Configuring Active Directory Federation Services

This section describes how to configure a federation server using Active Directory Federation Services (AD FS) to work with Deep Discovery Web Inspector.
Note
Deep Discovery Web Inspector supports connecting to the federation server using AD FS 4.0 and 5.0.
Active Directory Federation Services (AD FS) provides support for claims-aware identity solutions that involve Windows Server and Active Directory technology. AD FS supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.
Before you begin configuring AD FS, make sure that:
  • You have a Windows Server installed with AD FS 4.0 or AD FS 5.0 to serve as a federation server.
  • You are logged on to the management console as a Deep Discovery Web Inspector administrator.
  • You have obtained the metadata file from Deep Discovery Web Inspector.
  • You have configured web browser settings on each endpoint to trust Deep Discovery Web Inspector and the federation server.

Procedure

  1. Go to Start > All Programs > Administrative Tools to open the AD FS management console.
  2. Click AD FS in the left navigation, and under the Action area on the right, click Add Relying Party Trust....
  3. Complete settings on each tab of the Add Relying Party Trust Wizard screen.
    1. On the Welcome tab, select Claims aware and click Start.
    2. On the Select Data Source tab, select Import data about the relying party from a file, click Browse to select the metadata file you obtained from Deep Discovery Web Inspector, and then click Next.
    3. On the Specify Display Name tab, specify a display name for Deep Discovery Web Inspector, for example, "Deep Discovery Web Inspector", and click Next.
    4. On the Choose Access Control Policy tab, select Permit everyone or Permit specific group. If you select Permit specific group, select one or more groups in Policy. Then, click Next.
    5. On the Ready to Add Trust tab, click Next.
    6. On the Finish tab, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close.
      The Edit Claim Rules screen appears.
  4. On the Issuance Transform Rules tab, click Add Rule....
  5. Complete settings on each tab of the Add Transform Claim Rule Wizard screen.
    1. On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
    2. On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and select Active Directory from the Attribute store drop-down list.
    3. Select the SAM-Account-Name LDAP attribute and specify Name ID as the outgoing claim type for the attribute.
    4. Click OK.

    LDAP attribute rule

    Claim Rule Name          | LDAP Attribute   | Outgoing Claim Type
    -------------------------|------------------|--------------------
    <user-defined rule name> | SAM-Account-Name | Name ID
    Note
    Deep Discovery Web Inspector does not restrict the LDAP Attribute. You can usually select SAM-Account-Name or User-Principal-Name as the LDAP Attribute.
  6. Configure settings for each AD group that you permitted in step 3d and to which you want to grant access to Deep Discovery Web Inspector.
    Note
    • The following procedure shows you how to configure settings using the Send Group Membership as a Claim rule for each AD group. Because this rule matches one group only, if you want to grant access to users in a child group and its parent group, you must create one rule for the child group and another for the parent group.
    • To customize settings based on your requirements, it is recommended that you use the Send Claims using a Custom Rule option.
    1. Click Add Rule....
      The Add Transform Claim Rule Wizard screen appears.
    2. On the Choose Rule Type tab, select Send Group Membership as a Claim from the Claim rule template drop-down list, and click Next.
      The Configure Claim Rule tab appears.
    3. For Claim rule name, type the name of the AD group.
    4. For User's group, click Browse and then select the AD group.
    5. For Outgoing claim type, type "memberOf".
    6. For Outgoing claim value, type the name of the AD group.
    7. Click Apply and then click OK.

      Group membership rule

      Claim Rule Name          | User Group                 | Outgoing Claim Type | Outgoing Claim Value
      -------------------------|----------------------------|---------------------|---------------------------
      <user-defined rule name> | <user group name in AD FS> | memberOf            | <user group name in AD FS>
      Note
      The Outgoing claim type must match the Logon group attribute configured in the Identity provider service of Deep Discovery Web Inspector. The default Logon group attribute is memberOf, which is why this example sets the Outgoing claim type to memberOf. If you change the Logon group attribute, change the Outgoing claim type in every group rule to the same value, or Deep Discovery Web Inspector will not recognize the group claims.
  7. Click Apply and then OK.
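The following PowerShell script is an added example that reproduces the wizard steps above (create the relying party trust from the metadata file, add the SAM-Account-Name to Name ID rule, and add one group membership rule) using the AD FS cmdlets and AD FS claim rule language. It is not part of the Deep Discovery Web Inspector documentation and is not a Trend Micro script. The metadata file path, the display name, and the AD group name are placeholders you must replace; the group SID is read from Active Directory with Get-ADGroup, which requires the ActiveDirectory RSAT module. The "Permit everyone" access control policy is used here; if you chose Permit specific group in the wizard, keep that setting in the console.

```powershell
# Added example (not from the Deep Discovery Web Inspector documentation).
# Run in an elevated PowerShell session on the AD FS 4.0/5.0 federation server.
# Assumed placeholders: $metadataFile path, $rpName, $groupName.

Import-Module ADFS

$rpName       = 'Deep Discovery Web Inspector'          # display name, as in step 3c
$metadataFile = 'C:\Temp\ddwi-metadata.xml'             # placeholder path to the exported metadata file
$groupName    = 'DDWI-Users'                            # placeholder AD group name
# The group membership template matches on the group SID, so look it up once.
# Get-ADGroup comes from the ActiveDirectory (RSAT) module.
$groupSid     = (Get-ADGroup -Identity $groupName).SID.Value

# Rule 1: equivalent of "Send LDAP Attributes as Claims" (step 5):
# SAM-Account-Name -> Name ID. sAMAccountName may be replaced with
# userPrincipalName, as the note on the LDAP attribute rule allows.
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Name ID from SAM-Account-Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
"@

# Rule 2: equivalent of "Send Group Membership as a Claim" (step 6), one per group.
# The outgoing claim type "memberOf" must equal the Logon group attribute
# configured in Deep Discovery Web Inspector; the value is the group name.
$groupRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "$groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "memberOf", Value = "$groupName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

$rules = $ldapRule + "`n" + $groupRule

# Steps 2-3: create the relying party trust from the metadata file, or update
# the issuance transform rules if the trust already exists.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName `
        -MetadataFile $metadataFile `
        -AccessControlPolicyName 'Permit everyone' `
        -IssuanceTransformRules $rules
}
else {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
}

# Verification: the stored rules should show both @RuleName entries and the
# memberOf claim type; mismatches here are the usual cause of failed logons.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object -ExpandProperty IssuanceTransformRules
```

To add a second group (for example a parent group as well as a child group, per the note in step 6), append another EmitGroupClaims block with that group's SID and name to $rules; each block matches exactly one group SID, which is why nested membership needs one rule per group.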