HID Microsoft ADFS and ActivID AS using SAML User Manual
ActivID Appliance 7.2 and AD FS | Integration Handbook | ADFS
External Release | © 2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved.
Page 5

3.0 Microsoft AD FS Configuration
This chapter describes how to configure Microsoft AD FS to federate with the ActivID Appliance.
When an application is in one network and the user accounts are in another network (managed by an ActivID
Appliance), users typically encounter prompts for secondary credentials when they attempt to access the
application. These secondary credentials represent the identity of the user in the realm where the application
resides; the web server hosting the application usually requires them so that it can make an appropriate
authorization decision.
AD FS makes secondary accounts and their credentials unnecessary by providing trust relationships through which
a user's digital identity and access rights (stored in, or linked to, the ActivID Appliance) can be projected to trusted
partners. In a federated environment, each organization continues to manage its own identities, but each
organization can also securely project its identities to, and accept identities from, other organizations.
When a user signs in to a web application federated through AD FS, the user specifies a URL that is associated with a
specific identity partner (realm). The web application and AD FS forward the user to the ActivID Appliance IDP
authentication server, which verifies the user's identity before web SSO is granted.
3.1 Procedure 1: Exporting ActivID Appliance IDP Metadata
To configure the ActivID Appliance as an IDP, you must provide its metadata to the Service Provider (AD FS).
The first procedure therefore establishes the trust between the SP (AD FS) and the IDP (ActivID Appliance): the
metadata exchange.
The ActivID Appliance IDP metadata is not stored as such in the appliance database. It is generated on demand
when an export is requested through the ActivID Appliance Management Console, from the following data:
• ActivID Appliance IDP hostname
• ActivID Appliance IDP port number—This is an optional attribute.
• ActivID Appliance Security Domain—The Security Domain name is part of the URIs defined in the metadata.
• Flag indicating whether the ActivID Appliance IDP accepts only signed requests—This is an optional attribute
that indicates whether requests sent to the IDP must be signed. If the attribute is omitted, the value is assumed
to be false.
• Alias of the ActivID Appliance IDP certificates (signing and encryption) stored in the Hardware Security
Module (HSM) keystore.
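The following Python script is an added example and is not HID's code: it shows how the inputs listed above map onto the elements of a SAML 2.0 IdP metadata document (entityID and endpoint URIs derived from hostname, port and Security Domain; the WantAuthnRequestsSigned attribute derived from the signed-requests flag; one KeyDescriptor per signing and encryption certificate), and how the SP side can sanity-check an exported file before importing it into AD FS. The URL path layout (`/saml/<security domain>`) is an assumption made here for illustration, as are the placeholder certificate values; the real appliance reads the certificates from its HSM keystore aliases, which this script does not model.

```python
"""Build and sanity-check SAML 2.0 IdP metadata from the export inputs
described above. Added example; the URL layout and certificates are
constructed placeholders, not the ActivID Appliance's real values."""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders standing in for base64 DER certificates.
SAMPLE_SIGNING_CERT = base64.b64encode(b"constructed placeholder, not a certificate (signing)").decode()
SAMPLE_ENCRYPTION_CERT = base64.b64encode(b"constructed placeholder, not a certificate (encryption)").decode()


@dataclass
class IdpExportInputs:
    """The five inputs the metadata export is generated from."""
    hostname: str
    security_domain: str
    port: Optional[int] = None          # optional
    signed_requests_only: bool = False  # optional; assumed false when omitted
    signing_cert_b64: str = SAMPLE_SIGNING_CERT
    encryption_cert_b64: str = SAMPLE_ENCRYPTION_CERT


def base_url(i: IdpExportInputs) -> str:
    host = i.hostname if i.port is None else f"{i.hostname}:{i.port}"
    # ASSUMED path layout: the only documented property is that the
    # Security Domain name appears in the metadata URIs.
    return f"https://{host}/saml/{i.security_domain}"


def _key_descriptor(parent: ET.Element, use: str, cert_b64: str) -> None:
    kd = ET.SubElement(parent, f"{{{MD}}}KeyDescriptor", use=use)
    ki = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64


def build_idp_metadata(i: IdpExportInputs) -> str:
    """Serialize an md:EntityDescriptor for the IdP from the export inputs."""
    url = base_url(i)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=url)
    idp = ET.SubElement(
        root, f"{{{MD}}}IDPSSODescriptor",
        protocolSupportEnumeration=SAML2,
        WantAuthnRequestsSigned="true" if i.signed_requests_only else "false",
    )
    _key_descriptor(idp, "signing", i.signing_cert_b64)
    _key_descriptor(idp, "encryption", i.encryption_cert_b64)
    for binding in (HTTP_REDIRECT, HTTP_POST):
        ET.SubElement(idp, f"{{{MD}}}SingleSignOnService",
                      Binding=binding, Location=f"{url}/sso")
    return ET.tostring(root, encoding="unicode")


def check_idp_metadata(xml_text: str) -> dict:
    """Parse metadata the way an SP would and report what the trust depends on."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{MD}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    idps = root.findall("md:IDPSSODescriptor", NS)
    if len(idps) != 1:
        problems.append(f"expected one IDPSSODescriptor, found {len(idps)}")
        return {"entity_id": root.get("entityID"), "problems": problems}
    idp = idps[0]
    if SAML2 not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("IDPSSODescriptor does not advertise SAML 2.0")
    # xs:boolean: absent means false, which is the documented default.
    want_signed = idp.get("WantAuthnRequestsSigned", "false").strip().lower() in ("true", "1")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    for binding, loc in sso.items():
        if not (loc or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https")
    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]  # no 'use' = both
        text = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS).strip()
        if not text:
            problems.append(f"{'/'.join(uses)} KeyDescriptor has no X509Certificate")
            continue
        try:
            der = base64.b64decode(text, validate=True)
        except ValueError:
            problems.append(f"{'/'.join(uses)} certificate is not valid base64")
            continue
        for use in uses:
            certs[use] = der
    if "signing" not in certs:
        problems.append("no signing certificate: SP cannot verify IdP signatures")
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": want_signed,
        "sso": sso,
        "cert_uses": sorted(certs),
        "problems": problems,
    }


if __name__ == "__main__":
    inputs = IdpExportInputs("idp.example.test", "corp", port=8443, signed_requests_only=True)
    print(check_idp_metadata(build_idp_metadata(inputs)))
```

The value of `want_authn_requests_signed` reported by the check is worth reading before the import: if the export sets it to true, the SP must sign its authentication requests or the IDP will reject them, and if it is false the IDP will accept unsigned requests from anyone who knows the endpoint URL.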