Set up a federation provider
For the latest documentation for Microsoft Azure or Microsoft ADFS, please refer to Microsoft documentation.
Set up Microsoft ADFS as a federation identity provider
Prerequisites
Before setting up Microsoft ADFS as a federation identity provider, make sure the following requirements are met:
- Set up a self-hosted instance of Microsoft ADFS version 4.0, running on Windows Server 2016 or higher.
- Set up an Identity Cloud tenant: Getting started with ForgeRock Identity Cloud
- Assign administrators in Identity Cloud to the ADFS instance: Invite and view administrators
To use Microsoft ADFS as a federation identity provider, you need to create a Relying Party Trust. The trust is a set of identifiers, names, and rules that identify the partner or web application to the Federation Service.
Afterwards, you need to create an application group that uses single sign-on (SSO) to access systems that are outside the corporate firewall.
Create a Relying Party Trust
- Open the Server Manager console.
- In AD FS Management, select Tools > AD FS.
- On the AD FS dialog, in the left panel, click Relying Party Trusts.
- In the Actions pane, select Add Relying Party Trust.
- Complete the Add Relying Party Trust wizard as follows:
  - On the Welcome page, select Claims aware.
  - On the Select Data Source page, select Enter data about the relying party manually.
  - On the Specify Display Name page, enter a display name.
  - Step through the wizard until you reach the Configure Identifiers page.
  - On the Configure Identifiers page, add your tenant URLs as relying party trust identifiers:
    - For a demo or sandbox environment: https://openam-your-env.forgeblocks.com/am.
    - For a customer environment: https://openam-your-env.id.forgerock.io/am.
  - On the Choose Access Control Policy page, select the appropriate settings according to your corporate policy.
  - Step through the wizard until you reach the Finish page and complete the wizard.
Create an Application Group
- In the AD FS editor, select Application Groups.
- In the Actions pane, select Add Application Group.
- Complete the Add Application Groups wizard as follows:
  - On the Welcome page, provide a name and a description and select the Server application accessing a web API template.
  - On the Server application page:
    - Accept the proposed Name.
    - Note the Client Identifier.
    - Add these tenant Redirect URIs, and click Next:
      - For a demo or sandbox environment: https://openam-your-env.forgeblocks.com/login/admin.
      - For a customer environment: https://openam-your-env.id.forgerock.io/login/admin.
  - On the Configure Application Credentials page:
    - Select Generate a shared secret.
    - Use the Copy to clipboard button to copy the secret.
  - Click Next.
  - On the Configure Web API page, add the client identifier you noted earlier.
  - Click Next.
  - On the Choose Access Control Policy page, select the appropriate settings according to your corporate policy.
  - Click Next.
  - On the Configure Application Permissions page, check the following permitted scopes:
    - allatclaims
    - email
    - openid
    - profile
  - Click Next.
  - On the Summary page, review your selections.
  - Click Next.
  - On the Complete page, select Close.
Include additional identity claims in tokens
Perform the following steps to instruct Microsoft ADFS to include the additional identity claims that Identity Cloud requires in the tokens it issues.
- In the AD FS editor, select Application Groups.
- In the Actions pane, select Add Application Group.
- Double-click your application group.
- In the Applications section, in the Web API area, select your application, and click Edit.
- Click the Issuance Transform Rules tab.
- Click Add Rule.
- To include Active Directory attributes of the users that are accessing Identity Cloud, in the Claim rule template drop-down field, select Send LDAP Attributes as Claims.
- In the Claim rule name field, enter a name for the claim rule. For example, enter Profile Attributes.
- In the Attribute store drop-down field, select Active Directory.
- To map LDAP attributes to namespaces in Identity Cloud, in the Mapping of LDAP attributes to outgoing claim types section:
  - In the LDAP Attribute (Select or type to add more) column, click the drop-down field and select E-Mail Addresses.
  - In the Outgoing Claim Type (Select or type to add more) column, enter mail.
  - In the LDAP Attribute (Select or type to add more) column, click the drop-down field and select Given-Name.
  - In the Outgoing Claim Type (Select or type to add more) column, enter givenName.
  - In the LDAP Attribute (Select or type to add more) column, click the drop-down field and select Surname.
  - In the Outgoing Claim Type (Select or type to add more) column, enter sn.
- Click Finish.
- On the Issuance Transform Rules tab, click Apply.
- Click OK.
- Click OK again.
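Once the Profile Attributes rule is applied, a quick way to confirm that the mail, givenName and sn claims actually reach the ID token is to inspect a token issued to the application group. The following Python is an added example, not part of this page or of the ForgeRock product; it assumes the OIDC client library has already verified the token signature against the provider's jwks_uri keys (this block only parses and audits claims), and the sample token, issuer URL and client identifier are constructed placeholders.

```python
import base64
import json
import time

# Outgoing claim types configured in the "Profile Attributes" issuance transform rule
REQUIRED_CLAIMS = ("mail", "givenName", "sn")

def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token):
    """Return the claims of a compact JWT. This only parses: signature validation against the
    keys at jwks_uri is assumed to have been done already by the OIDC client library."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def audit_id_token(claims, expected_issuer, client_id, now=None):
    """List what would make Identity Cloud reject the token or mis-profile the user; empty list is OK."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != {expected_issuer!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:  # a token minted for another relying party must not be accepted
        problems.append(f"aud {aud} does not contain client identifier {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"claim {name!r} missing: check the Send LDAP Attributes rule")
    return problems

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token (placeholder issuer, client identifier and user; signature segment is a stand-in)
SAMPLE_CLAIMS = {
    "iss": "https://adfs.example.com/adfs", "aud": "0000-client-identifier-from-wizard",
    "sub": "S-1-5-21-1-2-3-1001", "exp": 4102444800, "upn": "alice@example.com",
    "mail": "alice@example.com", "givenName": "Alice", "sn": "Example",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "signature-placeholder",
])
```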
Obtain the well-known endpoint for the ADFS Open ID Connect service
- In the AD FS editor, select Service > Endpoints.
- In the middle pane, scroll down to the OpenID Connect section.
- In the OpenID Connect section, note the URL path. The well-known endpoint URL is the host name of the machine running ADFS followed by the URL path you just noted.
Set up Microsoft Azure AD as a federation identity provider
Prerequisites
Before setting up Microsoft Azure AD as a federation identity provider, make sure the following requirements are met:
- Set up a self-hosted instance of Microsoft Azure AD.
- Set up an Identity Cloud tenant: Getting started with ForgeRock Identity Cloud
- Assign administrators in Identity Cloud to the ADFS instance: Invite and view administrators
Configure Microsoft Azure AD as a federation provider
- In a browser, navigate to the Microsoft Azure portal dashboard.
- On the Azure Active Directory admin center page, navigate to Azure Active Directory > App registrations.
- Click + New registration.
- On the Register an application page, enter the application Name.
- Select one or more Supported account types.
- In the Redirect URI (optional) section, in the drop-down list, select Web.
- Enter the Redirect URI (from the Redirect URL field on the Identity Cloud Azure page).
- Click Register.
- Click Add a certificate or secret.
- Add a new client secret.
- Copy or make note of your application client ID and client secret.
- Save your changes.
- On the Azure Active Directory admin center page, navigate to Azure Active Directory > App registrations.
- Click Endpoints at the top of the page.
- Make note of your OpenID Connect metadata document endpoint, ensuring it contains your Azure tenant ID. For example: https://login.microsoftonline.com/XXXXXX/v2.0/.well-known/openid-configuration.
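For both the ADFS well-known endpoint noted under Service > Endpoints and the Azure AD metadata document above, the following Python (an added example, not ForgeRock or Microsoft code) builds the discovery URL and checks that the document advertises the endpoints Identity Cloud needs and the four permitted scopes granted to the application group. The host name, tenant ID and sample document are constructed placeholders; the default ADFS discovery path is an assumption, so substitute the path you noted if it differs.

```python
import json
import urllib.request

# Scopes the application group was granted on the Configure Application Permissions page
REQUIRED_SCOPES = {"openid", "email", "profile", "allatclaims"}
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def adfs_well_known_url(adfs_host, url_path="/adfs/.well-known/openid-configuration"):
    """ADFS host name + the OpenID Connect URL path noted under Service > Endpoints (default ADFS path assumed)."""
    return f"https://{adfs_host}/{url_path.lstrip('/')}"

def azure_well_known_url(tenant_id):
    """Azure AD metadata document URL; refuse an empty tenant ID or the XXXXXX placeholder."""
    if not tenant_id or set(tenant_id.upper()) <= {"X"}:
        raise ValueError("tenant ID missing or still a placeholder")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"

def fetch_discovery(url):
    """Download and parse a discovery document (needs network access to the provider)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def check_discovery(doc, expected_issuer):
    """Return problems that would break the federation setup; an empty list means the document is usable."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in doc]
    for field in REQUIRED_FIELDS:
        value = doc.get(field, "")
        # The client secret is posted to the token endpoint, so a plain http URL is a finding
        if value and not value.startswith("https://"):
            problems.append(f"{field} is not https: {value}")
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code response type not supported")
    return problems

# Constructed sample of an ADFS discovery document (placeholder host, not captured from a real server)
SAMPLE_ADFS_DOC = {
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "scopes_supported": ["openid", "email", "profile", "allatclaims"],
    "response_types_supported": ["code", "id_token", "code id_token"],
}
```

Against a live provider, pass the output of fetch_discovery() to check_discovery() with the issuer value you expect for that host or tenant.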