This article assumes the following:
- You have AD FS installed;
- You have CIM installed;
- You know the URL for the AD FS metadata;
- You know the URL for the CIM metadata:
https://<url of your cim>/saml/metadata;
- You have an account where the email attribute contains the logon email address.
Step 1: Create SAML 'Identity Provider' in CIM
- Open the admin interface of your CIM instance;
- Go to 'Config > Identity Providers';
- Click + and add an Identity Provider with the following settings:
The IDP metadata field should contain the metadata from your AD FS instance.
Step 2: Add 'Relying Party Trust'
In this step we'll be actually connection CIM to AD FS.
- Open AD FS management console;
- On the right, click 'Add Relying Party Trust';
- Choose 'Claims aware':
- Import data, from URL (
https://<url of you cim>/saml/metadata), about the relying party:
- Choose a display name for the relying party;
- Choose an access policy:
Step 3: Add 'Claim Issuance Rule'
We have to create a custom rule to set the all the proper values for the name identifier.
- With AD FS management console still opened, right click your relying party trust and choose: 'Edit Claim Issuance Policy...':
- Add a new rule from template: 'Send Claims Using a Custom Rule'
- Give the rule a name and paste the following line of text in the 'Custom Rule' box:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "<Identifier>", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<Identifier>");
Because we want both the message and the assertion signed, we have to execute the following command:
- Open a Powershell window and type:
Set-AdfsRelyingPartyTrust -TargetName "<Display name>" -SamlResponseSignature "MessageAndAssertion"
Step 4: Testing the setup
- Open a browser window and go to:
https://<url of your cim>/sessions/new/saml;
- You'll get redirected to the AD FS login screen:
- Login with your email address and your password;
- You can now create your enter your personal information:
* The registration screen is showed when CIM expects to have more attributes of a user which are provisioned by AD FS. This is depending on what AD FS provisions and which CIM-attributes are required, which is configurable.
Done, your user can now use their federated AD FS identity to login to CIM!