Views:
This section describes how to configure a federation server using Active Directory Federation Services (AD FS) to work with Deep Discovery Analyzer.
Note
Note
Deep Discovery Analyzer supports connecting to the federation server using AD FS 4.0 and 5.0.
Active Directory Federation Services (AD FS) provides support for claims-aware identity solutions that involve Windows Server and Active Directory technology. AD FS supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.
Before you begin configuring AD FS, make sure that:
  • You have a Windows Server installed with AD FS 4.0 or AD FS 5.0 to serve as a federation server.
  • You are logged on to the management console as a Deep Discovery Analyzer administrator.
  • You have obtained the metadata file from Deep Discovery Analyzer.
  • You have configured web browser settings on each endpoint to trust Deep Discovery Analyzer and the federation server.

Procedure

  1. Go to StartAll ProgramsAdministrative Tools to open the AD FS management console.
  2. Click AD FS in the left navigation, and under the Action area on the right, click Add Relying Party Trust....
  3. Complete settings on each tab of the Add Relying Party Trust Wizard screen.
    1. On the Welcome tab, select Claims aware and click Start.
    2. On the Select Data Source tab, select Import data about the relying party from a file, click Browse to select the metadata file you obtain from Deep Discovery Analyzer; then, click Next.
    3. On the Specify Display Name tab, specify a display name for Deep Discovery Analyzer, for example, "Deep Discovery Analyzer", and click Next.
    4. On the Choose Access Control Policy tab, select Permit everyone or Permit specific group. If you select Permit specific group, select one or more groups in Policy. Then, click Next.
    5. On the Ready to Add Trust tab, click Next.
    6. On the Finish tab, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close.
      The Edit Claim Rules screen appears.
  4. On the Issuance Transform Rules tab, click Add Rule....
  5. Complete settings on each tab of the Add Transform Claim Rule Wizard screen.
    1. On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
    2. On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and select Active Directory from the Attribute store drop-down list.
    3. Select the User-Principal-Name LDAP attribute and specify Name ID as the outgoing claim type for the attribute.
    4. Click OK.

    LDAP attribute

    Claim Rule Name
    LDAP Attribute
    Outgoing Claim Type
    <user-defined rule name>
    User-Principal-Name
    Name ID
  6. Configure settings for each AD group that you permitted in step 3d and to which you want to grant access to Deep Discovery Analyzer.
    Note
    Note
    • The following procedure shows you how to configure settings using the Send Group Membership as a claim rule for each AD group. If you want to grant access to users in a child group and its associated parent group, you must create a rule each for the child group and parent group.
    • To customize settings based on your requirements, it is recommended that you use the Send Claims using a Custom Rule option.
    • Make sure you set the outgoing claim type as DDAN_groups.
    1. Click Add Rule....
      The Add Transform Claim Rule Wizard screen appears.
    2. On the Choose Rule Type tab, select Send Group Membership as a Claim from the Claim rule template drop-down list, and click Next.
      The Configure Claim Rule tab appears.
    3. For Claim rule name, type the name of the AD group.
    4. For User's group, click Browse and then select the AD group.
    5. For Outgoing claim type, type "DDAN_groups".
    6. For Outgoing claim value, type the name of the AD group.
    7. Click Apply and then click OK.

      Group membership rule

      Claim Rule Name
      User Group
      Outgoing Claim Type
      Outgoing Claim Value
      <user-defined rule name>
      <user group name in AD FS>
      DDAN_groups
      <user group name in AD FS>
  7. Click Apply and then OK.