Configuring Active Directory Federation Services Using WS-Federation¶
Vinyl can integrate with Active Directory Federation Services (AD FS) using the WS-Federation Passive protocol. The WS-Federation Passive protocol defines the following operational roles:
Actor | Role |
---|---|
Vinyl | Relying party |
AD FS | Identity Provider (IdP) / Security Token Service (STS) |
User | Passive requestor |
Configuration involves the following procedures:
- Create a Vinyl Security Provider for AD FS
- Create an AD FS Relying Party Trust for Vinyl
Requirements¶
In order to proceed, you will need the following:
- Administrator access to AD FS.
- Administrator access to Vinyl.
- Vinyl will need to connect to AD FS via HTTPS to retrieve the metadata document. AD FS must use a TLS certificate with a trusted root: Vinyl will not be able to retrieve the metadata document if the certificate is untrusted or otherwise invalid.
- Vinyl will need to be available via HTTPS. The Require HTTPS security provider should be enabled (or other measures taken to ensure that Vinyl is only accessible via HTTPS).
- Client machines will need to be configured to trust AD FS. Otherwise, AD FS will prompt the user to sign in.
The instructions below will refer to the following properties:
Example | Notes | |
---|---|---|
Vinyl URL | https://example.com/Vinyl/ | Vinyl must be accessible via HTTPS. The URL must include the trailing slash. The path is case-sensitive. |
Provider Name | ExampleADFS | Each Vinyl security provider is given a logical name. Since the provider name will appear in the Passive Protocol URL (see below), avoid spaces, punctuation and special characters. |
Passive Protocol URL | https://example.com/Vinyl/signin-ExampleADFS | Vinyl automatically provisions a Passive Protocol endpoint for WS-Federation security providers. Note that the Provider Name appears in the URL. |
Federation Metadata Document URL | https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml | The Federation Metadata Document URL can be retrieved from AD FS. To do so, launch the AD FS Management console. Select AD FS → Service → Endpoints. Locate the endpoint of Type Federation Metadata. |
Audience | https://example.com/Vinyl/signin-ExampleADFS | An Audience value is highly recommended to limit the scope of authentication. Consider using the Passive Protocol URL. |
Wtrealm | https://example.com/Vinyl/signin-ExampleADFS | Although the Wtrealm is arbitrary, AD FS and Vinyl must use the same value. Consider using the Passive Protocol URL. |
Create a Vinyl Security Provider for AD FS¶
To create the Security Provider, start by signing into Vinyl as an administrator:
- Navigate to the IDE
- Select the Security Providers button
- In the User Authentication panel, click the + User Authentication button
-
Provide the following:
-
Name:
Security Provider Name
(see above)Example: ExampleADFS
-
Type: WS-Federation
- Enabled: Check
- User Provisioning: Check to enable Just-in-Time (JIT) user provisioning.
- Supplies Group Membership: Check if AD FS has been configured to pass user group membership.
- Show On Login Form: Check
-
-
Click the Save button
- In the Properties panel, click the + Property button
-
Provide the following:
- Parameter: MetadataAddress
-
Value:
Federation Metadata Document URL
(see above).Example:
https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
-
Click the Save icon (Check)
- In the Properties panel, click the + Property button
-
Provide the following:
- Parameter: Wtrealm
-
Value:
Wtrealm
(see above).Example:
https://example.com/Vinyl/signin-ExampleADFS
-
Click the Save icon (Check)
- In the Properties panel, click the + Property button
-
Provide the following:
- Parameter: Audience
-
Value: Audience (see above).
