7.3.1. ADFS Configuration

7.3.1.1. Prerequisites

Microsoft ADFS Server

The ADFS server is a Windows Server role that provides users with single sign-on access to systems and applications located across organizational boundaries. It authenticates users to multiple applications, including Office 365, and provides seamless access to resources.

TLS Certificate

A valid TLS certificate must be installed and enabled on the recorder.

Entity ID

The entity ID is a unique identifier for the service provider (SP) and the identity provider (IdP). The entity ID for the SP must be provided, and the entity ID for the IdP is programmatically pulled from its metadata file.

Metadata File

The metadata file is an XML document that contains information about the IdP. It includes the IdP’s entity ID, public key, and other relevant information. The metadata file is used to configure the SP to trust the IdP.

User Groups

User groups must be correctly set up in the recorder and Active Directory. The groups in the recorder must align with those in Active Directory to ensure proper group mapping for SAML authentication.

Configuration Manager

Access to Configuration Manager is required to configure the SAML authentication provider on the recorder. The Configuration Manager login icon will not be available in the lower right corner when accessing Configuration Manager; you will need to log in by going to <host>/admin.

MediaWorks Replay

After ADFS has been configured successfully, log in to MediaWorks by navigating to the recorder.

7.3.1.1.1. Configuration Steps

We’ll start with a clean slate on the ADFS server. The graphic below shows the ADFS management tool on the server itself.

Fig. 7.1 Relying Party Trusts

We need to ensure that the ADFS server has a few items set in its properties so that its metadata can be used later in this configuration process. Right-click the Service folder and choose Edit Federation Service Properties.

Fig. 7.2 Edit Federation Service Properties

Once the properties dialog box is visible, click on the Organization tab.

Fig. 7.3 Organization Tab

If the Support contact information is not populated, you will need to fill it in; otherwise the metadata cannot be imported.

The next step is to either right-click the Relying Party Trusts folder and choose Add Relying Party Trust, or click Add Relying Party Trust on the right side of the ADFS management window.

Fig. 7.4 Add Relying Party Trust

This will bring up the Add Relying Party Trust Wizard, which will default to the Claims aware selection.

Fig. 7.5 Add Relying Party Trust Wizard

Click Next to continue.

Choose the third option, Enter data about the relying party manually.

Fig. 7.6 Enter Data Relying Party Manually

Click Next to continue.

Give the new relying party a name. This is used only for display purposes within the ADFS server itself. You may also add notes here.

Fig. 7.7 Give Relying Party Name

Click Next to continue.

On the Configure Certificate page, click Next to continue the wizard.

Fig. 7.8 Configure Certificate

Click Next to continue.

Once on the Configure URL page, select the second option, Enable support for the SAML 2.0 WebSSO protocol. In the Relying party box, we construct the URL using the FQDN referenced at the beginning of this document, sp.nexlog.host. Substitute the FQDN that you have provisioned; the rest of the URL should be as shown below.

Fig. 7.9 Configure URL

Click Next to continue to the Configure Identifiers dialog.

Though ADFS doesn’t make reference to it in this dialog, the information it is asking for is the entityID of the Service Provider (SP). This can be any value, as long as it is unique within the ADFS server. Standard practice is to make this a URL, though the URL does not have to point to anything, nor does it need to resolve; it is used only as a unique identifier. For this document, we will use the value https://sp.nexlog.host/relyingidentifier. Make a note of this value, as it will be used later to configure the recorder side of SAML. Enter the value in the text box, then click the Add button to add it to the list in the bottom text box.

Fig. 7.10 Configure Identifiers

Click the Next button to continue.

On the Choose Access Control Policy page, highlight the Permit everyone entry, then click Next.

Fig. 7.11 Choose Access Control Policy

On the Ready to Add Trust page, click Next to continue to the last page in the dialog.

Fig. 7.12 Ready to Add Trust

Finally, on the Finish page, leave the Configure claims issuance policy for this application checkbox checked, and click Close.

Fig. 7.13 Finish Configure Claims

When you click the Close button, a new dialog will appear that will allow you to edit the claims for the newly configured relying party.

Fig. 7.14 Edit Claim Issuance Policy

Click the Add rule button to add a claims rule. There are several that will need to be added.

Fig. 7.15 Add Transform Claim Rule Wizard

Click Next to continue.

The first claim we will add is a UPN claim. You can provide any name you wish; for the purposes of this document, the name NexLog Claim will be used.

Under Attribute store, select the Active Directory entry.

In the left-hand drop-down, choose the User-Principal-Name option, and in the right-hand drop-down, select the UPN option.

In the next row, on the left, choose Token-Groups - Qualified by Long Domain Name, and on the right, choose the Group option.

Fig. 7.16 Configure Claim Rule

Click Finish, Apply, then OK to finish the process and dismiss the dialogs.

We need to add one more URL to the configuration, and since ADFS doesn’t support adding two via the wizard, we need to edit the properties of the newly configured relying party.

Right-click the relying party that was just created and choose the Properties option.

Fig. 7.17 Relying Party Properties

In the properties dialog, choose the Endpoints tab, then click on the Add SAML button.

Fig. 7.18 Endpoints Add SAML

On the Add an Endpoint dialog, choose the POST binding.

Increase the Index value by 1.

Enter the URL shown in the Trusted URL text box, replacing sp.nexlog.host with your FQDN.

This is the same URL that was in step one of the Add Relying Party Trust Wizard, with the addition of port 8443.

Fig. 7.19 Add Relying Party Trust 8443

Click Apply, then OK to finish the configuration.

This completes the Microsoft ADFS side of the configuration, and you can now move on to Recorder SAML Configuration.
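The same relying party trust can be built with the AD FS PowerShell module, which is useful for reviewing the result or re-applying it consistently on a second federation server. The script below is an added example, not the vendor's own script; it assumes the FQDN sp.nexlog.host and the entityID from this document, uses a placeholder for the SSO service path that only appears in Fig. 7.9, and fills the organization contact with constructed values.

```powershell
# Added example (not from the original document): the wizard steps above, expressed with
# the AD FS module. Assumes sp.nexlog.host is the recorder FQDN; the SSO path is a
# placeholder to be copied from Fig. 7.9; contact/organization values are constructed.
Import-Module ADFS

$fqdn       = 'sp.nexlog.host'                    # replace with your provisioned FQDN
$ssoPath    = '/<path-shown-in-Fig-7.9>'          # placeholder: copy the path from Fig. 7.9
$entityId   = "https://$fqdn/relyingidentifier"   # SP entityID (Configure Identifiers, Fig. 7.10)
$ssoUrl     = "https://$fqdn$ssoPath"             # SAML 2.0 WebSSO URL (Fig. 7.9)
$ssoUrl8443 = "https://${fqdn}:8443$ssoPath"      # same URL with port 8443 (Fig. 7.19)

# 1. Support contact must be populated or the metadata cannot be imported (Fig. 7.3).
if (-not (Get-AdfsProperties).ContactPerson) {
    $contact = New-AdfsContactPerson -GivenName 'IT' -Surname 'Support' `
        -EmailAddresses 'support@example.com' -TelephoneNumbers '+1-000-000-0000'   # constructed
    $org = New-AdfsOrganization -DisplayName 'Example Org' -Name 'Example Org' `
        -OrganizationUrl 'https://www.example.com'                                  # constructed
    Set-AdfsProperties -ContactPerson $contact -OrganizationInfo $org
}

# 2. Two POST AssertionConsumer endpoints: index 0 from the wizard, index 1 for port 8443.
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ssoUrl     -Index 0),
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ssoUrl8443 -Index 1)
)

# 3. The "NexLog Claim" LDAP rule (Fig. 7.16): User-Principal-Name -> UPN and
#    Token-Groups qualified by long domain name -> Group, both read from Active Directory.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "NexLog Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,tokenGroups(longDomainQualifiedName);{0}", param = c.Value);
'@

# 4. Create the trust with the built-in "Permit everyone" access control policy (Fig. 7.11).
Add-AdfsRelyingPartyTrust -Name 'NexLog Recorder' -Identifier $entityId -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules -AccessControlPolicyName 'Permit everyone' `
    -Notes 'Relying party for the NexLog recorder (section 7.3.1)'

# 5. Review the identifier, policy and both endpoints before configuring the recorder side.
Get-AdfsRelyingPartyTrust -Name 'NexLog Recorder' |
    Select-Object Name, Identifier, AccessControlPolicyName,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Index): $($_.Location)" } } }
```

Run it in an elevated PowerShell session on the ADFS server; the final query should list the entityID and both endpoint indexes, matching what the GUI shows in Fig. 7.17 through Fig. 7.19.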