Configuring Active Directory Federation Services Parent topic

This section describes how to configure a federation server using Active Directory Federation Services (AD FS) to work with Deep Discovery Inspector.
Note
Note
Deep Discovery Inspector supports connecting to the federation server using AD FS 4.0 and 5.0.
Active Directory Federation Services (AD FS) provides support for claims-aware identity solutions that involve Windows Server and Active Directory technology. AD FS supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.
Before you begin configuring AD FS, make sure that:
  • You have a Windows Server installed with AD FS 4.0 or AD FS 5.0 to serve as a federation server.
  • You are logged on to the management console as a Deep Discovery Inspector administrator.
  • You have obtained the metadata file from Deep Discovery Inspector.
  • You have configured web browser settings on each endpoint to trust Deep Discovery Inspector and the federation server.

Procedure

  1. Go to StartAll ProgramsAdministrative Tools to open the AD FS management console.
  2. Click AD FS in the left navigation, and under the Action area on the right, click Add Relying Party Trust....
  3. Complete settings on each tab of the Add Relying Party Trust Wizard screen.
    1. On the Welcome tab, select Claims aware and click Start.
    2. On the Select Data Source tab, select Import data about the relying party from a file, click Browse to select the metadata file you obtain from Deep Discovery Inspector; then, click Next.
    3. On the Specify Display Name tab, specify a display name for Deep Discovery Inspector, for example, "Deep Discovery Inspector", and click Next.
    4. On the Choose Access Control Policy tab, select Permit everyone and click Next.
    5. On the Ready to Add Trust tab, click Next.
    6. On the Finish tab, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close.
      The Edit Claim Rules screen appears.
  4. On the Issuance Transform Rules tab, click Add Rule....
  5. Complete the settings on each tab of the Add Transform Claim Rule Wizard screen.
    1. On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
    2. On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and select Active Directory from the Attribute store drop-down list.
    3. Select the User-Principal-Name LDAP attribute and specify Name ID as the outgoing claim type for the attribute.
    4. Click OK.
  6. Click Add Rule....
    The Add Transform Claim Rule Wizard screen appears.
  7. Complete the settings on each tab of the Add Transform Claim Rule Wizard screen.
    1. On the Choose Rule Type tab, select Send Group Membership as a Claim from the Claim rule template drop-down list, and click Next.
      The Configure Claim Rule tab appears.
    2. For Claim rule name, type the name of the AD group.
    3. For User's group, click Browse and then select the AD group.
    4. For Outgoing claim type, type DDI_GROUP.
    5. For Outgoing claim value, type the name of the AD group.
    6. Click Apply and then click OK.
  8. Collect the single sign-on URL and export the Identity Provider metadata for AD FS.
    1. On the AD FS management console, go to AD FSServiceEndpoints.
    2. In the right pane, under EndpointsMetadata, in the Federation Metadata row, copy the URL path.
    3. Add the host name of the AD FS computer to the URL path that you copied.
      For example, https://hostname/FederationMetadata/2007-06/FederationMetadata.xml
    4. To retrieve the Identity Provider metadata, use a web browser to navigate to the complete URL that you obtained in the previous step.
    5. Save the Identity Provider metadata file as an XML file.
      Note
      Note
      Import this metadata file to Deep Discovery Inspector.