
KB-5868: How to set up an ADFS trust relationship with Centrify

Centrify Identity Service, App Edition

12 April 2016 at 11:44 AM

Applies to: Centrify Identity Service version 15.10 and above

Question:

How do I configure a trust relationship so that an external service provider / host can communicate with the ADFS server in the domain?


Answer:

To set up the ADFS trust relationship:
  1. Retrieve the Service Provider Metadata URL from the target service provider / host.
  2. Go to the ADFS server, open the Add Relying Party Trust Wizard and paste this URL into the Federation metadata address field on the Data Source page.
  3. Click [ Next ] and accept all the default settings to finish the wizard.
    • (Optional) The Display Name for the relying party may be changed from the default.
  4. The Edit Claim Rules page will then open.
    • Click [ Add Rule ]  to open the Add Transform Claim Rule Wizard.
  5. Select Send LDAP Attributes as Claims from the Claim Rule Template dropdown and click [ Next ].
    • Enter a claim rule name and select Active Directory from the Attribute Store dropdown.
  6. Map the LDAP attributes to the outgoing claim types.
    • The user attributes provided here will be displayed in the user's account on the Centrify User Portal and Centrify Cloud Manager.
    • Supported attributes:
      • UserPrincipalName *REQUIRED*
      • Description
      • CanonicalName
      • DisplayName
      • EmailAddress
      • HomeNumber
      • LoginName
      • MobileNumber
      • OfficeNumber
    • (Note that while the UserPrincipalName is required and must be unique per user, the rest of the attributes are optional)
    • To map the information:
      1. Select the LDAP attribute from the dropdown (or manually enter one if the target attribute is not listed).
      2. Select a corresponding Outgoing Claim Type from the dropdown (or enter one if not listed).
      3. Click [ OK ]
    • If the attribute is manually entered, the LDAP attribute name and attribute display name (which corresponds to Outgoing Claim Type) must be taken from the following list:
    • When entering LDAP attributes, make sure to use a hyphen between each word, for example: Home-Phone.
  7. Click the [ Add Rule ] button again to create another claim rule:
    • This time select Send Group Membership as a Claim from the Claim Rule Template dropdown and click [ Next ].
    • Configure the claim rule as follows:
      1. Enter a claim rule name.
      2. Click [ Browse ] and select the target user group to be configured.
      3. Select Group in the Outgoing Claim Type dropdown.
      4. In the Outgoing Claim value textbox, enter the name of the ADFS group.
        • The counterpart in the federated tenant will need this group name to create the company's profile.
      5. Click [ Finish ] to complete the wizard.
  8. Repeat the above to add rules for all target ADFS groups.
  9. Change the Advanced properties of the newly created trust to use SHA-1:
    1. Right-click the newly created trust and select Properties.
    2. Click the Advanced tab.
    3. Select SHA-1 in the Secure hash algorithm dropdown.
    4. Click [ Apply ] then [ OK ]
  10. Verify that the newly created trust is now enabled.

Establishing the service provider signing certificate
  • ADFS must also be configured to trust the service provider signing certificate:
  1. Retrieve the service provider certificate from the federated tenant and install it in the Trusted Root Store of the local computer.
  2. Open PowerShell as an Administrator and run the commands appropriate to the ADFS version:
    • For ADFS 2.0
      • add-pssnapin Microsoft.Adfs.PowerShell
      • Set-ADFSRelyingPartyTrust -SigningCertificateRevocationCheck "None" -TargetIdentifier "CN=Centrify Customer ABC123"
    • For ADFS 3.0
      • Set-ADFSRelyingPartyTrust -SigningCertificateRevocationCheck "None" -TargetIdentifier "CN=Centrify Customer ABC123"
  • Notes:
    • Replace "CN=Centrify Customer ABC123" with the actual TargetIdentifier value of the Centrify tenant.
    • The TargetIdentifier needs to be the same name as the relying party identifier.
    • Setting -SigningCertificateRevocationCheck to "None" turns off revocation checking of the service provider's signing certificate for this relying party trust only; other trusts on the server keep their own setting.

Providing the Identity Provider metadata
  • The Identity Provider metadata must be sent to the service provider / host so they can create the company profile.
  • To get the Identity Provider metadata:
    1. On the ADFS server, open the Services directory and double-click Endpoints.
    2. Scroll to the Metadata section, and copy out the URL to pass to the service provider / host.

NameID Requirements
  • ADFS must support NameID Assertions of the SAML format "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
  • While these assertions are not strictly required for federation to function, if ADFS is not configured to support them, ADFS federation will fail with an ADFS error.

  • To configure NameID assertions in ADFS, two custom rules must be configured.
  • Examples of these rules are shown below:
Rule 1:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

Rule 2:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
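As an added example that is not part of this article or of Centrify's own tooling, the following PowerShell performs the wizard steps from the trust setup section and applies the two NameID rules above on an ADFS 3.0 server. The metadata URL, trust name, group name and group SID are placeholders, and mapping UserPrincipalName to the standard ADFS UPN claim type is an assumption; use whatever outgoing claim type the wizard offers for it in your environment.

```powershell
# Added example, not from the Centrify article: the same relying party trust
# configured with the ADFS 3.0 "Adfs" module instead of the wizard.
# All four values below are placeholders; take the real ones from your tenant.
$MetadataUrl = "https://<tenant>.example.com/saml/metadata"   # step 1
$TrustName   = "Centrify Identity Service"                     # display name, step 3
$GroupName   = "Centrify Users"                                # outgoing claim value, step 7
$GroupSid    = "S-1-5-21-PLACEHOLDER-1234"                     # SID of the AD group, step 7

# Steps 2-3: create the trust from the service provider's metadata.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl

# Steps 5-7 plus the two NameID rules. Mapping UserPrincipalName to the
# standard ADFS UPN claim type is an assumption; use the outgoing claim type
# the wizard offers for it. Add one EmitGroupClaims rule per group (step 8).
$Rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Centrify user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Centrify group $GroupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$GroupName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "NameID rule 1 - mail lookup"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "NameID rule 2 - emailAddress NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Step 9 (SHA-1, as the article requires) and the revocation-check setting from
# the signing certificate section. -IssuanceTransformRules replaces the trust's
# whole rule set, so every rule must be present in $Rules.
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules $Rules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -SigningCertificateRevocationCheck "None"

# Step 10: confirm the trust is enabled and review what was applied.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Enabled, Identifier, SignatureAlgorithm, SigningCertificateRevocationCheck

# Identity Provider metadata URL to hand to the service provider / host.
Get-AdfsEndpoint | Where-Object { $_.AddressPath -like "*FederationMetadata*" } | Select-Object FullUrl
```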
 
