Configuring single sign-on in ADAudit Plus using Active Directory Federation Services (AD FS)

Step 1: Configure ADAudit Plus in AD FS

Prerequisites

To configure AD FS for identity verification in ADAudit Plus, you need:

  1. An AD FS server installed. Detailed steps for installing and configuring AD FS can be found in this Microsoft article.
  2. An SSL certificate to sign your AD FS sign-in page, and the thumbprint of that certificate.
Configuration steps

Note: Only the Forms Authentication method is configured for users who access ADAudit Plus through AD FS authentication. You can view this setting in the AD FS console under Authentication Policies → Primary Authentication → Global Settings.

Claim rules and Relying Party Trust

During configuration, you will need to add a Relying Party Trust and create claim rules. A Relying Party Trust is created to establish the connection between two applications for authentication purposes by verifying claims.

In this case, AD FS will trust the relying party (ADAudit Plus) and authenticate users based on the claims generated. Claims are generated from claim rules by applying certain conditions on them. A claim is an attribute that is used for identifying an entity to establish access. For example, the Active Directory SAMAccountName.

  1. Open the AD FS Management console.
  2. The connection between AD FS and ADAudit Plus is created using a Relying Party Trust (RPT). Select the Relying Party Trusts folder.
  3. Click Actions > Add Relying Party Trust. When the Add Relying Party Trust Wizard opens, click Start.
  4. In the Select Data Source page, click Enter Data About the Party Manually, and click Next.
  5. In the Specify Display Name page, enter a display name of your choice and add notes if required. Click Next.
  6. In the Choose Profile page, select AD FS profile. Click Next.
  7. In the Configure Certificate page, the default settings are already applied. Click Next.
  8. In the Configure URL page, check the box next to Enable Support for the SAML 2.0 WebSSO protocol. The Relying party SAML 2.0 SSO service URL is the ACS URL of ADAudit Plus.

    Note: There is no trailing slash at the end of the URL. For example:

    https://ADAuditPlus-server/samlLogin/955060d15d6bb8166c13b8b6e10144e5f755c953

    To get the ACS URL value, open the ADAudit Plus console, navigate to Admin → Administration → Logon Settings → Single Sign-On. Check the box next to Enable Single Sign-On, and select SAML Authentication → Identity Provider (IdP) → ADFS. You can find the ACS URL/Recipient URL value here.

  9. In the Configure Identifiers page, in the Relying party trust identifier field, paste the Entity ID value.

    Note: To find the Entity ID value, log in to the ADAudit Plus console, navigate to Admin → Administration → Logon Settings → Single Sign-On. Check the box next to Enable Single Sign-On, and select SAML Authentication → Identity Provider (IdP) → ADFS. You can find the Entity ID value here.

  10. In the Configure Multi-factor Authentication Now? page, you can optionally configure multi-factor authentication settings for the relying party trust. Click Next.
  11. In the Choose Issuance Authorization Rules page, select Permit all users to access this relying party. Click Next.
  12. The next two pages display an overview of the settings you have configured. In the Finish page, click Close to exit the wizard.
  13. Keep the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option selected so that the Claim Rules editor opens automatically.
  14. In the Claim Rules editor, under the Issuance Transform Rules tab, click Add Rule.
  15. From the Claim rule template drop-down, select Send LDAP Attributes as Claims, and click Next.
  16. In the Configure claim rule page, enter a Claim rule name, and select Active Directory from the Attribute store drop-down. In the LDAP Attribute column, select User-Principal-Name. In the Outgoing Claim Type column, select Name ID, and click Finish.
  17. You can now view the rule that has been created. Click OK.
  18. Next, download the metadata file from the Identity Provider metadata link. For example: https://<server_name>/FederationMetadata/2007-06/FederationMetadata.xml

    Note: Replace <server_name> with the AD FS hostname. Save this file, as you will need it while configuring SAML authentication in ADAudit Plus.

  19. Navigate back to Relying Party Trusts, and find the relying party trust you created. Right-click it, and click Properties. In the window that opens, click Endpoints → Add SAML.
  20. In the Trusted URL field, paste the SP Logout URL, and click OK.

    Note: To get the SP Logout URL, open the ADAudit Plus console, navigate to Admin → Administration → Logon Settings → Single Sign-On. Check the box next to Enable Single Sign-On, and select SAML Authentication → Identity Provider (IdP) → ADFS. You can find the SP Logout URL value here.

  21. Next, click Signature, add the X.509 Certificate, and click OK.

    Note: To get the X.509 Certificate, open the ADAudit Plus console, navigate to Admin → Administration → Logon Settings → Single Sign-On. Check the box next to Enable Single Sign-On, and select SAML Authentication → Identity Provider (IdP) → ADFS. You can find the X.509 Certificate here.
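The same relying party trust, claim rules and endpoints as the console steps above, as an added example using the AD FS PowerShell module on the AD FS server (this is not code from the original page or from ManageEngine). The display name, URLs and certificate path are placeholders; the real ACS URL, Entity ID, SP Logout URL and X.509 certificate come from the ADAudit Plus Single Sign-On page.

```powershell
# Added example, not from the ManageEngine page. Run on the AD FS server as an
# administrator. Every value below is a placeholder to be replaced with the
# values shown in ADAudit Plus under Admin > Administration > Logon Settings >
# Single Sign-On > SAML Authentication > ADFS.
Import-Module ADFS

$displayName = 'ADAudit Plus'                                      # placeholder
$entityId    = 'https://ADAuditPlus-server/samlLogin/ENTITY-ID'     # placeholder
$acsUrl      = 'https://ADAuditPlus-server/samlLogin/ACS-ID'        # placeholder, no trailing slash
$spLogoutUrl = 'https://ADAuditPlus-server/samlLogout/LOGOUT-ID'    # placeholder
$spCertPath  = 'C:\temp\adauditplus-sp.cer'                         # placeholder: X.509 certificate exported from ADAudit Plus

# Issuance transform rule: what the "Send LDAP Attributes as Claims" template
# produces with User-Principal-Name mapped to the outgoing Name ID claim.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: "Permit all users to access this relying party".
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML endpoints: the ACS endpoint from the Configure URL page and the
# SP logout endpoint added under Endpoints > Add SAML (Trusted URL).
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $spLogoutUrl
)

# The ADAudit Plus X.509 certificate goes in as the request signing certificate
# (the Signature tab in the trust's properties).
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $spCertPath

Add-AdfsRelyingPartyTrust -Name $displayName -Identifier $entityId `
    -SamlEndpoint $endpoints `
    -RequestSigningCertificate $spCert `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Review what was created before moving on to Step 2.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, RequestSigningCertificate, IssuanceTransformRules
```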

Step 2: Configure AD FS in ADAudit Plus

Prerequisites

Enable RelayState in AD FS.

For Windows Server 2012:

  • Open the %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config file on your AD FS server.
  • In the <microsoft.identityServer.web> section, add the following element: <useRelayStateForIdpInitiatedSignOn enabled="true" />
    Sample code:
    <microsoft.identityServer.web>
    …..
    <useRelayStateForIdpInitiatedSignOn enabled="true" />
    </microsoft.identityServer.web>
  • Restart the AD FS server.

For Windows Server 2016:

  • Open an elevated PowerShell Prompt (right-click PowerShell, and select Run as administrator) in your AD FS server.
  • Run the following command to enable IdP-initiated SSO: Set-ADFSProperties -EnableIdPInitiatedSignonPage $true
  • Run the following command to enable RelayState: Set-ADFSProperties -EnableRelayStateForIDPInitiatedSignon $true
  • Restart the AD FS server.

Log in to the ADAudit Plus web console with admin credentials, and navigate to Admin → Administration → Logon Settings → Single Sign-On. Check the box next to Enable Single Sign-On, and select SAML Authentication → Identity Provider (IdP) → ADFS. Click Browse, and upload the metadata file you downloaded from AD FS in Step 1. Click Save.
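Before uploading the metadata file, it is worth checking that it really describes the intended AD FS server and which token-signing certificate ADAudit Plus will be trusting. The script below is an added example (not from the original page or from ManageEngine) that reads the FederationMetadata.xml downloaded in Step 1; the file path and the expected hostname are placeholders.

```powershell
# Added example, not from the ManageEngine page. Reads the AD FS
# FederationMetadata.xml downloaded in Step 1 and prints the values ADAudit Plus
# will take from it: IdP entity ID, SAML SSO/SLO endpoints and the token-signing
# certificate with its expiry date.
$metadataPath = 'C:\temp\FederationMetadata.xml'   # placeholder: where the metadata file was saved
$expectedHost = 'adfs.example.com'                 # placeholder: your AD FS hostname

[xml]$md = Get-Content -Path $metadataPath -Raw
$idp = $md.EntityDescriptor.IDPSSODescriptor

# Entity ID and endpoints; PowerShell's XML adapter matches elements by local
# name, so the SAML metadata namespaces do not need to be declared here.
"Entity ID : " + $md.EntityDescriptor.entityID
"SSO (POST): " + ($idp.SingleSignOnService | Where-Object { $_.Binding -like '*HTTP-POST' }).Location
"SLO (POST): " + ($idp.SingleLogoutService | Where-Object { $_.Binding -like '*HTTP-POST' }).Location

# KeyDescriptor use="signing" carries the token-signing certificate that
# validates the SAML responses ADAudit Plus receives. When AD FS rolls this
# certificate over, a fresh metadata file has to be uploaded to ADAudit Plus.
foreach ($kd in ($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' })) {
    $raw  = [Convert]::FromBase64String($kd.KeyInfo.X509Data.X509Certificate)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
    "Signing cert: {0}; thumbprint {1}; expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Token-signing certificate expires within 30 days; plan a metadata re-upload."
    }
}

# Flag a metadata file that was downloaded from somewhere other than the
# expected AD FS server.
if (([uri]$md.EntityDescriptor.entityID).Host -ne $expectedHost) {
    Write-Warning "Metadata entity ID does not point at $expectedHost; check the download source."
}
```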

Accessing ADAudit Plus through AD FS

  1. To access ADAudit Plus, use the following URL: https://<ADFSserver>/adfs/ls/idpinitiatedsignon.aspx

    Note: ADFSserver is the server on which AD FS is deployed.

  2. In the AD FS web console, select ADAudit Plus from the list of applications.
