
Connect ADFS

Before you start

  1. The "Active Directory Federation Services" role must be installed.

  2. In Server Manager, the "AD FS" entry under Roles and Server Groups must show no errors.

Start AD FS Configuration

Must-have configuration

  1. Service -> Attribute store: Active Directory

  2. Authentication methods: none is preset; at least one must be enabled

  3. The standard endpoints for OAuth and OIDC must be available:

  • OpenID Connect Discovery

  • OpenID Connect JWKS

  • OAuth
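The three must-have items above can be verified from a PowerShell session on the AD FS server instead of clicking through the console. The following script is an added example and is not part of the Qiata documentation or the AD FS product; it assumes the ADFS PowerShell module is available and that the caller has AD FS administrator rights. The endpoint address paths are the standard AD FS paths for discovery, JWKS and OAuth2.

```powershell
# Added example (not from the Qiata documentation): checks the "must-have" AD FS
# settings listed above. Assumes the ADFS module and AD FS admin rights.

Import-Module ADFS

function Test-QiataAdfsPrerequisites {
    $ok = $true

    # 1. Attribute store: the built-in "Active Directory" store must exist.
    $store = Get-AdfsAttributeStore | Where-Object { $_.Name -eq 'Active Directory' }
    if (-not $store) {
        Write-Warning 'Attribute store "Active Directory" not found'
        $ok = $false
    }

    # 2. Authentication methods: at least one primary provider (intranet or extranet).
    $policy  = Get-AdfsGlobalAuthenticationPolicy
    $primary = @($policy.PrimaryIntranetAuthenticationProvider) +
               @($policy.PrimaryExtranetAuthenticationProvider)
    if ($primary.Count -eq 0) {
        Write-Warning 'No primary authentication method is enabled'
        $ok = $false
    } else {
        Write-Host "Primary authentication methods: $($primary -join ', ')"
    }

    # 3. Standard OIDC/OAuth endpoints: discovery, JWKS and the OAuth2 endpoint.
    $required  = @('/adfs/.well-known/openid-configuration',
                   '/adfs/discovery/keys',
                   '/adfs/oauth2/')
    $endpoints = Get-AdfsEndpoint
    foreach ($path in $required) {
        $ep = $endpoints | Where-Object { $_.AddressPath -eq $path }
        if (-not $ep) {
            Write-Warning "Endpoint $path not found"
            $ok = $false
            continue
        }
        if (-not $ep.Enabled) {
            Write-Warning "Endpoint $path is disabled (enable it with Enable-AdfsEndpoint -TargetAddressPath '$path')"
            $ok = $false
        }
        # Only relevant when Qiata users reach AD FS through a Web Application Proxy.
        if (-not $ep.Proxy) {
            Write-Warning "Endpoint $path is not published on the proxy"
        }
    }
    return $ok
}

Test-QiataAdfsPrerequisites
```

A return value of True means all three items are in place; each warning names the item that still needs attention in the AD FS Management console. The proxy check is informational only, because an internal-only Qiata does not need the endpoints on the Web Application Proxy.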

Windows Server (AD FS) Configuration

Registering a new client configuration​

  1. Open the "AD FS Management" console.

  2. Click the Application Groups area. From the menu, select Actions -> Add Application Group.

Add Application Group

  1. Assign a name and, optionally, a description.

  2. Select Web browser accessing a web application as the template.

Application Group Wizard

  1. Click Next.

  2. Make a note of the Client Identifier generated automatically by the system; it is entered later as the ClientID in Qiata.

  3. Enter the Redirect URI of your Qiata (https://QIATAFQDN/v2/login). If Qiata is also reached by IP address, add that form as well (https://IP/v2/login).

Application Group configuration

  1. Click Add.

  2. Click Next.

  3. Select the desired Access Control Policy. In our example we use the policy Permit everyone (shown as Grant access to everyone in some UI languages).

  4. Click Next and finish the creation.

Edit web application

  1. Open your newly created Application Group again.

  2. Click NAME - Web application and select Edit...

Edit Web Application

  1. Switch to the Issuance Transform Rules tab and click Add Rule.

Add Transform Rule

  1. Select Send LDAP Attributes as Claims as the Claim rule template.

  2. Click Next.

Set up Transform Rule

  1. Choose a name for the claim rule.

  2. Select Active Directory as the Attribute store.

  3. Add the LDAP attribute E-Mail-Addresses with the outgoing claim type E-Mail Address.

  4. Add the LDAP attribute Is-Member-Of-DL with the outgoing claim type Group.

info

If you want to use a different claim as the Group Claim, you have to define it here as a transform rule. Values such as physicalDeliveryOfficeName (Office) are also possible, for example.

  1. Finally click Finish and then Apply.

Add CORS header

Web browser security prevents a web page from making cross-origin requests from scripts. With CORS, a server can explicitly allow some cross-origin requests while denying others.

By default, CORS functionality is not enabled. Administrators can enable the functionality using the Set-AdfsResponseHeaders cmdlet.

To do this, open PowerShell on the AD FS server and enter the following command:

Set-AdfsResponseHeaders -EnableCORS $true

The same cmdlet sets the list of trusted origins. Use the following command to add the FQDN and the IP address of your Qiata (an origin is scheme and host only, without a path):

Set-AdfsResponseHeaders -CORSTrustedOrigins https://demo.secudos.com, https://192.168.2.1
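Because the trusted-origin list is what allows a browser page on Qiata to call AD FS cross-origin, it is worth validating the entries before applying them and reading the result back. The following function is an added example, not part of the Qiata documentation; it assumes the ADFS module and that Get-AdfsResponseHeaders exposes the EnableCORS and CORSTrustedOrigins properties. The origin list is the page's own sample values.

```powershell
# Added example (not from the Qiata documentation): validates the Qiata origins,
# applies them with Set-AdfsResponseHeaders, and reads the configuration back.
# Assumes the ADFS module; origin values are the page's sample FQDN and IP.

Import-Module ADFS

function Set-QiataCorsOrigins {
    param([Parameter(Mandatory)][string[]]$Origins)

    foreach ($o in $Origins) {
        $uri = $null
        # A CORS origin is scheme://host[:port] only: absolute, https, no path,
        # no query and no wildcard. Anything else is refused before it reaches AD FS.
        $parses = [Uri]::TryCreate($o, [UriKind]::Absolute, [ref]$uri)
        if (-not $parses -or $uri.Scheme -ne 'https' -or
            $o -notmatch '^https://[^/*?#]+$') {
            throw "Refusing CORS origin '$o': expected https://<host>[:port] with no path or wildcard"
        }
    }

    # Set-AdfsResponseHeaders assigns the whole list, so every origin is passed in one call.
    Set-AdfsResponseHeaders -EnableCORS $true
    Set-AdfsResponseHeaders -CORSTrustedOrigins $Origins

    # Read back what AD FS now has configured (assumed property names).
    $headers = Get-AdfsResponseHeaders
    [pscustomobject]@{
        EnableCORS         = $headers.EnableCORS
        CORSTrustedOrigins = $headers.CORSTrustedOrigins
    }
}

# Sample origins taken from the page; replace with your own Qiata FQDN and IP.
$QiataOrigins = @('https://demo.secudos.com', 'https://192.168.2.1')
Set-QiataCorsOrigins -Origins $QiataOrigins
```

The function throws on an origin with a path (such as https://demo.secudos.com/v2/login), on plain http, and on wildcards, all of which would either fail to match the browser's Origin header or open AD FS to more origins than intended. The object it returns should list exactly the Qiata origins and nothing else.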

Qiata Configuration

New OIDC Provider

Log in to the system as Company Administrator and navigate to Company -> OpenID Connect. Then fill in the form:

  1. OpenID Connect Provider

Choose between the provider types AzureAD and AD FS. For our example, select the AD FS type.

  2. Login Button Name

Choose a name for the login button that is displayed to users on the login page or in the Secure Desktop Client (SDC).

note

The name must not contain spaces and may be at most 20 characters long.

  3. Metadata document URI

Enter the URI of the OpenID Connect metadata (discovery) document here. In our example this is https://s1.secudos.com/adfs/.well-known/openid-configuration.

  4. ClientID

Enter the ClientID here. It was generated by the server when the client configuration was created (the Client Identifier noted earlier).

  5. Group Claim

The Group Claim field holds the name of the claim whose value identifies users so that they can be assigned to the appropriate group; it links the provider to the groups. In our example we chose the claim group.

tip

The value of the claim (for example the group CN=Technik,CN=Users,DC=secudos,DC=com) is required for authentication and for assignment to a group. This value is configured on the particular group into which the user is to be created, or under whose policies the user is to act. Note that the claim is only present if you have also defined the corresponding issuance transform rule on the server.

  6. Scopes

The scopes for the respective provider are created automatically by the system. No input is necessary here.

  7. Convert Existing Accounts

If user accounts already exist (LOCAL or LDAP), they can be converted to OIDC accounts with the Convert Existing Accounts function.

caution

Converting users detaches them from their previous login procedures. For example, a user converted from LOCAL to OIDC can no longer authenticate via the local route.

  8. Enforce login provider

If you want to force a specific login type, select it here. If No is selected, the user can choose the login type themselves; if any other value is selected, that login type is enforced.

warning

This setting applies only to users of the Secure Desktop Client (SDC).

Assign a group

Add new group with claim

After the provider has been registered, the Group Claim value must be added to one or more groups. This is mandatory for the registration.

To do this, create a new group via System -> New Group. Choose a Group Name and activate OIDC Authentication. After activation a new field appears for entering the Group Claim. Insert here the value that the provider sends. Our example is based on the group's distinguished name, in this case CN=Technik,CN=Users,DC=secudos,DC=com. When the Group Claim is Group, the Group Claim value must always be specified as a DN (Distinguished Name).

info

Any user who now reaches Qiata correctly authenticated and carrying the Group Claim "CN=Technik,CN=Users,DC=secudos,DC=com" is automatically created in the new group and is thus subject to the group's policies.

Finally, click Save to save the group.

caution

Please note that the LDAP Authentication and Automatically Sign-Up Users functions are not compatible with OIDC Authentication.

How to get the Distinguished Name (DN)

Advanced Features

First, enable Advanced Features in the Active Directory Users and Computers settings. To do this, navigate to View and then activate Advanced Features.

Distinguished Name Group

Now open the properties of the group (double-click) and switch to the Attribute Editor tab. Look there for the attribute distinguishedName. Its value (in the example CN=QiataGroup,DC=secudos,DC=com) is the string to use as the group claim.
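The DN can also be read with the ActiveDirectory module instead of the Attribute Editor, and once the group is configured it is useful to confirm that the id_token AD FS issues really carries that DN under the claim name Qiata reads. Both steps from the "Assign a group" and "How to get the Distinguished Name" sections are covered by the following added example, which is not part of the Qiata documentation. It assumes the RSAT ActiveDirectory module for Get-ADGroup; the token at the end is a constructed sample with a placeholder header and signature, used only to demonstrate the decoding, and the function performs no signature verification.

```powershell
# Added example (not from the Qiata documentation): looks up a group DN with the
# ActiveDirectory module and checks that an id_token carries that DN in the
# configured Group Claim. Assumes RSAT ActiveDirectory; the token is constructed.

function Get-QiataGroupClaimValue {
    param([Parameter(Mandatory)][string]$GroupName)
    # The DN returned here is exactly the string to enter as Group Claim in Qiata.
    (Get-ADGroup -Identity $GroupName).DistinguishedName
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # Decodes the payload (second segment) of a JWT: base64url -> base64, re-pad, UTF-8 JSON.
    # This only decodes; it does not verify the signature, so use it to inspect claims, not to trust them.
    $payload = ($Jwt -split '\.')[1]
    $b64 = $payload.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-QiataGroupClaim {
    param(
        [Parameter(Mandatory)][string]$IdToken,
        [Parameter(Mandatory)][string]$ExpectedDn,
        [string]$ClaimName = 'group'   # the Group Claim configured in Qiata (page example: group)
    )
    $claims = ConvertFrom-JwtPayload -Jwt $IdToken
    # AD FS emits a single string when the user is in one group and an array for several.
    $groups = @($claims.$ClaimName)
    if ($groups.Count -eq 0) {
        Write-Warning "Claim '$ClaimName' is missing: check the issuance transform rule on AD FS"
        return $false
    }
    # DNs are compared case-insensitively.
    return (@($groups | Where-Object { $_ -ieq $ExpectedDn }).Count -gt 0)
}

# Constructed sample token: a payload of the shape AD FS issues for the page's example group,
# with a placeholder header and signature. A real token comes from the AD FS token endpoint.
$payloadJson = '{"aud":"<client-id-placeholder>","iss":"https://s1.secudos.com/adfs",' +
               '"email":"user@secudos.com",' +
               '"group":["CN=Technik,CN=Users,DC=secudos,DC=com","CN=Domain Users,CN=Users,DC=secudos,DC=com"]}'
$payloadB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payloadJson)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$SampleIdToken = "eyJhbGciOiJSUzI1NiJ9.$payloadB64.signature-placeholder"

# On a domain-joined host with RSAT: Get-QiataGroupClaimValue -GroupName 'Technik'
Test-QiataGroupClaim -IdToken $SampleIdToken -ExpectedDn 'CN=Technik,CN=Users,DC=secudos,DC=com'
```

If the check returns False although the user is a member of the group, the usual causes are the transform rule not yet applied on AD FS (the group claim is absent from the token) or a Group Claim entered in Qiata that is not the exact DN, for example the group's display name instead of CN=...,DC=... .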