoft's topic at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-the-ad-fs-role-service.

Once the SSO Connection has been set up for AD FS, you can create a link similar to the one below to allow users to login to EmpowerID using AD FS.
https://sso.empowersso.com/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/ADFS?returnUrl=%2FEmpowerIDWebIdPForms%2F
Be sure to replace "sso.empowersso.com" with the FQDN of the EmpowerID Web server in your environment and ADFS with the name of the SSO connection you create for AD FS in EmpowerID.

To register EmpowerID as a Relying Party application in AD FS 2

  1. On the server with the ADFS installation, open the AD FS 2 management console.
  2. From the AD FS 2 management console, expand the Trust Relationships node, right-click Relying Party Trusts and select Add Relying Party Trust from the context menu.
  3. In the Relying Party Trust Wizard that appears click Start and then do the following:
    1. From the Select Data Source screen, select Enter data about the relying party manually and then click Next.
    2. From the Specify Display Name screen, type an appropriate display name for EmpowerID in the Display Name field and then click Next.
    3. From the Choose Profile screen, select AD FS 2.0 profile and then click Next.
    4. From the Configure Certificate screen, browse to and select the public key for the certificate you are using in your EmpowerID deployment and then click Next. AD FS will use this certificate to encrypt claims sent to EmpowerID.
    5. From the Configure URL screen, select Enable support for the WS-Federation Passive protocol, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/ACS, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment and click Next.
    6. From the Configure Identifiers screen, type https://sso.empowerid.com in the Relying party trust identifier field, replacing "sso.empowerid.com " with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment and then click Add. You should see two entries, similar to those depicted below, in the Relying party trust identifiers pane.
    7. Click Next and in the Choose Issuance Authorization Rules screen, ensure that Permit all users to access this relying party is selected and then click Next.
    8. From the Ready to Add Trust screen, review your settings and then Next to add the trust for EmpowerID.
    9. Ensure that Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected and then click Close.
  4. In the Edit Claim Rules for <the name you just gave the relying party application> dialog that appears, click Add rule.
  5. This opens the Add Transform Claim Rule Wizard. The wizard allows us to specify which AD attributes should be sent to EmpowerID as identity claims. We want to send the UPN and the Name attributes.

  6. From the Add Transform Claim Rule Wizard, select Send LDAP Attributes as Claims from the Claim rule template drop-down and then click Next.
  7. Type a name, such as Default_Claims, in the Claim rule name field and select Active Directory from the Attribute store drop-down.
  8. Underneath Mapping of LDAP attributes to outgoing claim types, do the following:
    1. Select User_Principal_Name from the LDAP Attribute drop-down and UPN from the Outgoing Claim Type drop-down.
    2. Select SAM-Account-Name from the LDAP Attribute drop-down and Name from the Outgoing Claim Type drop-down and then click Finish to close the wizard.
  9. Back in the Edit Claim Rules dialog, click Apply.
  10. Click OK to close the Edit Claim Rules dialog.
  11. Next, add the Service communications, token-signing and token-decrypting certificates on the ADFS server to the Personal and Trusted People certificate stores on the EmpowerID web server in your environment.

To add the certificates to the certificates stores

  1. From the certificates node of the ADFS 2.0 management console, right-click the Service communications certificate and select View Certificate from the context menu.
  2. In the Certificate window that appears, click the Details tab and then click Copy to File.
  3. In the Certificate Export Wizard that appears, click Next.
  4. Select No, do not export the private key and then click Next.
  5. Select Base-64 encoded X.509 (.Cer) and click Next.
  6. Browse for an export location and click Next.
  7. Click Next and follow the wizard through to complete the export of the certificate.
  8. Repeat the above steps for the token-decrypting and token-signing certificates (you will not be presented with an option to export the private key for these certificates).
  9. Next, open MMC and add the Certificates snap-in for the local computer if needed.
  10. Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
  11. In the Certificate Import Wizard that appears, click Next.
  12. Click Browse and locate your certificates.
  13. In the Open window that appears, select one of your certificates and click Open.
  14. Continue through the Certificate Import Wizard, until completed.
  15. Repeat for each of your certificates until each of them is in both the Personal and Trusted People certificate stores.

To create a WS-Federation Connection for ADFS in EmpowerID

  1. From the Navigation Sidebar, navigate to the the find protected application resource page by expanding Application and clicking Manage Applications.
  2. From the Actions pane of Application Manager, click the Create WS-Federation Connection action link.
  3. From the General tab of the Connection Details form, select Identity Provider as the Connection Type.
  4. In the Connection Details section of the form do the following:
    1. Type an appropriate name, display name and description for the connection in the Name, Display Name and Description fields, respectively.
    2. In the Tile Image URL field, type ~/Resources/Content/Images/Logos/ADFS2Logo.png. This tells EmpowerID the relative location of the logo that is to be placed on the ADFS 2 login tile for any domains associated with the connection.
    3. In the Initiating URL field, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/SignIn, replacing sso.empowerid.com with the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment.
    4. In the External IdP URL field, type the value of the WS-Federation Sign-In Endpoint for ADFS. This value should be similar to fs.tdnfdemo.com/adfs/ls/ where "fs.tdnfdemo.com" is the FQDN or resolvable DNS of the ADFS server with which you are federating.
    5. In the Realm field, type base URL for your EmpowerID Web server, such as "https://sso.empowerid.com", where "sso.empowerid.com" is the FQDN or resolvable DNS of your EmpowerID server.
    6. In the Map To Account Claim Type field, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. This specifies that EmpowerID look for the Name attribute in the token sent to it by ADFS.
    7. When you have completed the above, the General section of the form should look similar to the following image:

  5. In the Account Information section of the form, choose whether to create an new account directory for the connection or select an existing account directory from which to add accounts for the connection. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store account exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Opting to create a new account directory is advantageous in that doing so creates a one-to-one correlation between the account store and the connection. In our example, we are creating a new account directory.
  6. Click the Domains tab. From this tab, you can select the domains in which you want a login tile for ADFS to appear to users as a login option for accessing your EmpowerID site.
  7. From the Domains tab, click the Add (+) button in the Assigned Domains section.
  8. In the Add Domain dialog that appears, type the name of an existing domain for which you want a login tile for the connection to appear and then click the tile for that domain.
  9. Click Save to close the Add Domain dialog and then click the Save button on the form to save the WS-Fed connection.
  10. Now that you created the SSO connection for ADFS, you can test the connection as demonstrated below.

To test the ADFS IDP connection

  1. Launch your web browser, pointing it to the domain name you configured for the ADFS IdP connection.
  2. Underneath Login using one of your other accounts, click the ADFS button.
  3. This redirects your browser to the ADFS login page and presents you with an Authentication Required dialog. Type your Windows credentials in the Authentication Required dialog and click OK.
  4. EmpowerID verifies the claims and grants you access.