This section describes how to configure a federation server using Active Directory Federation Services (AD FS) to work with Deep Discovery Analyzer.
Note: Deep Discovery Analyzer supports connecting to the federation server using AD FS 4.0 and 5.0.
Active Directory Federation Services (AD FS) provides
support for claims-aware identity solutions that involve Windows Server and Active
Directory technology. AD FS supports the WS-Trust, WS-Federation, and Security
Assertion Markup Language (SAML) protocols.
Before you begin configuring AD FS, make sure that:
- You have a Windows Server installed with AD FS 4.0 or AD FS 5.0 to serve as a federation server.
- You are logged on to the management console as a Deep Discovery Analyzer administrator.
- You have obtained the metadata file from Deep Discovery Analyzer.
- You have configured web browser settings on each endpoint to trust Deep Discovery Analyzer and the federation server. For more information, see Configuring Endpoints for Single Sign-on through AD FS.
Procedure
- Go to to open the AD FS management console.
- Click AD FS in the left navigation, and under the Action area on the right, click Add Relying Party Trust....
- Complete settings on each tab of the Add Relying Party Trust Wizard screen.
  - On the Welcome tab, select Claims aware and click Start.
  - On the Select Data Source tab, select Import data about the relying party from a file, click Browse to select the metadata file you obtained from Deep Discovery Analyzer, and then click Next.
  - On the Specify Display Name tab, specify a display name for Deep Discovery Analyzer, for example, "Deep Discovery Analyzer", and click Next.
  - On the Choose Access Control Policy tab, select Permit everyone or Permit specific group. If you select Permit specific group, select one or more groups in Policy. Then, click Next.
  - On the Ready to Add Trust tab, click Next.
  - On the Finish tab, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close. The Edit Claim Rules screen appears.
- On the Issuance Transform Rules tab, click Add Rule....
- Complete settings on each tab of the Add Transform Claim Rule Wizard screen.
  - On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
  - On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and select Active Directory from the Attribute store drop-down list.
  - Select the User-Principal-Name LDAP attribute and specify Name ID as the outgoing claim type for the attribute.
  - Click OK.
  LDAP attribute rule
  Claim Rule Name             LDAP Attribute         Outgoing Claim Type
  <user-defined rule name>    User-Principal-Name    Name ID
- Configure settings for each AD group that you permitted in step 3d and to which you want to grant access to Deep Discovery Analyzer.
  Note
  - The following procedure shows you how to configure settings using the Send Group Membership as a Claim rule for each AD group. If you want to grant access to users in a child group and its associated parent group, you must create one rule for the child group and another for the parent group.
  - To customize settings based on your requirements, it is recommended that you use the Send Claims Using a Custom Rule option.
  - Make sure you set the outgoing claim type as DDAN_groups.
  For more information, see https://success.trendmicro.com/solution/000258112.
  - Click Add Rule.... The Add Transform Claim Rule Wizard screen appears.
  - On the Choose Rule Type tab, select Send Group Membership as a Claim from the Claim rule template drop-down list, and click Next. The Configure Claim Rule tab appears.
  - For Claim rule name, type the name of the AD group.
  - For User's group, click Browse and then select the AD group.
  - For Outgoing claim type, type "DDAN_groups".
  - For Outgoing claim value, type the name of the AD group.
  - Click Apply and then click OK.
  Group membership rule
  Claim Rule Name             User Group                   Outgoing Claim Type    Outgoing Claim Value
  <user-defined rule name>    <user group name in AD FS>   DDAN_groups            <user group name in AD FS>
- Click Apply and then OK.
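The same relying party trust and the two claim rules can be created from the AD FS PowerShell module on the federation server, which is useful for reproducing the configuration on a second federation server or for auditing what the wizard produced. The following script is an added example and is not part of the Deep Discovery Analyzer documentation or product: the metadata file path, the display name, the AD group name and the group SID are placeholders you must replace; the claim rule text is what the Send LDAP Attributes as Claims and Send Group Membership as a Claim templates generate for the values given in the tables above.

```powershell
# Added example: recreate the wizard steps above with the ADFS module.
# Run in an elevated PowerShell session on the federation server.
Import-Module ADFS

$rpName       = 'Deep Discovery Analyzer'     # display name from step 3c
$metadataFile = 'C:\Temp\ddan-metadata.xml'   # ASSUMED: path of the metadata file obtained from Deep Discovery Analyzer
$groupName    = 'DDAN Administrators'         # ASSUMED: an AD group permitted in step 3d
$groupSid     = 'S-1-5-21-<domain>-<rid>'     # PLACEHOLDER: SID of that group, e.g. (Get-ADGroup $groupName).SID.Value

# Rule 1 (step 5): Send LDAP Attributes as Claims, User-Principal-Name -> Name ID.
$upnRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Rule 2 (step 6): Send Group Membership as a Claim with outgoing claim type DDAN_groups.
# One such rule is needed per AD group (and separately for a child group and its parent).
$groupRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "$groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "DDAN_groups", Value = "$groupName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Step 3: import the relying party from the metadata file, apply the access control
# policy chosen in step 3d ('Permit everyone' here; use 'Permit specific group' with
# -AccessControlPolicyParameters to restrict it), and attach both issuance rules.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules ($upnRule + "`n" + $groupRule)

# Check: the trust exists, is enabled, and carries both rules.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Enabled, IssuanceTransformRules
```

Reviewing the output of the final Get-AdfsRelyingPartyTrust call against the two tables above is a quick way to confirm that the Name ID claim is sourced from userPrincipalName and that every group claim uses the outgoing type DDAN_groups; a group rule with any other claim type will not be recognized by Deep Discovery Analyzer.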