Configuring Active Directory Federation Services

This section describes how to configure a federation server using AD FS 3.0 to work with Cloud App Security.

A federation server is a computer that runs a specialized web service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of identity claims, such as a user's name or role. The federation server can be configured only for Intranet access to prevent exposure to the Internet.

Note:

Cloud App Security supports connecting to the federation server using AD FS 2.0 and 3.0.

Active Directory Federation Services (AD FS) 3.0, often referred to as AD FS 2012 R2, provides support for claims-aware identity solutions that involve Windows Server and Active Directory technology. AD FS 3.0 supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.

Before you begin configuring AD FS, make sure that:

  • You have a Windows Server installed with AD FS 3.0 to serve as a federation server.

  • You are logged on to the management console as a Cloud App Security global administrator. For details, see Administrator and Role.

  1. Go to Start > All Programs > Administrative Tools to open the AD FS management console.
  2. Click AD FS in the left navigation, and under the Action area on the right, click Add Relying Party Trust....
  3. Complete settings on each tab of the Add Relying Party Trust Wizard screen.
    1. On the Welcome tab, click Start.
    2. On the Select Data Source tab, select Enter data about the relying party manually and click Next.
    3. On the Specify Display Name tab, specify a display name for Cloud App Security, for example, Trend Micro Cloud App Security, and click Next.
    4. On the Choose Profile tab, select AD FS profile and click Next.
    5. On the Configure Certificate tab, click Next.
      Note:

      No encryption certificate is required, and HTTPS will be used for communication between Cloud App Security and federation servers.

    6. On the Configure URL tab, select Enable support for the SAML 2.0 WebSSO protocol, type the relying party SAML 2.0 SSO service URL, and then click Next.
      Note:

      The SAML 2.0 SSO service URL is Cloud App Security_admin_site/ssoLogin depending on your serving site. For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, the SAML 2.0 SSO service URL is https://admin-eu.tmcas.trendmicro.com/ssoLogin.

    7. On the Configure Identifiers tab, type the identifier for the relying party trust, click Add, and then click Next. This is also referred to as Application Identifier on the Cloud App Security management console.
    8. On the Configure Multi-factor Authentication Now? tab, leave Multifactor Authentication at default and click Next.
    9. On the Choose Issuance Authorization Rules tab, select Permit all users to access this relying party and click Next.
    10. On the Ready to Add Trust tab, click Next.
    11. On the Finish tab, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close.

      The Edit Claim Rules screen appears.

  4. On the Issuance Transform Rules tab, click Add Rule....
  5. Complete settings on each tab of the Add Transform Claim Rule Wizard screen.
    1. On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
    2. On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and select Active Directory from the Attribute store drop-down list.
    3. Select the following LDAP attributes and specify an outgoing claim type for each attribute: select E-Mail-Addresses and select E-Mail Address from the Outgoing Claim Type drop-down list; select User-Principal-Name and select Name from the Outgoing Claim Type drop-down list.
    4. Click Finish.

      The transform claim rule you created earlier appears on the Issuance Transform Rules tab.

  6. Click Add Rule....
  7. Complete settings on each tab of the Add Transform Claim Rule Wizard screen.
    1. On the Choose Rule Type tab, select Transform an Incoming Claim from the Claim rule template drop-down list, and click Next.
    2. On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and select or type E-Mail Address for Incoming claim type, Name ID for Outgoing claim type, and Email for Outgoing name ID format.
    3. Select Pass through all claim values, and click Finish.

      The transform claim rule you created earlier appears on the Issuance Transform Rules tab.

  8. Click Apply and then OK.
  9. Collect the single sign-on URL and export a certificate for AD FS signature validation on the Cloud App Security management console.
    1. On the AD FS management console, go to AD FS > Service > Endpoints.
    2. Under the Endpoints area, locate the SAML 2.0/WS-Federation type and record URL /adfs/ls/.
    3. Go to AD FS > Service > Certificates.
    4. Locate the Token-signing certificate, right-click it, and then select View Certificate.
    5. On the Certificate screen that appears, click the Details tab and click Copy to File.
    6. On the Certificate Export Wizard screen that appears, select Base-64 Encoded X.509 (.Cer) and click Next.
    7. Specify a name of the file in the File name text box and click Next.
    8. Click Finish to complete exporting the certificate into a file.
  10. Configure the authentication methods.
    1. On the AD FS management console, go to AD FS > Authentication Policies.
    2. Under the Authentication Policies area, click Edit next to Global Settings under Primary Authentication.

      The Edit Global Authentication Policy screen appears.

    3. On the Primary tab, select Forms Authentication and Certificate Authentication in the Extranet area, and Forms Authentication and Windows Authentication in the Intranet area.
    4. Click OK.
Parent topic: Single Sign-On