Connect Microsoft ADFS to PE
Connect to Microsoft Active Directory Federation Services (ADFS) on a Windows server, enabling users to log in to PE using their ADFS credentials.
Add PE certificates to the ADFS server
To ensure ADFS trusts the certificates PE uses to sign requests, add the Puppet CA certificates to the Trusted Root CA store on the ADFS server. There can be one or two certificates to import, depending on which version of PE you upgraded from.
Connect to ADFS in the PE console
Use the PE console to connect to ADFS.
- In the console, on the Access control page, click the SSO tab.
- Click Configure.
- Fill in the configuration information using the ADFS configuration reference.
- Commit changes.
ADFS configuration reference
Configure ADFS in the PE console with these settings and values.
ADFS configuration values
In the PE console, configure these values in the Identity provider information and Service provider configuration options sections of the SSO configuration page.
Setting | Maps to | ADFS configuration value |
---|---|---|
Display name | display_name | Example: "ADFS" |
Identity provider entity ID | idp_entity_id | An HTTP or HTTPS URL indicating the ADFS Identifier. To find your URL, in the ADFS Microsoft Management Console, click Edit Federation Service Properties. Example: "http://<federation service name>/adfs/services/trust" |
Identity provider SSO URL | idp_sso_url | The ADFS Single Sign On URL. To find your SSO URL, in the ADFS Microsoft Management Console, click ADFS > Service > Endpoints. Under Token Issuance, in the Type column, click the endpoint that specifies SAML 2.0/WS-Federation. Example: "https://<federation service name>/adfs/ls/" |
Identity provider SLO URL | idp_slo_url | The ADFS Single Sign On URL with the string ?wa=wsignout1.0 appended. Example: "https://<federation service name>/adfs/ls/?wa=wsignout1.0" |
Identity provider SLO response URL | idp_slo_response_url | The same as the ADFS SLO URL. Example: "https://<federation service name>/adfs/ls/?wa=wsignout1.0" |
IdP certificate | idp_certificate | The ADFS Token Signing certificate. To get the certificate, run this PowerShell script on your ADFS server: Example: -----BEGIN CERTIFICATE----- MIIGADCCA+igAwIBAgIBAjANBgkqhkiG9w0BAQsFADBqMWgwZgYDVQQDDF9QdXBw ... STkGww== -----END CERTIFICATE----- |
Name ID encrypted? | name_id_encrypted | |
Sign authentication requests? | authn_request_signed | |
Sign logout response? | logout_response_signed | |
Sign logout requests? | logout_request_signed | |
Require signed messages? | want_messages_signed | |
Require signed assertions? | want_assertions_signed | |
Sign metadata? | sign_metadata | |
Require encrypted assertions? | want_assertions_encrypted | |
Require name ID encrypted? | want_name_id_encrypted | |
Requested authentication context | requested_auth_context | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport |
Requested authentication context comparison | requested_auth_context_comparison | exact |
Allow duplicated attribute name? | allow_duplicated_attribute_name | false |
Validate xml? | want_xml_validation | |
Signature algorithm | signature_algorithm | rsa-sha256 |
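The IdP certificate row above refers to a PowerShell script that is not reproduced on this page. The following is an added example, not the page's own script, that exports the primary ADFS token-signing certificate in the PEM form the IdP certificate field expects; it assumes the ADFS PowerShell module on the ADFS server, and the output path is a placeholder.

```powershell
# Added example: export the primary ADFS token-signing certificate as PEM so it
# can be pasted into the PE console "IdP certificate" field.
# Assumption: run on the ADFS server with the ADFS PowerShell module available.
Import-Module ADFS

# Only the primary token-signing certificate signs assertions sent to PE; a
# secondary one (present during certificate rollover) is not yet in use.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }

if (-not $tokenSigning) {
    throw 'No primary token-signing certificate found on this ADFS server.'
}

$x509 = $tokenSigning.Certificate

# Export DER bytes and wrap them as base64 PEM with 64-character lines.
$der   = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64   = [Convert]::ToBase64String($der)
$lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
$pem   = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')

# Show thumbprint and expiry so the exported certificate can be compared with
# the one listed in the ADFS console before PE is configured to trust it.
Write-Host "Thumbprint: $($x509.Thumbprint)"
Write-Host "Expires:    $($x509.NotAfter)"

$outFile = Join-Path $env:TEMP 'adfs-token-signing.pem'   # placeholder path
Set-Content -Path $outFile -Value $pem -Encoding ascii
Write-Host "PEM written to $outFile"
```

Paste the full contents of the output file, including the BEGIN and END lines, into the IdP certificate field; re-run the export after every ADFS token-signing certificate rollover, because PE will reject assertions signed with a certificate it does not hold.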
Attribute binding values for ADFS
In the PE console, add these values in the Attribute binding section of the SSO configuration page.
Attribute binding value | ADFS value |
---|---|
User | http://schemas.xmlsoap.org/claims/CommonName or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
Display name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Groups | http://schemas.xmlsoap.org/claims/Group |
Add the Relying Party Trust for PE to ADFS
Add PE to ADFS as a Relying Party Trust using a metadata address, allowing ADFS to recognize and communicate with PE as the service provider. Use the PE console to retrieve the metadata URL, then add it to ADFS using the ADFS Management console.
- In the PE console, on the Access Control page, click the SSO tab, click Show configuration information, and copy the SAML Metadata URL.
- In the ADFS Management console, click Relying Party Trusts, then click Add Relying Party Trust, and select Claims aware.
- When the wizard opens, click Start.
- Select Import data about relying party published online or on a local network and enter the SAML Metadata URL, then click Next.
- Enter a Display name for your PE server, taking note of the name to refer to later, then click Next.
- Accept the defaults for the Access Control Policy and click Next.
- On the Ready to Add Trust page, click Next.
- On the Finish page, uncheck Configure claims issuance policy for this application and click Close.
Disable certificate revocation checking
ADFS can't look up the certificate revocation status because certificates from PE don't include CRL information. Use PowerShell to disable certificate revocation checking on the relying party trust; otherwise ADFS's revocation checks against the PE certificates fail and cause trust failures.
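An added example, not a script from the page, of disabling revocation checking for the PE relying party trust only and then confirming the change. It assumes the ADFS PowerShell module and uses "Puppet Enterprise" as a placeholder for the display name given to the trust when it was added.

```powershell
# Added example: disable certificate revocation checking on the PE relying
# party trust and verify the result.
# Assumptions: ADFS PowerShell module; 'Puppet Enterprise' is a placeholder for
# the trust display name chosen in the Add Relying Party Trust wizard.
Import-Module ADFS
$trustName = 'Puppet Enterprise'

# Scope the change to this one trust rather than ADFS-wide: the Puppet CA
# publishes no CRL, so chain revocation checks for its certificates can never
# succeed, but every other relying party keeps its normal checks.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# Verify: both revocation-check properties should now read "None" for this trust.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```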
Configure the Claim Issuance Policy in ADFS
Add rules to the Claims Issuance Policy so ADFS sends the correct LDAP attribute and user group information to PE.
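An added example, not the page's own configuration, that sets issuance rules on the PE relying party trust so ADFS emits the claim types listed in the attribute binding table. It assumes the ADFS PowerShell module, "Puppet Enterprise" as a placeholder trust display name, and that the AD attributes mail, displayName and tokenGroups should feed the email address, name and Group claims.

```powershell
# Added example: configure claim issuance rules for the PE relying party trust.
# Assumptions: ADFS PowerShell module; 'Puppet Enterprise' is a placeholder for
# the trust display name; mail/displayName/tokenGroups are the AD attributes
# that should populate the claims PE reads (adjust to your directory schema).
Import-Module ADFS
$trustName = 'Puppet Enterprise'

# Transform rule: look up the authenticated user's attributes in Active
# Directory and issue them under the claim types configured in PE's attribute
# bindings (emailaddress for User, name for Display name, Group for Groups).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "PE user attributes and groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/claims/Group"), query = ";mail,displayName,tokenGroups;{0}", param = c.Value);
'@

# Authorization rule: permit all authenticated users to receive a token; what a
# user may do in PE is decided by the RBAC group and role configured in PE.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the stored rules before testing the login.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

The Group claim carries every AD group the user belongs to, so map only the groups you intend to grant access to when configuring RBAC in PE.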
Configure an RBAC group and role in PE
In the PE console, configure RBAC to grant permissions to new ADFS user groups.
Test your SSO connection
Ensure your connection between PE and ADFS works by logging out and logging back in.