Identity Cloud

Set up a federation provider

For the latest documentation for Microsoft Azure or Microsoft ADFS, please refer to Microsoft documentation.

Set up Microsoft ADFS as a federation identity provider

Prerequisites

Before setting up Microsoft ADFS as a federation identity provider, make sure the following requirements are met:

  1. Set up a self-hosted instance of Microsoft ADFS version 4.0, running on Windows Server 2016 or higher.

  2. Set up an Identity Cloud tenant: Getting started with ForgeRock Identity Cloud

  3. Assign administrators in Identity Cloud to the ADFS instance: Invite and view administrators

To use Microsoft ADFS as a federation identity provider, you need to create a Relying Party Trust. The trust is a set of identifiers, names, and rules that identify the partner or web application to the Federation Service.

Afterwards, you need to create an application group that uses single sign-on (SSO) to access systems that are outside the corporate firewall.

Create a Relying Party Trust

  1. Open the Server Manager console.

  2. In AD FS Management, select Tools > AD FS.

  3. On the AD FS dialog, in the left panel, click Relying Party Trusts.

  4. In the Actions pane, select Add Relying Party Trust.

  5. Complete the Add Relying Party Trust wizard as follows:

    1. On the Welcome page, select Claims aware.

    2. On the Select Data Source page, select Enter data about the relying party manually.

    3. On the Specify Display Name page, enter a display name.

    4. Step through the wizard until you reach the Configure Identifiers page.

    5. On the Configure Identifiers page, add your tenant URLs as relying party trust identifiers:

      • For a demo or sandbox environment: https://openam-your-env.forgeblocks.com/am.

      • For a customer environment: https://openam-your-env.id.forgerock.io/am.

    6. On the Choose Access Control Policy page, select the appropriate settings according to your corporate policy.

    7. Step through the wizard until you reach the Finish page and complete the wizard.

Create an Application Group

  1. In the AD FS editor, select Application Groups.

  2. In the Actions pane, select Add Application Group.

  3. Complete the Add Application Groups wizard as follows:

    1. On the Welcome page: provide a name and a description and select the Server application accessing a web API template.

    2. On the Server application page:

      • Accept the proposed Name.

      • Note the Client Identifier.

      • Add these tenant Redirect URIs, and click Next:

        • For a demo or sandbox environment: https://openam-your-env.forgeblocks.com/login/admin.

        • For a customer environment: https://openam-your-env.id.forgerock.io/login/admin.

    3. On the Configure Application Credentials page:

      • Select Generate a shared secret.

      • Use the Copy to clipboard button to copy the secret.

    4. Click Next.

    5. On the Configure Web API page, add the client identifier you noted earlier.

    6. Click Next.

    7. On the Choose Access Control Policy page, select the appropriate settings according to your corporate policy.

    8. Click Next.

    9. On the Configure Application Permissions page, check the following permitted scopes:

      • allatclaims

      • email

      • openid

      • profile

    10. Click Next.

    11. On the Summary page, review your selections.

    12. Click Next.

    13. On the Complete page, select Close.

Include additional identity claims in tokens

Perform the following steps to instruct Microsoft ADFS to include the additional claims that Identity Cloud requires in the tokens it issues.

  1. In the AD FS editor, select Application Groups.

  2. In the Actions pane, select Add Application Group.

  3. Double-click your application group.

  4. In the Applications section, in the Web API area, select your application, and click Edit.

  5. Click the Issuance Transform Rules tab.

  6. Click Add Rule.

  7. To include Active Directory attributes of the users that are accessing Identity Cloud, in the Claim rule template drop-down field, select Send LDAP Attributes as Claims.

  8. In the Claim rule name field, enter a name for the claim rule. For example, enter Profile Attributes.

  9. In the Attribute store drop-down field, select Active Directory.

  10. To map LDAP attributes to name spaces in Identity Cloud, in the Mapping of LDAP attributes to outgoing claim types section:

    1. In the LDAP Attribute (Select or type to add more) column, click the drop-down field and select E-Mail Addresses.

    2. In the Outgoing Claim Type (Select or type to add more) column, enter mail.

    3. In the LDAP Attribute (Select or type to add more) column, click the drop-down field and select Given-Name.

    4. In the Outgoing Claim Type (Select or type to add more) column, enter givenName.

    5. In the LDAP Attribute (Select or type to add more) column, click the drop-down field and select Surname.

    6. In the Outgoing Claim Type (Select or type to add more) column, enter sn.

  11. Click Finish.

  12. On the Issuance Transform Rules tab, click Apply.

  13. Click OK.

  14. Click OK again.
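For reference, this is the rule that the Send LDAP Attributes as Claims template writes for the mapping in step 10, expressed in AD FS claim rule language. It is an added example, not text from this page; the rule name assumes the Profile Attributes example from step 8, and the outgoing claim types are the three entered in step 10. You can compare it with what the wizard produced by opening the rule and clicking View Rule Language.

```text
@RuleTemplate = "LdapClaims"
@RuleName = "Profile Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("mail", "givenName", "sn"), query = ";mail,givenName,sn;{0}", param = c.Value);
```

The condition on the left only matches a Windows account name asserted by the AD authority, so the lookup runs for the authenticated user and nothing else; the query then reads the three LDAP attributes for that account and issues them under the outgoing claim type names (mail, givenName, sn) that Identity Cloud expects. The allatclaims scope permitted in the application group is what causes these claims to be placed in the access token as well as the id_token.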

Obtain the well-known endpoint for the ADFS Open ID Connect service

  1. In the AD FS editor, select Service > Endpoints.

  2. In the middle pane, scroll down to the OpenID Connect section.

  3. In the OpenID Connect section, note the URL path. The well-known endpoint URL is the host name of the machine running ADFS followed by the URL path you just noted.

Set up Microsoft Azure AD as a federation identity provider

Prerequisites

Before setting up Microsoft Azure AD as a federation identity provider, make sure the following requirements are met:

  1. Set up a self-hosted instance of Microsoft Azure AD.

  2. Set up an Identity Cloud tenant: Getting started with ForgeRock Identity Cloud

  3. Assign administrators in Identity Cloud to the ADFS instance: Invite and view administrators

Configure Microsoft Azure AD as a federation provider

  1. In a browser, navigate to the Microsoft Azure portal dashboard.

  2. On the Azure Active Directory admin center page, navigate to Azure Active Directory > App registrations.

  3. Click + New registration.

  4. On the Register an application page, enter the application Name.

  5. Select one or more Supported account types.

  6. In the Redirect URI (optional) section, in the drop-down list, select Web.

  7. Enter the Redirect URI (from the Redirect URL field on the Identity Cloud Azure page).

  8. Click Register.

  9. Click Add a certificate or secret.

  10. Add a new client secret.

  11. Copy or make note of your application client ID and client secret.

  12. Save your changes.

  13. On the Azure Active Directory admin center page, navigate to Azure Active Directory > App registrations.

  14. Click Endpoints at the top of the page.

  15. Make note of your OpenID Connect metadata document endpoint, ensuring it contains your Azure tenant ID. For example: https://login.microsoftonline.com/XXXXXX/v2.0/.well-known/openid-configuration.
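Before registering either provider in Identity Cloud, it is worth checking the metadata you just noted: the ADFS well-known endpoint and the Azure AD OpenID Connect metadata document from step 15 both return an OpenID Connect discovery document. The script below is an added example (not ForgeRock or Microsoft code) that validates such a document and then checks a decoded id_token for the claims mapped in the ADFS issuance transform rule. The hostname adfs.example.com, the client identifier and tenant ID placeholders, and the discovery documents and token payload are all constructed for the example; in practice you would load the document from the endpoint URL you noted.

```python
"""Pre-flight check for the OIDC metadata that ADFS or Azure AD publishes.

Added example, not ForgeRock or Microsoft code. It validates the discovery
document from the ADFS well-known endpoint or the Azure AD OpenID Connect
metadata document before the provider is registered in Identity Cloud, and
checks that a decoded id_token carries the claims mapped in the issuance
transform rule. All hostnames, IDs and documents below are constructed.
"""
from urllib.parse import urlparse

# Scopes permitted on the ADFS application group.
ADFS_SCOPES = {"allatclaims", "email", "openid", "profile"}
# Outgoing claim types mapped from LDAP attributes in the issuance transform rule.
MAPPED_CLAIMS = {"mail", "givenName", "sn"}


def check_discovery(doc, expected_host, required_scopes, expected_tenant=None):
    """Return a list of problems with a discovery document; [] means it is usable."""
    problems = []
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https":
        problems.append("issuer must be https")
    if issuer.hostname != expected_host:
        problems.append(f"issuer host {issuer.hostname!r} is not {expected_host!r}")
    # For Azure AD, a tenant-agnostic ('common') document has no tenant ID in its
    # issuer, so tokens from any tenant would pass a plain issuer comparison.
    if expected_tenant and expected_tenant not in issuer.path:
        problems.append("issuer does not contain the expected tenant ID")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).hostname != issuer.hostname:
            problems.append(f"{key} is not on the issuer host")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    missing = set(required_scopes) - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


def check_id_token_claims(payload, issuer, client_id):
    """Check a decoded id_token payload against the provider and the claim mapping.

    Signature verification against jwks_uri is out of scope here and must be
    done before any of these claims are trusted.
    """
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss does not match the discovery issuer")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the client identifier")
    missing = MAPPED_CLAIMS - set(payload)
    if missing:
        problems.append("mapped claims absent: " + ", ".join(sorted(missing)))
    return problems


# Constructed ADFS discovery document for a placeholder host.
ADFS_DOC = {
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "allatclaims"],
}

# Constructed Azure AD document in the tenant-agnostic form (no tenant ID in issuer).
AZURE_COMMON_DOC = {
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
AZURE_TENANT_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed id_token payload as it would look once decoded after a test login.
CLIENT_ID_PLACEHOLDER = "client-identifier-placeholder"
SAMPLE_ID_TOKEN = {
    "iss": "https://adfs.example.com/adfs",
    "aud": CLIENT_ID_PLACEHOLDER,
    "sub": "S-1-5-21-0-0-0-1001",
    "mail": "jdoe@example.com",
    "givenName": "Jane",
    "sn": "Doe",
}

if __name__ == "__main__":
    print("ADFS metadata:", check_discovery(ADFS_DOC, "adfs.example.com", ADFS_SCOPES) or "ok")
    print("Azure 'common' metadata:", check_discovery(
        AZURE_COMMON_DOC, "login.microsoftonline.com", {"openid", "profile", "email"},
        expected_tenant=AZURE_TENANT_PLACEHOLDER))
    print("id_token claims:", check_id_token_claims(
        SAMPLE_ID_TOKEN, ADFS_DOC["issuer"], CLIENT_ID_PLACEHOLDER) or "ok")
```

The tenant check is the point of step 15: an Azure metadata document without your tenant ID in its issuer is the multi-tenant form, and a provider configured from it would accept sign-ins from any Azure AD tenant. The endpoint host check guards against a document whose token or JWKS URLs point somewhere other than the issuer, and the id_token check confirms that the mail, givenName and sn claims actually arrive, which is the quickest way to tell whether the issuance transform rule is applied to the right Web API.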

Copyright © 2010-2023 ForgeRock, all rights reserved.