ADFS

Connect using ADFS

This guide assumes that you already have an ADFS server configured (including a valid SSL certificate) and that it already serves one or more relying party trusts (such as web applications that need identity services).

  • First check that the server is properly configured for SAML metadata exchange by requesting the federation metadata endpoint. The metadata URL is https://your-org-name.com/FederationMetadata/2007-06/FederationMetadata.xml (replace your-org-name.com with the federation service name of your ADFS instance, i.e. the host name shown by Get-AdfsProperties, which is not necessarily the organisation's domain). The document must be served over a valid TLS chain; if your client reports a certificate error, fix the certificate rather than bypassing validation, because the same certificate problem will break your relying parties and the broker connection.

  • Use the metadata file from the step above, exactly as described in the generic flow for using SAML 2.0, to connect to the Connectis Identity Broker. Please note that Artifact binding can be hard to configure in ADFS and has certain limitations; external guides on ADFS Artifact binding may be useful if you need it. Your metadata describes your endpoints and your signing certificate, so if you change the endpoint configuration (or the token-signing certificate rolls over), you will need to retrieve the updated metadata and send it again.

  • Once the ADFS metadata is sent to technicalsupport@connectis.com and the Connectis Identity Broker metadata is received from support, create a new Claims Provider Trust to model the connection to the Connectis Identity Broker. ADFS will accept any assertion signed with the token-signing certificate contained in that metadata, so verify the certificate's thumbprint and expiry with support over a second channel before importing it, and confirm afterwards that the trust shows exactly that certificate.

  • At this point, relying party trusts should already be able to authenticate using the Connectis Identity Broker. However, depending on your configuration, it is likely that not all of the attributes are returned in the authentication response, as ADFS might not be configured to include the claims or the subject (NameID) in the response. Claims have to pass two rule sets: first create acceptance transform rules on the new claims provider trust so that the desired claims are passed through, then create similar issuance transform rules on each relying party trust so that the claims are also passed through via that connection. Pass through only the claim types the application needs rather than using a catch-all "all claims" rule; a catch-all forwards whatever the broker asserts to the application.

  • Test the new connection. Contact technicalsupport@connectis.com if you need to troubleshoot your connection. You can find the ADFS events and errors in Event Viewer, under Applications and Services Logs / AD FS / Admin (debug tracing is available separately under AD FS Tracing if you need more detail).

Please note that advanced users might find it more convenient and more powerful to use PowerShell (the ADFS module) for configuring ADFS, since it exposes configuration options that the management console does not.
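The whole procedure above carried out in PowerShell, as an added example for this guide (it is not Connectis or Microsoft code): check the local metadata endpoint, inspect the broker's signing certificate before trusting it, create the claims provider trust with scoped acceptance rules, append matching issuance rules to an existing relying party trust, and pull the latest ADFS admin events. The file path, trust names, the relying party name "ExampleApp" and the expected thumbprint are assumptions to be replaced with your own values; the claim type URIs are the standard ADFS ones.

```powershell
# Added example, not part of the original guide. Run in an elevated PowerShell on the ADFS server.
# Assumptions (not from the guide): the path, trust names and thumbprint below are placeholders.
Import-Module ADFS

$BrokerMetadataFile = 'C:\adfs\connectis-broker-metadata.xml'   # file received from support (assumed path)
$CpTrustName        = 'Connectis Identity Broker'                 # assumed display name for the new trust
$RpTrustName        = 'ExampleApp'                                # assumed existing relying party trust
$ExpectedThumbprint = '0000000000000000000000000000000000000000' # placeholder: confirm with support out of band

# 1. The local federation metadata endpoint must answer over a valid TLS chain.
#    Invoke-WebRequest validates the certificate; do not work around a failure here.
$fsName      = (Get-AdfsProperties).HostName
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$own = [xml](Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
"Local entityID: $($own.EntityDescriptor.entityID)"

# 2. Inspect the broker metadata before trusting it: ADFS will accept assertions
#    signed by the certificate it contains, so compare it with the agreed thumbprint.
$broker = [xml](Get-Content -Path $BrokerMetadataFile -Raw)
$signingB64 = ($broker.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -ne 'encryption' } |        # "signing" or unspecified (both uses)
    Select-Object -First 1).KeyInfo.X509Data.X509Certificate
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String(($signingB64 -replace '\s', '')))
"Broker entityID: $($broker.EntityDescriptor.entityID)"
"Signing cert   : $($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    throw 'Broker signing certificate does not match the thumbprint confirmed with support; aborting.'
}

# 3. Claims provider trust. Acceptance rules pass through only the claim types the
#    applications need (NameID and e-mail here), not every claim the broker asserts.
$acceptRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through NameID from broker"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through email from broker"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@
Add-AdfsClaimsProviderTrust -Name $CpTrustName -MetadataFile $BrokerMetadataFile `
    -AcceptanceTransformRules $acceptRules
# Confirm the trust carries exactly the certificate inspected above.
(Get-AdfsClaimsProviderTrust -Name $CpTrustName).TokenSigningCertificates |
    ForEach-Object { "ADFS will accept tokens signed by: $($_.Thumbprint)" }

# 4. Relying party trust. Set-AdfsRelyingPartyTrust replaces the whole rule set,
#    so append the new pass-through rules to the rules already present.
$rp = Get-AdfsRelyingPartyTrust -Name $RpTrustName
$rpRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through NameID to application"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through email to application"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@
Set-AdfsRelyingPartyTrust -TargetName $RpTrustName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $rpRules)

# Optional: offer the broker only to this application (home realm discovery scoping).
# Add 'Active Directory' to the list if the application must also accept local AD logons.
Set-AdfsRelyingPartyTrust -TargetName $RpTrustName -ClaimsProviderName @($CpTrustName)

# 5. Troubleshooting: the most recent errors and warnings from the AD FS Admin log.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

The thumbprint check in step 2 is the part worth keeping even if you configure everything else in the console: a claims provider trust is an instruction to accept signed assertions from whoever holds that key, so the metadata file deserves the same scrutiny as a root certificate. If you later switch the trust to -MetadataUrl with automatic updates, the same point applies to whoever can serve that URL.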