Configuring Active Directory Federation Services
This section describes how to configure a federation server using Active Directory Federation Services (AD FS) to work with Deep Discovery Analyzer.
Deep Discovery Analyzer supports connecting to the federation server using AD FS 4.0 and 5.0.
Active Directory Federation Services (AD FS) provides support for claims-aware identity solutions that involve Windows Server and Active Directory technology. AD FS supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.
Before you begin configuring AD FS, make sure that:
-
You have a Windows Server installed with AD FS 4.0 or AD FS 5.0 to serve as a federation server.
-
You are logged on to the management console as a Deep Discovery Analyzer administrator.
-
You have obtained the metadata file from Deep Discovery Analyzer.
-
You have configured web browser settings on each endpoint to trust Deep Discovery Analyzer and the federation server.
For more information, see Configuring Endpoints for Single Sign-on through AD FS.
- Go to Start > All Programs > Administrative Tools to open the AD FS management console.
- Click AD FS in the left navigation, and under the Action area on the right, click Add Relying Party Trust....
-
Complete settings on each tab of the Add
Relying Party Trust Wizard screen.
- On the Welcome tab, select Claims aware and click Start.
- On the Select Data Source tab, select Import data about the relying party from a file, click Browse to select the metadata file you obtain from Deep Discovery Analyzer; then, click Next.
- On the Specify Display Name tab, specify a display name for Deep Discovery Analyzer, for example, "Deep Discovery Analyzer", and click Next.
- On the Choose Access Control Policy tab, select Permit everyone or Permit specific group. If you select Permit specific group, select one or more groups in Policy. Then, click Next.
- On the Ready to Add Trust tab, click Next.
-
On the Finish tab, select
Open the Edit Claim Rules dialog for this relying party
trust when the wizard closes and click
Close.
The Edit Claim Rules screen appears.
- On the Issuance Transform Rules tab, click Add Rule....
-
Complete settings on each tab of the Add Transform Claim
Rule Wizard screen.
- On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
- On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and select Active Directory from the Attribute store drop-down list.
- Select the User-Principal-Name LDAP attribute and specify Name ID as the outgoing claim type for the attribute.
- Click OK.
Table 1. LDAP attribute Claim Rule Name
LDAP Attribute
Outgoing Claim Type
<user-defined rule name>
User-Principal-Name
Name ID
-
Configure settings for each AD group that you permitted in step 3d and to which
you want to grant access to Deep Discovery Analyzer.
Note:
-
The following procedure shows you how to configure settings using the Send Group Membership as a claim rule for each AD group. If you want to grant access to users in a child group and its associated parent group, you must create a rule each for the child group and parent group.
-
To customize settings based on your requirements, it is recommended that you use the Send Claims using a Custom Rule option.
-
Make sure you set the outgoing claim type as DDAN_groups.
For more information, see https://success.trendmicro.com/solution/000258112.
-
Click Add Rule....
The Add Transform Claim Rule Wizard screen appears.
-
On the Choose Rule Type tab, select
Send Group Membership as a Claim from the
Claim rule template drop-down list, and click
Next.
The Configure Claim Rule tab appears.
- For Claim rule name, type the name of the AD group.
- For User's group, click Browse and then select the AD group.
- For Outgoing claim type, type "DDAN_groups".
- For Outgoing claim value, type the name of the AD group.
-
Click Apply and then click
OK.
Table 2. Group membership rule Claim Rule Name
User Group
Outgoing Claim Type
Outgoing Claim Value
<user-defined rule name>
<user group name in AD FS>
DDAN_groups
<user group name in AD FS>
-
- Click Apply and then OK.
