8.9.2 Integrate with Active Directory Federation Services

Integration with Active Directory Federation Services as Single Sign-On provider is only available for AD FS servers running Windows Server 2016 AD FS or Windows Server 2019 AD FS.

Below you can find a step by step tutorial on how to integrate Active Directory Federation Services IdP with MetaDefender Vault using the OpenID Connect protocol.

  1. Open the Server Manager desktop app and navigate to Tools → AD FS Management

  2. Inside the AD FS Management app navigate to Application Groups → Add Application Group

  3. Enter a descriptive name for the application group and select the Server application accessing a web API template

  4. To find the Login Redirect URI:

    1. Go to MetaDefender Vault web console and navigate to Settings → Single Sign-On

    2. Turn on Enable Single Sign-On

    3. It might be necessary to turn on Ignore Certificate Issues if the AD FS server is using a self-signed certificate

    4. Turn off Load User Profile because AD FS 2016 and newer do not yet support calling the “/userinfo” endpoint

    5. Authority should point to your AD FS URL. You can compose the URL by appending “/adfs” to the AD FS server’s fully qualified domain name (FQDN for short)

    6. IP Address or Domain should point to the location of your Vault instance. Once you fill in this information, Vault will automatically generate the Redirect URI

    7. Copy the Redirect URI and go back to the AD FS Application Settings and paste it (step 5)

  5. Add the copied URI to the list of known redirect endpoints and save the Client Identifier for later use

  6. We will require a client secret, so select the Generate a shared secret action and copy the generated GUID for later use

  7. Add the client identifier (generated at step 5) to the list of known clients

  8. Choose which users will be allowed to authenticate.
    For the purpose of this tutorial we will be allowing everyone

  9. Last but not least we must configure the allowed scopes.
    It is mandatory to select:

    1. openid → for enabling the OpenID Connect protocol

    2. profile → to receive the user’s name-related claims (upn, display_name, first_name, last_name)

    3. email → to receive the user’s email claim (necessary for administrator role assignment)

    4. allatclaims → to allow the profile and email related claims to be contained in the identity token, since AD FS does not allow loading profile related claims from the userinfo endpoint

  10. After the above setup is complete, the newly created application group should be displayed in the application groups list

  11. There is just one more step to complete on the AD FS server side: attribute-to-claim mapping.
    Double-click the newly created application group and edit the Web API

  12. Navigate to the Issuance Transform Rules tab and click Add Rule…

  13. Select the Send LDAP Attributes as Claims template and click Next

  14. Select Active Directory as an Attribute store and create the following mappings.
    MetaDefender Vault recognizes the following claims:

    1. upn (required)

    2. email (required)

    3. name (optional)

    4. given_name (optional)

    5. family_name (optional)


  15. Click Finish and Apply

  16. On Vault’s side, input the Client ID (created at step 5) and Client Secret (created at step 6)

  17. If they were misplaced, the Client ID and Client Secret can be retrieved by opening the application group’s affiliated server application

  18. Add relevant Administrator Emails to select which users should be granted administrator rights
    and add the allatclaims scope to Integration Scopes

  19. If everything is ready, click Update.

  20. Log out of MetaDefender Vault

  21. You will notice that there is a new LOGIN WITH SSO button on the login page

  22. Click LOGIN WITH SSO. You should be redirected to Okta to login. Once logged in, you will be redirected back to MetaDefender Vault and automatically logged in.
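The AD FS side of the procedure (steps 1 to 15) can also be scripted with the AD FS PowerShell module, which makes the configuration repeatable and lets you verify the scopes and claim rules before touching the Vault UI. The script below is an added example and is not part of the MetaDefender Vault documentation or product; the application group name, the Vault redirect URI, the AD FS FQDN and the access control policy name are assumptions to be replaced with your own values, and the claim rule reproduces the Send LDAP Attributes as Claims template for the five claims Vault recognizes.

```powershell
# Added example: scripts AD FS steps 1-15 of the tutorial. Not from the
# MetaDefender Vault documentation. Run in an elevated PowerShell session on the
# AD FS server (Windows Server 2016 or 2019). All values below are assumptions.
Import-Module ADFS

$groupName   = 'MetaDefender Vault'                           # assumed application group name (step 3)
$redirectUri = 'https://vault.example.com/signin-oidc'        # placeholder: paste the Redirect URI shown by Vault (step 4.6)
$authority   = 'https://adfs.example.com/adfs'                # placeholder: AD FS FQDN + "/adfs" (step 4.5)
$scopes      = @('openid', 'profile', 'email', 'allatclaims') # mandatory scopes (step 9)
$policyName  = 'Permit everyone'                              # built-in AD FS access control policy (step 8)

# "Send LDAP Attributes as Claims" rule (steps 13-14): maps AD attributes to the
# claim types MetaDefender Vault recognizes. upn and email are required by Vault.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "MetaDefender Vault claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("upn", "email", "name", "given_name", "family_name"), query = ";userPrincipalName,mail,displayName,givenName,sn;{0}", param = c.Value);
'@

# Step 3: create the application group.
New-AdfsApplicationGroup -Name $groupName | Out-Null

# Steps 5-6: server application with the Vault redirect URI and a generated shared
# secret. The returned object carries the Client Identifier and the one-time ClientSecret.
$serverApp = Add-AdfsServerApplication -Name "$groupName - Server application" `
    -ApplicationGroupIdentifier $groupName `
    -RedirectUri $redirectUri `
    -GenerateClientSecret

# Steps 7-8 and 11-14: Web API whose identifier is the client id, with the access
# control policy and the issuance transform rules attached.
Add-AdfsWebApiApplication -Name "$groupName - Web API" `
    -ApplicationGroupIdentifier $groupName `
    -Identifier $serverApp.Identifier `
    -AccessControlPolicyName $policyName `
    -IssuanceTransformRules $issuanceRules | Out-Null

# Step 9: grant the client the mandatory scopes against the Web API.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $serverApp.Identifier `
    -ServerRoleIdentifier $serverApp.Identifier `
    -ScopeNames $scopes

# Verification: fail loudly if a scope or a required claim is missing, since a
# missing allatclaims scope or email claim only shows up later as a failed login.
$granted = (Get-AdfsApplicationPermission -ClientRoleIdentifiers $serverApp.Identifier).ScopeNames
$missing = $scopes | Where-Object { $_ -notin $granted }
if ($missing) { throw "Scopes missing on the grant: $($missing -join ', ')" }

$webApi = Get-AdfsWebApiApplication -Identifier $serverApp.Identifier
foreach ($claim in 'upn', 'email') {
    if ($webApi.IssuanceTransformRules -notmatch "`"$claim`"") {
        throw "Required claim '$claim' is not issued by the Web API rules"
    }
}

# Values to enter on the Vault Single Sign-On page (steps 4.5 and 16). The client
# secret is shown only once by AD FS, so record it securely now.
[pscustomobject]@{
    ClientId     = $serverApp.Identifier
    ClientSecret = $serverApp.ClientSecret
    Authority    = $authority
}
```

The verification block checks the same two things the tutorial calls out as mandatory: that all four scopes, including allatclaims, are granted to the client, and that the issuance rules emit the upn and email claims Vault requires. Using the built-in Permit everyone policy mirrors step 8 of the tutorial; in production, pick a narrower access control policy so that only the intended users can obtain a token for Vault.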