Active Directory Federation Services (AD FS) Authentication uses the Synchronization Agent and your AD FS server to synchronize and authenticate users. The Synchronization Agent provides the Active Directory synchronization. You can use this authentication method if you want a very secure solution and you have an AD FS server. The Active Directory account and password do not go through TMWS.
When there are multiple domains, they all use the same authentication method (Direct, AD FS, Agent, Okta, Azure AD, or Google), but each domain can have different settings under that method.

Procedure

  1. Go to Administration > USERS & AUTHENTICATION > Directory Services.
  2. Click here on the upper area of the Directory Services screen.
  3. On the screen that appears, select AD FS and then click Save.
    If you have not installed the Synchronization Agent yet, click Download the Synchronization Agent and install it to your Intranet. For details, see Synchronization Agent Configuration.
  4. Click the icon next to Disabled under AD Integration corresponding to the domain you want to configure.
  5. On the Edit AD Integration Settings screen that appears, configure the following parameters.
    Domain name: This field cannot be modified.
    Authentication method: This field cannot be modified.
    Enable AD integration: Click On or Off as necessary.
    Allow non-synchronized users: Click On or Off to decide whether to allow the AD users of your organization to visit websites through TMWS if their data is not synchronized to TMWS.
    Note: This setting takes effect only when User authentication is set to Transparent authentication on a TMWS gateway.
    Last synchronized: Date and time when the last synchronization of Active Directory users and groups occurred.
  6. Configure the AD FS Identity Provider Settings section.
    AD FS service URL: Type the URL, which you can obtain from the XML metadata of the AD FS Identity Provider. For example: https://<adfs_domain_name>/adfs/ls/
    Logon name attribute: Type the attribute that TMWS uses to identify Active Directory users in the format userid@domain. The userid part is synchronized from Active Directory using the User Name Attribute specified in the Active Directory synchronization settings, so the Logon name attribute should have the same value as that User Name Attribute, whose default is sAMAccountName.
    Public SSL certificate: Click Select, locate the public certificate of the AD FS Identity Provider that is used to verify a digital signature, and click Upload.
  7. Configure the AD FS Service Provider Settings section.
    Require signed SAML request: Turn on if the AD FS Service Provider expects the SAML request to be signed.
    Service Provider information: Click the links to view data from the Service Provider. The Service Provider Metadata is used when configuring the AD FS server.
    AD FS configuration script: Click the link to download an automatic AD FS configuration package. To simplify AD FS configuration, TMWS provides a PowerShell script that automatically configures your AD FS server to work with TMWS. For details, see Automatic AD FS Configuration.
  8. Click Save.
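Steps 6 and 7 take the service URL, the signing certificate and the signed-request requirement from the AD FS Identity Provider metadata. As an added example (not TMWS code), the Python below parses a constructed, trimmed copy of that metadata and returns those three values, reducing the certificate to a SHA-256 fingerprint so it can be compared with the certificate uploaded in step 6; the host adfs.example.test and the certificate bytes are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of AD FS federation metadata, trimmed to the IdP elements
# read below; the certificate value is a placeholder, not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBcGVyY2VydA==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, colon-separated, as certificate UIs show it."""
    der = base64.b64decode("".join(cert_b64.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def idp_settings(metadata_xml):
    """Pull the values that steps 6 and 7 ask for out of the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # AD FS service URL: the HTTP-Redirect SingleSignOnService endpoint (/adfs/ls/).
    urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == HTTP_REDIRECT]
    if not urls or not urls[0].startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService endpoint published")
    # Public SSL certificate: every signing key (two during an AD FS certificate rollover).
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    return {"sso_url": urls[0],
            "signing_cert_fingerprints": [fingerprint(c) for c in certs if c],
            "want_signed_requests": idp.get("WantAuthnRequestsSigned") == "true"}
```

Run it against the metadata document your own AD FS server publishes to confirm the endpoint is HTTPS and that the fingerprint matches the certificate you upload; WantAuthnRequestsSigned is the standard SAML metadata attribute that corresponds to the Require signed SAML request toggle.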