Example:
https://example.com/Vinyl/signin-ExampleADFS
-
Click the Save icon (Check)
In addition, any claims mapped in AD FS will need to be mapped in Vinyl. For example, to map the email claim:
- In the Claims panel, click the + Claim button
-
Provide the following:
-
Identifier: Claim type name.\
Example:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
-
Usage: Claim type usage.\
Example: Email Address
-
-
Click the Save icon (Check)
Create an AD FS Relying Party Trust for Vinyl¶
Each instance of Vinyl must be registered within AD FS as a relying party trust. The full details of creating, configuring and maintaining relying party trusts falls outside the scope of this document. For additional information describing how to create an AD FS relying party trust, see the following TechNet article:
https://technet.microsoft.com/en-ca/library/dd807108.aspx
Creating a relying party trust requires the following information:
- Protocol: WS-Federation Passive
-
Relying party WS-Federation Passive protocol URL: Corresponds to the
Passive Protocol URL
(see above).\Example:
https://example.com/Vinyl/signin-ExampleADFS
-
Relying party trust identifier: Corresponds to the
Wtrealm
property (see above).\Example:
https://example.com/Vinyl/signin-ExampleADFS
Create an AD FS Endpoint URL for Vinyl¶
Each instance of Vinyl must be registered within AD FS as an endpoint. Create an endpoint on the Endpoints tab in AD FS as follows:
- Click Add WS-Federation button.
- Set the endpoint as the default (checkbox).
-
Trusted URL: Corresponds to the Wtrealm property (see above).
Example:
https://example.com/Vinyl/signin-ExampleADFS
Claim Mappings (Optional)¶
You may also supply optional claim mappings. The following TechNet article describes how to create AD FS relying party trust claim rules:
https://technet.microsoft.com/en-us/library/dd807115.aspx
Commonly mapped claims include:
- Email Address -
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Group Membership -
http://schemas.xmlsoap.org/claims/Group
See Claims for additional information regarding claims.
Troubleshooting¶
Configuration Settings¶
Note
Your configuration settings may vary from examples provided in this article, depending on your exact environment. For example, depending on how your App Pool is configured, you may be using demo.zudy.com/signin-AD
or demo.zudy.com/vinyl/signin-AD
.
"Runtime Error" when clicking the "Sign in with..." link¶
The URL may read: http://example.com/Vinyl/service/authentication/external?returnUrl=...
Review the Windows Event Log. Specifically, check the Application log for ASP.Net warnings with an event ID of 1309. You may find an entry with following exception message:
Unable to get document from: https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
This indicates that Vinyl was unable to retrieve the Federation Metadata Document. Ensure that the Vinyl web server is able to make an HTTPS connection to the AD FS Metadata Document endpoint. Also ensure that the TLS certificate is valid. If the certificate is not signed by a trusted root, you may manually register it.
"Runtime Error" after signing into AD FS¶
The URL may read: http://example.com/Vinyl/signin-ADFS
Review the Windows Event Log. Specifically, check the Application log for ASP.Net warnings with an event ID of 1309. You may find an entry with one of the following exception messages.
Missing Claim¶
The identity does not contain a claim matching the given type.
This indicates that the SAML assertion is missing one or more required claims. Review the claim rule configuration.
Invalid Audience¶
IDX10214: Audience validation failed. Audiences: 'https://example.com/Vinyl'. Did not match: validationParameters.ValidAudience: 'https://example.com/Vinyl/' or validationParameters.ValidAudiences: 'null'
This indicates that the SAML assertion has an invalid audience restriction. In this particular example, the audience is missing the trailing slash. Make sure the relying party trust identifier is correct.
Print AD FS relying party trust settings¶
Execute the following PowerShell command from the AD FS server to print the relying party trust settings:
> Get-ADFSRelyingPartyTrust -Identifier https://example.com/Vinyl/signin-ADFS`
The Identifier argument corresponds to the Passive Protocol URL
(as described above).
Missing group membership¶
By default, ADFS does not include group claims in SAML assertions. Administrators must create one or more claim rules to include group membership. It is possible to create a single claim rule that includes all group membership. However, using the built-in ADFS "Group Claim" rule, a separate rule is required for each group.
The following article describes how to include group membership matching a regular expression (e.g. groups starting with "Vinyl"):
The following article describes how to use regular expressions in claim transformation rules:
Missing or incorrect Claims configuration¶
The following error message may be seen after authenticating:
The user account (`<username>`) has successfully signed in, but no available landing page has been configured for their applications.
This indicates successful configuration of the security provider and the AD FS end, but means that claims have not yet been configured or need correcting.
Review claims passed back to Vinyl from ADFS (ensure Store Claims is checked) to make sure that the correct claims are being passed (group memberships, custom attributes) to Vinyl and these can then be mapped in the Security Provider Claims configuration.