2024 April Release

Configuration of Active Directory Federation Services (AD FS)

Active Directory Federation Services can be used as an identity provider. The following chapters describe how to configure AD FS for the Fabasoft Cloud.

Prerequisites

The following prerequisites must be fulfilled:

Configure Your AD FS

To configure your AD FS for the Fabasoft Cloud, perform the following steps:

  1. Start the “AD FS Management” (“Server Manager” > “Tools”).
  2. On the context menu of “Relying Party Trusts”, click “Add Relying Party Trust”.
  3. Select “Claims aware” and click “Start”.
  4. Enter the URL https://<server>/idp/saml/metadata (e.g. https://idp.cloud.fabasoft.com/idp/saml/metadata) in the Federation metadata address field and click “Next”.
    Note: Alternatively, you can download the metadata.xml from the URL and use the second option to import the file.
  5. Enter a display name and click “Next”.
  6. Choose an access control policy and click “Next”.
  7. Check the settings and click “Next”.
  8. Select “Configure claims issuance policy for this application” and click “Close”.
  9. Click “Add Rule” to open the “Add Transform Claim Rule Wizard”.
  10. In the Claim rule template field, select “Send LDAP Attributes as Claims” and click “Next”.
  11. Enter a rule name, add the attributes you want to send and click “Finish”.

    At least the following outgoing claim types must be defined:
    • Name ID
      The LDAP attribute that is assigned to the outgoing claim type “Name ID” must contain the user’s e-mail address, which is used for the Fabasoft Cloud log-in.
    • Surname
    • Given Name
  12. Click “OK”.
  13. On the context menu of the created relying party trust, click “Properties”.
  14. Click the “Advanced” tab, select the secure hash algorithm “SHA-256” and click “OK”.
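The same relying party trust can be created and then checked from PowerShell on the AD FS server. This is an added example, not Fabasoft's own script; the display name, the access control policy and the LDAP attributes `mail`, `sn` and `givenName` are assumptions to adapt to your directory.

```powershell
# Added example (not part of the Fabasoft documentation).
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Assumptions: adjust all four values to your environment.
$TrustName   = 'Fabasoft Cloud'                                    # display name (step 5), hypothetical
$MetadataUrl = 'https://idp.cloud.fabasoft.com/idp/saml/metadata'  # example URL from step 4
$Policy      = 'Permit everyone'                                   # access control policy (step 6)
$Sha256      = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' # SHA-256 (step 14)

# Steps 9-11: "Send LDAP Attributes as Claims" rule.
# Assumed mapping: mail -> Name ID, sn -> Surname, givenName -> Given Name.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Fabasoft Cloud LDAP claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"),
    query = ";mail,sn,givenName;{0}", param = c.Value);
'@

# Steps 2-8 and 14: create the trust from the federation metadata address.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl `
    -AccessControlPolicyName $Policy -IssuanceTransformRules $Rules `
    -SignatureAlgorithm $Sha256

# Read the trust back and check the settings this procedure requires.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
$problems = @()
if (-not $rp.Enabled) { $problems += 'Relying party trust is disabled.' }
if ($rp.SignatureAlgorithm -ne $Sha256) {
    $problems += "Signature algorithm is $($rp.SignatureAlgorithm), expected SHA-256."
}
foreach ($claim in 'nameidentifier', 'surname', 'givenname') {
    if ($rp.IssuanceTransformRules -notmatch "identity/claims/$claim") {
        $problems += "Issuance rules do not emit the '$claim' claim."
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Trust '$TrustName' is enabled, signs with SHA-256 and issues Name ID, Surname and Given Name."
}
```

The verification half can be run on its own against a trust that was created through the wizard, provided `$TrustName` and `$Sha256` are set first.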

Metadata

The FederationMetadata.xml metadata file can be opened and saved using the following link:
https://<your AD FS>/FederationMetadata/2007-06/FederationMetadata.xml

The XML file must be uploaded to your cloud organization (“Advanced Settings” > “Login Options” > “Active Directory / SAML 2.0” action).