Active Directory Federation Services

Introduction

Active Directory Federation Services (ADFS) is the single sign-on (SSO) solution. It facilitates access to all integrated applications and systems with just your Active Directory (AD) credentials.

Install the ADFS role

To install the ADFS role:

1. Open Server Manager>Manage>Add roles and features. The Add Roles and Features wizard is launched.

2. On the Before you begin page, click Next.

3. On the Select installation type page, select Role-based or Feature-based installation and then click Next.

4. On the Select destination server page, click Select a server from the server pool and click Next.

5. On the Select server roles page, select Active Directory Federation Services and click Next.

6. On the confirmation page, click Install. The wizard displays the installation progress.

7. Verify the installed component and click Close.

Configure the federation server

To configure the federation server:

1. On the Server Manager Dashboard, click the Notifications flag and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard is launched.

2. On the Welcome page, select Create the first federation server in a federation server farm and click Next.

3. On the Connect to Active Directory Domain Services page, specify an account with domain administrator rights for the Active Directory domain that this system is connected to and then click Next.

4. On the Specify Service Properties page, enter the following details before clicking Next:

   1. Browse to the location of the SSL certificate and import it.

   2. Enter a Federation Service Name. This is the same value provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).

   3. Enter a Federation Service Display Name.

5. On the Specify Service Account page, select Use an existing domain user account and click Next.

6. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database and click Next.

7. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed and click Configure.

8. Review the results and check whether the configuration has been completed successfully on the Results page.

Create a relying party

To create a relying party:

1. On the Start menu, click Administrative Tools > AD FS Management. The ADFS Management console is launched.

2. Click Relying Party Trusts. The wizard to add a relying party is launched.
3. On the Add Relying Party Trusts Wizard, select Claims Aware and then click Start.

4. Under Select Data Source, select Enter data about the relying party manually.
5. In Specify Display Name field, enter MangoApps Cloud Platform.
6. In the Configure URL section, select Enable Support for SAML 2.0 WebSSO Protocol and enter Relying party service URL as https://adfs.xxxx.com/adfs/ (example).
7. On the Configure Identifiers page, enter Relying Party Trust Identifier and click Add.

8. Under Choose Access Control Policy, select Permit everyone and click Next.

9. On the Finish page, select Configure claims issuance policy for this application and click Close. The Claim Issuance policy page is launched.

10. If the Claim Issuance Policy page does not open, open AD FS Management Snap and right-click Relying on party trust > select Edit Claim Issuance Policy.

Create a new claim

1. Right-click MangoApps Cloud under Relying Party Trusts list and select Edit Claim Issuance Policy from the menu.

2. On the Issuance Transform Rules tab, click Add Rule.

3. Under Select Rule Template, set Send LDAP attributes as Claims as the rule template and click Next.
4. In the Edit Rule section, set the claim rule name as LDAP Directory.

1. Enter the appropriate values in each field based on the descriptions provided below.

Click OK.

Create a custom rule

1. On the Edit Claim Issuance Policy window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page is displayed.

2. From the Claim rule template list, select Transform an Incoming Claim and click Next. The Edit Rule – LDAP EMAIL window is displayed.

3. Enter appropriate values based on the actions suggested for each field.

4. Click Finish.

Add one consumer endpoint

Configure the Single Sign-On settings

To configure the single sign-on settings login to MangoApps admin console.

1. On the MangoAppsCloud Platform console, go to Settings.

2. Open the Single Sign-On tab and click Edit.

3. Enter appropriate attribute values based on the descriptions provided below for each field.

4. Click Save. After this configuration, SSO can be enabled for administrators and users.

Enable SSO for Administrators

1. On the MnagoApps Cloud Platform console, got to Settings.

2. On the Single Sign-On settings, click Edit. The Single Sign-On Settings page is displayed.

3. Select Enable single sign-on for administrators.

4. Click Save.

FAQs

What is the federation metadata address (hostname or URL) for Mango Apps?

Ans: We do not have federation metadata published, you need to create a Relying Party Trust in your ADFS server and then put the metadata of your ADFS server in MA.

MA will read that metadata and configure it.

What is the "Relying Party Identifier" used for MA?

Ans: It should be "https://<yourdomain>.mangoapps.com/saml/consume".

What is the SAML assertion consumer end point to be set ?

Ans: It should be "https://<yourdomain>.mangoapps.com/saml/consume" and binding should be "POST".

What claim rules to be set ?

Ans: You need to use LDAP Attribute "E-Mail Address" as "NameID" as the Outgoing claim type by transforming the incoming claim.