This section describes how to configure a federation server using Active Directory Federation Services (AD FS) to work with Deep Discovery Director (Consolidated Mode).

Note
Deep Discovery Director (Consolidated Mode) supports connecting to the federation server using AD FS 4.0 and 5.0.
Active Directory Federation Services (AD FS) provides
support for claims-aware identity solutions that involve Windows Server and Active
Directory technology. AD FS supports the WS-Trust, WS-Federation, and Security
Assertion Markup Language (SAML) protocols.
Before you begin configuring AD FS, make sure that:
- You have a Windows Server installed with AD FS 4.0 or AD FS 5.0 to serve as a federation server.
- You are logged on to the management console as a Deep Discovery Director (Consolidated Mode) administrator.
- You have obtained the metadata file from Deep Discovery Director (Consolidated Mode).
- You have enabled Windows Integrated Authentication on the federation server. For details, see Enabling Windows Integrated Authentication on AD FS.
- You have configured web browser settings on each endpoint to trust Deep Discovery Director (Consolidated Mode) and the federation server. For details, see Configuring Endpoints for Single Sign-on through AD FS.
Procedure
- Go to to open the AD FS management console.
- Click AD FS in the left navigation, and under the Action area on the right, click Add Relying Party Trust....
- Complete the settings on each tab of the Add Relying Party Trust Wizard screen.
  - On the Welcome tab, select Claims aware and click Start.
  - On the Select Data Source tab, select Import data about the relying party from a file, click Browse to select the metadata file you obtained from Deep Discovery Director (Consolidated Mode), and then click Next.
  - On the Specify Display Name tab, specify a display name for Deep Discovery Director (Consolidated Mode), for example, "Deep Discovery Director (Consolidated Mode)", and click Next.
  - On the Choose Access Control Policy tab, select Permit everyone and click Next.
  - On the Ready to Add Trust tab, click Next.
  - On the Finish tab, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close. The Edit Claim Rules screen appears.
- On the Issuance Transform Rules tab, click Add Rule....
- Complete the settings on each tab of the Add Transform Claim Rule Wizard screen.
  - On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
  - On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and select Active Directory from the Attribute store drop-down list.
  - Select the User-Principal-Name LDAP attribute and specify Name ID as the outgoing claim type for the attribute.
  - Click OK.
- Click Add Rule.... The Add Transform Claim Rule Wizard screen appears.
- Complete the settings on each tab of the Add Transform Claim Rule Wizard screen.
  - On the Choose Rule Type tab, select Send Group Membership as a Claim from the Claim rule template drop-down list, and click Next. The Configure Claim Rule tab appears.
  - For Claim rule name, type the name of the AD group.
  - For User's group, click Browse and then select the AD group.
  - For Outgoing claim type, type DDD_GROUP.
  - For Outgoing claim value, type the name of the AD group.
  - Click Apply and then click OK.
  - On the Choose Rule Type tab, select Send Group Membership as a Claim from the Claim rule template drop-down list, and click Next.
- Collect the single sign-on URL and export the Identity Provider metadata for AD FS.
  - On the AD FS management console, go to .
  - In the right pane, under , in the Federation Metadata row, copy the URL path.
  - Add the host name of the AD FS computer to the URL path that you copied. For example, https://hostname/FederationMetadata/2007-06/FederationMetadata.xml
  - To retrieve the Identity Provider metadata, use a web browser to navigate to the complete URL that you obtained in the previous step.
  - Save the Identity Provider metadata file as an XML file.

Note
Import this metadata file to Deep Discovery Director (Consolidated Mode).
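The same relying party trust and the two claim rules that the wizard steps above create, expressed with the AD FS PowerShell module on the federation server. This is an added example, not code from the Trend Micro documentation; the metadata file path, the display name and the AD group name DDD-Admins are assumptions to adjust for your environment.

```powershell
# Added example (not from the product documentation). Run in an elevated
# PowerShell session on the AD FS server. Paths and group name are assumed.
Import-Module ADFS
Import-Module ActiveDirectory

$metadataFile = 'C:\temp\ddd-metadata.xml'   # metadata file obtained from DDD (assumed path)
$displayName  = 'Deep Discovery Director (Consolidated Mode)'
$groupName    = 'DDD-Admins'                  # AD group allowed to sign on (assumed name)

# The "Send Group Membership as a Claim" template matches on the group SID,
# so resolve it from Active Directory first.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Rule 1 = "Send LDAP Attributes as Claims": User-Principal-Name -> Name ID.
# Rule 2 = "Send Group Membership as a Claim": outgoing type DDD_GROUP,
#          outgoing value = the AD group name, exactly as in the wizard steps.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "$groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "DDD_GROUP", Value = "$groupName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Create the claims-aware trust from the DDD metadata file with the built-in
# "Permit everyone" access control policy (the wizard's Choose Access Control Policy step).
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataFile $metadataFile `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules

# Check the result: the identifier comes from the DDD metadata and the rule set
# should contain exactly the Name ID and DDD_GROUP rules above.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, IssuanceTransformRules

# Build the Identity Provider metadata URL from the federation service host name,
# the same URL shown in the Federation Metadata row of the console.
$fsHost = (Get-AdfsProperties).HostName
"https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml"
```

Review the emitted IssuanceTransformRules before importing the metadata into Deep Discovery Director (Consolidated Mode); only users who carry a DDD_GROUP claim for a group mapped on the DDD side will be authorized.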
