This section describes how to configure a federation server using AD FS 3.0 to work with Cloud App Security.
A federation server is a computer that runs a specialized web service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of identity claims, such as a user's name or role. The federation server can be configured for intranet access only, which prevents exposing it to the Internet.
Cloud App Security supports connecting to the federation server using AD FS 2.0 and 3.0.
Active Directory Federation Services (AD FS) 3.0, often referred to as AD FS 2012 R2, provides support for claims-aware identity solutions that involve Windows Server and Active Directory technology. AD FS 3.0 supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.
Before you begin configuring AD FS, make sure that:
You have a Windows Server installed with AD FS 3.0 to serve as a federation server.
You are logged on to the management console as a Cloud App Security global administrator. For details, see Administrator and Role.
No encryption certificate is required; HTTPS is used for communication between Cloud App Security and federation servers.
The SAML 2.0 SSO service URL is <Cloud App Security admin site URL>/ssoLogin, where the admin site depends on your serving site. For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, the SAML 2.0 SSO service URL is https://admin-eu.tmcas.trendmicro.com/ssoLogin.
The Edit Claim Rules screen appears.
The transform claim rule you created earlier appears on the Issuance Transform Rules tab.
The Edit Global Authentication Policy screen appears.
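The following PowerShell script, added here as an example and not part of the Cloud App Security documentation, creates on the AD FS 3.0 server the relying party trust with the SAML 2.0 SSO service URL from the prerequisites above and attaches a transform claim rule, enforcing the HTTPS requirement the page states. The relying party identifier and the claims Cloud App Security expects are assumptions (placeholders); take the real values from the management console.

```powershell
# Added example, not Trend Micro's own code: scripts the relying party trust on a
# Windows Server 2012 R2 (AD FS 3.0) federation server for Cloud App Security.
Import-Module ADFS

$consoleUrl = 'https://admin-eu.tmcas.trendmicro.com'   # EU example from the page; adjust to your serving site
$ssoUrl     = "$consoleUrl/ssoLogin"                     # SAML 2.0 SSO service URL, derived as the page describes
$rpName     = 'Trend Micro Cloud App Security'
$rpId       = '<RELYING-PARTY-IDENTIFIER-FROM-CONSOLE>'   # placeholder: the page does not give this value

# The page states HTTPS is used between Cloud App Security and the federation server;
# refuse to create a trust whose assertion consumer endpoint is plain HTTP.
if (-not $ssoUrl.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "SSO service URL must use HTTPS: $ssoUrl"
}

# SAML assertion consumer endpoint (HTTP-POST binding) pointing at /ssoLogin.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ssoUrl -Index 0 -IsDefault $true

# Assumed claim rules: read the AD mail attribute and send it as the SAML NameID (email format).
# Whether Cloud App Security expects exactly this claim is an assumption; check the console.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: permit all authenticated users. Narrow this to an AD group
# in production so only intended administrators can obtain a token for the console.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpId -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Verify: the trust exists and its only SAML endpoint is the HTTPS /ssoLogin URL,
# which is what the Issuance Transform Rules tab and endpoint list should now show.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
```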