9. NexLog DX-FIPS ADFS Configuration

New in version 2024.1.

There are two important concepts to understand when configuring SAML with the NexLog 740 DX-Series Recorder. The terms are not specific to the NexLog 740 DX-Series Recorder, but are widely used in the SAML paradigm. The two terms are:

Service Provider (SP) - For the purposes of this configuration, the Service Provider (SP) is the NexLog 740 DX-Series Recorder itself.

Identity Provider (IdP) - The Identity Provider we will configure is a Microsoft ADFS server.

Another important concept to understand is that both the SP and the IdP have an entityID. An entityID is nothing more than an identifier. While we programmatically pull the entityID of the IdP from its Metadata file, you will need to provide an entityID for the SP.

It’s important to note that a TLS certificate must be configured and enabled on the recorder, and the FQDN matching that certificate must be known. For the purposes of this document the value sp.nexlog.host will be used.

9.1. ADFS Configuration

We’ll start with a clean slate on the ADFS server. The graphic below shows the ADFS management tool on the server itself.

Relying Party Trusts

Fig. 9.1 Relying Party Trusts

We need to ensure that the ADFS server has a few items in its properties so that its Metadata can be used later in this configuration process. Right click the Service folder, and choose Edit Federation Service Properties.

Edit Federation Service Properties

Fig. 9.2 Edit Federation Service Properties

Once the properties dialog box is visible, click on the Organization tab.

Organization Tab

Fig. 9.3 Organization Tab

If the Support contact information is not populated, you will need to populate it with some information before the Metadata can be imported.

The next step is to either right click the Relying Party Trusts folder and choose Add Relying Party Trust, or on the right side of the ADFS management window, click Add Relying Party Trust.

Add Relying Party Trust

Fig. 9.4 Add Relying Party Trust

This will bring up the Add Relying Party Trust Wizard, which will default to the Claims aware selection.

Add Relying Party Trust Wizard

Fig. 9.5 Add Relying Party Trust Wizard

Click Next to continue.

Choose the third option, Enter data about the relying party manually.

Enter Data Relying Party Manually

Fig. 9.6 Enter Data Relying Party Manually

Click Next to continue.

Give the new relying party a name. This is simply used for display purposes in the ADFS server itself. Additionally, you may add notes here as well.

Give Relying Party Name

Fig. 9.7 Give Relying Party Name

Click Next to continue.

On the Configure Certificate page, click Next to continue the wizard.

Configure Certificate

Fig. 9.8 Configure Certificate

Click Next to continue.

Once on the Configure URL page, you will need to select the second option, Enable support for the SAML 2.0 WebSSO protocol. In the box for the Relying party, we will construct the URL using the FQDN referenced at the beginning of this document, sp.nexlog.host. You will need to provide the FQDN that you have provisioned, but the rest of the URL should be as shown below.

Configure URL

Click Next to continue to the Configure Identifiers dialog.

Though ADFS doesn’t name it in this dialog, the value it is asking for is the entityID of the Service Provider (SP). It can be any value as long as it is unique within the ADFS server. Standard practice is to make it a URL, though the URL does not have to point to anything, nor does it need to resolve; it is simply used as a unique identifier. For this document, we will use the value https://sp.nexlog.host/relyingidentifier. Make note of this value, as it will be used later to configure the recorder side of SAML. Enter the value in the text box, then click the Add button to add it to the list in the bottom text box.

Configure Identifiers

Fig. 9.9 Configure Identifiers

Click the Next button to continue.

On the Choose Access Control Policy page, highlight the Permit everyone entry, then click Next.

Choose Access Control Policy

Fig. 9.10 Choose Access Control Policy

On the Ready to Add Trust page, click Next to continue to the last page in the dialog.

Ready to Add Trust

Fig. 9.11 Ready to Add Trust

Finally, on the Finish page, leave the Configure claims issuance policy for this application checkbox checked, and click Close.

Finish Configure Claims

Fig. 9.12 Finish Configure Claims

When you click the Close button, a new dialog will appear that will allow you to edit the claims for the newly configured relying party.

Edit Claim Issuance Policy

Fig. 9.13 Edit Claim Issuance Policy

Click the Add rule button to add a claims rule. There are several that will need to be added.

Add Transform Claim Rule Wizard

Fig. 9.14 Add Transform Claim Rule Wizard

Click Next to continue.

The first claim rule we will add issues a UPN claim. You can provide any name you wish; for the purpose of this document the name NexLog Claim will be used.

Under Attribute store, select the Active Directory entry.

Under the left side drop down, choose the User-Principal-Name option, and on the right side drop down, select the UPN option.

In the next row, on the left side, choose the Token-Groups - Qualified by Long Domain Name, and on the right, choose the Group option.

Configure Claim Rule

Fig. 9.15 Configure Claim Rule

Click Finish, Apply, then OK to finish the process and dismiss the dialogs.

We need to add one more URL to the configuration, and since ADFS doesn’t support adding two via the wizard, we need to edit the properties of the newly configured relying party.

Right click on the relying party that was just created and choose the Properties option.

Relying Party Properties

Fig. 9.16 Relying Party Properties

In the properties dialog, choose the Endpoints tab, then click on the Add SAML button.

Endpoints Add SAML

Fig. 9.17 Endpoints Add SAML

On the Add an Endpoint dialog, choose the POST binding.

Increase the Index value by 1.

Enter the shown URL in the Trusted URL text box replacing sp.nexlog.host with your FQDN.

This is the same URL that was in step one of the Add Relying Party Trust Wizard, with the addition of port 8443.

Add Relying Party Trust 8443

Fig. 9.18 Add Relying Party Trust 8443

Click Apply, then OK to finish the configuration.
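The following script is an added example, not part of the NexLog documentation or of any NexLog or Microsoft tooling. It creates the same relying party trust that the wizard and the Endpoints tab build above, using the ADFS PowerShell module on the ADFS server, so that the configuration can be reviewed as text, repeated on another farm, and compared against what is actually deployed. The recorder FQDN and the entityID are the values used in this document; the assertion consumer path ($AcsPath) is a placeholder, because this document shows it only in the Configure URL figure, and the display name and notes are assumed.

```powershell
# Added example: build the NexLog relying party trust with the ADFS module instead of the wizard.
# Run in an elevated PowerShell session on the ADFS server.
# Assumptions: $SpFqdn and $EntityId are the values used in this document; $AcsPath is a
# placeholder for the path shown in the Configure URL figure; $RpName is a display name only.

$SpFqdn   = 'sp.nexlog.host'                                 # FQDN matching the recorder's TLS certificate
$AcsPath  = '/<ACS path from the Configure URL figure>'      # placeholder: replace with the documented path
$RpName   = 'NexLog 740 DX-Series Recorder'                  # display name inside ADFS (Fig. 9.7)
$EntityId = "https://$SpFqdn/relyingidentifier"              # SP entityID (Fig. 9.9); must match the recorder

# Two POST-binding assertion consumer endpoints: index 0 on port 443 (wizard entry) and
# index 1 on port 8443 (the endpoint added by hand on the Endpoints tab, Fig. 9.18).
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Index 0 `
        -Uri "https://$SpFqdn$AcsPath"
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Index 1 `
        -Uri "https://${SpFqdn}:8443$AcsPath"
)

# Claim rule equivalent to Fig. 9.15: the "Send LDAP Attributes as Claims" template with
# User-Principal-Name -> UPN and Token-Groups - Qualified by Long Domain Name -> Group.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "NexLog Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,tokenGroups(longDomainQualifiedName);{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name $RpName `
    -Identifier $EntityId `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $claimRules `
    -AccessControlPolicyName 'Permit everyone' `
    -Notes 'SAML service provider for the NexLog recorder (assumed note text)'

# Verify what ADFS stored. The identifier must match the Relying Provider Identifier entered on
# the recorder character for character, and both endpoints should be listed with their indexes.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
"Identifier(s): $($rp.Identifier -join ', ')"
$rp.SamlEndpoints | Select-Object Index, Binding, Protocol, Location | Format-Table -AutoSize
```

Running the verification block alone (the last four lines) against a trust that was created through the wizard is a quick way to confirm that the identifier and both endpoints were entered exactly as intended before moving on to the recorder side.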

9.2. Recorder SAML Configuration

Once the ADFS server is configured, we can turn our attention to configuring SAML on the recorder itself.

Note

When accessing Configuration Manager, the login icon will not be available in the lower right-hand corner. You’ll need to log in by going to <host>/admin.

Once logged in as an administrator, you can select:

Users and Security → Authentication Providers

Auth Providers

Fig. 9.19 Auth Providers

Then click the Add Auth Provider button to add ADFS as an Identity Provider.

You will not be able to click on the Enabled button until certain fields are filled in. We’ll work through the fields from top to bottom.

  • Type: Will default to SAML, but if it isn’t, click the Type drop down and choose SAML.

  • Display Name: This can be any value and is simply a name to give to the configuration, for example “DISA”.

  • User Provisioning: Click this checkbox.

  • Active Directory Federation Services (ADFS): Click the checkbox.

  • Display Order: Select a value, this allows you to set the list order of authentication providers configured.

  • Relying Provider Identifier: Recall from the ADFS configuration that the service provider is identified by an entityID. This field must match what was configured in ADFS. We’ll use the same value outlined in the ADFS configuration section: https://sp.nexlog.host/relyingidentifier

  • Recorders Fully Qualified Domain Name (FQDN): This is the FQDN configured on the recorder and matching the TLS certificate installed on the recorder.

  • Generate New x.509 Certification: You can leave this unchecked, however checking the box will trigger new certificates to be generated. The certificates are used in the SAML process itself. If you are editing a previously configured authentication provider, generating new certificates may require you to delete the old signing and encryption certificates on the ADFS server.

  • Identity Provider Metadata Configuration: To populate this box, you first want to download the Metadata file from the ADFS server. ADFS uses a well-known URL to do so. You can point a browser at:

    • https://<FQDN of ADFS Server>/FederationMetadata/2007-06/FederationMetadata.xml

This will trigger a download of the Metadata file. Save it to your desktop, then click the Browse button to choose and upload the file.

Click on the Enabled button on the top of the page.

Auth Provider Setting Full

Fig. 9.20 Auth Provider Setting Full
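The script below is an added example and is not part of the NexLog documentation or of the recorder's own import logic. It downloads the federation metadata from the well-known URL given above and prints the values the recorder will consume from it (the IdP entityID mentioned at the start of this chapter, the single sign-on endpoints, and the token-signing certificate fingerprints), so that they can be checked against the ADFS management console before the file is uploaded. The ADFS FQDN is a placeholder, and the script assumes it runs on a workstation that can reach the ADFS server over HTTPS.

```powershell
# Added example: download the ADFS federation metadata and summarise what the recorder will import.
# Assumption: $AdfsFqdn is a placeholder for your ADFS server's FQDN.
param([string]$AdfsFqdn = '<FQDN of ADFS Server>')

$metadataUrl = "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile     = Join-Path $env:USERPROFILE 'Desktop\FederationMetadata.xml'   # same file you will upload

Invoke-WebRequest -Uri $metadataUrl -OutFile $outFile
[xml]$md = Get-Content -Path $outFile -Raw

# The file mixes the SAML 2.0 metadata namespace (default) with XML-DSig (ds:). Matching on
# local-name() keeps the XPath independent of whichever prefixes ADFS emits.
$entityId     = $md.DocumentElement.GetAttribute('entityID')
$ssoEndpoints = $md.SelectNodes("//*[local-name()='IDPSSODescriptor']/*[local-name()='SingleSignOnService']")
$signingCerts = $md.SelectNodes("//*[local-name()='IDPSSODescriptor']/*[local-name()='KeyDescriptor'][@use='signing']//*[local-name()='X509Certificate']")

"IdP entityID : $entityId"     # this is the value the recorder pulls programmatically from the file
foreach ($ep in $ssoEndpoints) {
    'SSO endpoint : {0} ({1})' -f $ep.GetAttribute('Location'), $ep.GetAttribute('Binding')
}

# Fingerprint each signing certificate. Compare the SHA-256 value with the token-signing
# certificate shown under Service > Certificates in the ADFS console: a mismatch means the
# downloaded file is not the one your ADFS server published.
foreach ($node in $signingCerts) {
    $raw    = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
    $sha256 = ($digest | ForEach-Object { $_.ToString('X2') }) -join ':'
    "Signing cert : {0}`n  Not after  : {1}`n  SHA-256    : {2}" -f $cert.Subject, $cert.NotAfter, $sha256
}
```

The Not after date is worth noting as well: ADFS rolls its token-signing certificate automatically by default, and once it does the metadata file uploaded to the recorder will no longer match the certificate ADFS signs with, so the download and upload step has to be repeated.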

9.2.1. SAML Group Mapping

Verify User Groups in Configuration Manager

Begin by ensuring that your recorder has User Groups correctly set up. Log in to Configuration Manager and go to ‘Users and Security’, and select the ‘User Groups’ page. Here, you will find different groups with varying access levels. Some groups may have access only to the MWP (Media Workflow Platform), others solely to Configuration Manager, and some may have access to both.

Configure Active Directory User Groups

Next, make sure that your Active Directory Users and Computers have user groups configured with the correct permissions, aligning with those defined in the Configuration Manager.

Setting Up Authentication Provider in Configuration Manager

Under ‘Users and Security’, locate the ‘Authentication Providers’ section. Here, you will create a new Authentication Provider. Once created, navigate to the ‘Groups’ page within this section to begin setting up Group Mapping.

Mapping Recorder Groups to Directory Groups

On the ‘Groups’ page, you will see a list of ‘Recorder Group Name’ entries. These are the User Groups previously identified on the ‘User Groups’ page. Your task here is to map each ‘Recorder Group Name’ to the corresponding ‘Directory Group Name’ from Active Directory.

Groups Mapping

Fig. 9.21 Groups Mapping

Accurate Group Name Entry

It’s critical to enter the correct Active Directory Group name with exactness. For instance, a group named ‘Instant Recall’ in the recorder should be mapped to its counterpart in Active Directory, like ‘ADJJM123-NLInstant Recall’. Pay attention to punctuation and spaces in the names.

Finalizing the Process

This mapping ensures that when a SAML AD user is created and made a member of a group like ‘ADJJM123-NLInstant Recall’, the system correctly identifies the mapping. This allows the user to log in to the MWP with the appropriate ‘Instant Recall’ permissions.

Important

If the mapping is incorrect, the user may be authenticated but will not gain access to MWP functionalities.
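The following function is an added example and not part of NexLog's Configuration Manager. It checks a proposed recorder-to-directory group mapping against the group names the directory actually issues, using the same exact (case-, space- and punctuation-sensitive) comparison the Important note above implies, and explains near misses so that the "authenticated but no MWP access" outcome can be caught before the mapping is saved. The $directoryGroups list is constructed here for illustration; in practice it would come from Get-ADGroup in the ActiveDirectory module or from the Group claims in a test user's assertion. The group names are the ones used in the example above plus assumed ones.

```powershell
# Added example: validate a Groups page mapping before saving it.
# Assumption: $Mapping holds the entries exactly as you intend to type them in Configuration Manager;
# $DirectoryGroups holds the group names the directory issues (constructed sample data below).
function Test-GroupMapping {
    param(
        [hashtable]$Mapping,         # recorder group name -> directory group name as typed
        [string[]]$DirectoryGroups   # group names the directory actually issues
    )
    # Exact, case-sensitive membership test: this is the comparison that has to succeed.
    $exact = [System.Collections.Generic.HashSet[string]]::new([string[]]$DirectoryGroups)

    # Loose index (case, whitespace and punctuation removed), used only to explain a failure.
    $loose = @{}
    foreach ($g in $DirectoryGroups) {
        $loose[(($g -replace '[\s\p{P}]', '').ToLowerInvariant())] = $g
    }

    foreach ($entry in $Mapping.GetEnumerator()) {
        $typed = [string]$entry.Value
        if ($exact.Contains($typed)) {
            [pscustomobject]@{ RecorderGroup = $entry.Key; DirectoryGroup = $typed; Status = 'OK' }
            continue
        }
        $key  = ($typed -replace '[\s\p{P}]', '').ToLowerInvariant()
        $hint = if ($loose.ContainsKey($key)) { "near miss, directory has '$($loose[$key])'" }
                else { 'no such directory group' }
        # Any FAIL row is the case described in the Important note: the user authenticates,
        # but no recorder group is assigned and MWP functionality is unavailable.
        [pscustomobject]@{ RecorderGroup = $entry.Key; DirectoryGroup = $typed; Status = "FAIL ($hint)" }
    }
}

# Constructed sample data (not from a real directory)
$directoryGroups = @('ADJJM123-NLInstant Recall', 'ADJJM123-NLConfigManager')
$mapping = @{
    'Instant Recall' = 'ADJJM123-NLInstant Recall'   # exact match
    'Config Manager' = 'ADJJM123-NL ConfigManager'   # extra space: will not match
    'Supervisors'    = 'ADJJM123-NLSupervisors'      # group does not exist in the directory
}
Test-GroupMapping -Mapping $mapping -DirectoryGroups $directoryGroups | Format-Table -AutoSize
```

With the sample data, the first entry reports OK, the second reports a near miss naming the real group, and the third reports that no such directory group exists; only the first would grant the user the Instant Recall permissions after login.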

Click the Save button, then OK to acknowledge the webserver restart. You will then be returned to the Authentication Providers list, where you will see your newly configured provider.

Webserver Restart

Fig. 9.22 Webserver Restart

SAML Complete

Fig. 9.23 SAML Complete

9.3. Verify MediaWorks Replay Configuration

After successfully configuring ADFS, verify the setup by navigating to the recorder and logging in to MediaWorks.

MediaWorks Login

Fig. 9.24 MediaWorks Login