Active Directory Federation Services Authentication

Active Directory Federation Services (AD FS) Authentication uses the Synchronization Agent and your AD FS server to synchronize and authenticate users. The Synchronization Agent provides the Active Directory synchronization. You can use this authentication method if you want a very secure solution and you have an AD FS server. The Active Directory account and password do not go through TMWS.

When there are multiple domains, they have the same authentication method, that is, Direct, AD FS, Agent, Okta, Azure AD, or Google. Each domain may have different settings under the same authentication method.

  1. Go to Administration > USERS & AUTHENTICATION > Directory Services.
  2. Click here on the upper area of the Directory Services screen.
  3. On the screen that appears, select AD FS and then click Save.

    If you have not installed the Synchronization Agent yet, click Download the Synchronization Agent and install it to your Intranet. For details, see Synchronization Agent Configuration.

  4. Click next to Disabled under AD Integration corresponding to the domain you want to configure.
  5. On the Edit AD Integration Settings screen that appears, configure the following parameters.

    Item

    Setting

    Domain name

    This field cannot be modified.

    Authentication method

    This field cannot be modified.

    Enable AD integration

    Click On or Off as necessary.

    Allow non-synchronized users

    Click On or Off to decide whether to allow the AD users of your organization to visit websites through TMWS if their data is not synchronized to TMWS.

    Note:

    This setting takes effect only when User authentication is set to Transparent authentication on an TMWS gateway.

    Last synchronized

    Date and time when the last synchronization of Active Directory users and groups occurred.

  6. Configure the AD FS Identity Provider Settings section.

    Item

    Setting

    AD FS service URL

    Type the URL, which you can obtain from the XML metadata of the AD FS Identity Provider.

    For example: https://<adfs_domain_name>/adfs/ls/

    Logon name attribute

    Type the attribute used by TMWS to format Active Directory users based on the format, userid@domain.

    userid is synchronized from the Active Directory, using the User Name Attribute specified in the Active Directory synchronization settings. The Logon name attribute should be the same value as the User Name Attribute of Active Directory synchronization setting, which is the default value of sAMAccountName.

    Public SSL certificate

    Click Select, locate the public certificate of the AD FS Identity Provider that is used to verify a digital signature, and click Upload.

  7. Configure the AD FS Service Provider Settings section.

    Item

    Setting

    Require signed SAML request

    Turn on if the AD FS Service Provider expects the SAML request to be signed.

    Service Provider information

    Click the links to view data from the Service Provider.

    The Service Provider Metadata is used when configuring the AD FS server.

    AD FS configuration script

    Click the link to download an automatic AD FS configuration package.

    To simplify AD FS configuration, TMWS provides a PowerShell script to automatically configure your AD FS server to work with TMWS. For details, see Automatic AD FS Configuration.

  8. Click Save.