This section describes how to configure a federation server using Active Directory Federation Services (AD FS) to work with Deep Discovery Email Inspector.
Deep Discovery Email Inspector supports connecting to the federation server using AD FS 4.0 and 5.0.
Active Directory Federation Services (AD FS) provides support for claims-aware identity solutions that involve Windows Server and Active Directory technology. AD FS supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.
Before you begin configuring AD FS, make sure that:
-
You have a Windows Server installed with AD FS 4.0 or AD FS 5.0 to serve as a federation server.
-
You are logged on to the management console as a Deep Discovery Email Inspector administrator.
-
You have obtained the metadata file from Deep Discovery Email Inspector.
- Go to Start > All Programs > Administrative Tools to open the AD FS management console.
- Click AD FS in the left navigation, and under the Action area on the right, click Add Relying Party Trust....
-
Complete settings on each tab of the Add
Relying Party Trust Wizard screen.
- On the Welcome tab, select Claims aware and click Start.
- On the Select Data Source tab, select Import data about the relying party from a file, click Browse to select the metadata file you obtain from Deep Discovery Email Inspector; then, click Next.
- On the Specify Display Name tab, specify a display name for Deep Discovery Email Inspector, for example, "Deep Discovery Email Inspector", and click Next.
- On the Choose Access Control Policy tab, select Permit everyone or Permit specific group. If you select Permit specific group, select one or more groups in Policy. Then, click Next.
- On the Ready to Add Trust tab, click Next.
-
On the Finish tab, select
Open the Edit Claim Rules dialog for this relying party
trust when the wizard closes and click
Close.
The Edit Claim Rules screen appears.
- On the Issuance Transform Rules tab, click Add Rule....
-
Complete settings on each tab of the Add Transform Claim
Rule Wizard screen to configure the claim rules for the LDAP
attributes listed in the following table.
- On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
- On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and select Active Directory from the Attribute store drop-down list.
- Select the User-Principal-Name LDAP attribute and specify Name ID as the outgoing claim type for the attribute.
- Click OK.
Table 1. LDAP attributes Web Console
LDAP Attribute
Outgoing Claim Type
Required
Management
User-Principal-Name
Name ID
Yes
EUQ
User-Principal-Name
Name ID
Yes
EUQ
E-Mail-Addresses
<user-defined value>
For example, EUQ_Email.
No
EUQ
Proxy-Addresses
<user-defined value>
For example, EUQ_PROXY_Email.
No
-
Configure settings for each AD group that you permitted in step 3d and
customize the settings based on your requirements.
Note:
Make sure you set the outgoing claim type as DDEI_GROUP.
-
Click Add Rule....
The Add Transform Claim Rule Wizard screen appears.
-
On the Choose Rule Type tab, select
Send Group Membership as a Claim from the
Claim rule template drop-down list, and click
Next.
The Configure Claim Rule tab appears.
- For Claim rule name, type the name of the AD group.
- For User's group, click Browse and then select the AD group.
- For Outgoing claim type, type "DDEI_GROUP".
- For Outgoing claim value, type the name of the AD group.
-
Click Apply and then click
OK.
Table 2. Group membership rules Claim Rule Name
User Group
Outgoing Claim Type
Outgoing Claim Value
<user-defined rule name>
<user group name in ADFS>
DDEI_GROUP
<user-defined value>
Note:This value must be the same as the SAML group name you configure on Deep Discovery Email Inspector.
-
Click Add Rule....
- Click Apply and then OK.