Symantec VIP Integration Guide for Microsoft Active Directory Federation Services (AD FS)


Table of Contents

About integrating Active Directory Federation Services (AD FS) with Symantec VIP
    VIP features checklist
    Partner product requirements
        AD FS version support
        Operating system requirements
    Application support
        Desktop application support
        Mobile application support
        Office 365 thick client support
Installing and configuring the VIP integration module for AD FS
    Prerequisites
    Installing the VIP integration module for AD FS
    Configuring the VIP Authentication Service
    (Optional) Additional configuration changes in AD FS if you select email as the VIP User ID attribute
Configuring AD FS
    Overview of configuring AD FS for Windows Server 2012
        Enabling multi-factor authentication
        Configuring AD FS Relying Party Trust
    Overview of configuring AD FS for Windows Server 2016 and AD FS for Windows Server 2019
        Enabling multi-factor authentication
        Protecting AD FS Relying Party Trust
    Testing multi-factor authentication with VIP authentication provider
    Types of AD FS deployments
        AD FS farm deployment
        AD FS proxy deployment
    Upgrading the VIP integration module
Configuring VIP JavaScript Integration for AD FS
    Supported features
    Prerequisites for JavaScript integration with Windows Server 2019
    JavaScript integration for VIP Access Push
        Generating JavaScript integration code from VIP Manager
            Sample VIP integration code
        Configuring the VIP integration settings for JavaScript integration
        Testing JavaScript integration for VIP Access Push
        Testing the JavaScript integration using a security code
    JavaScript integration for additional features
        Configuring VIP SSP IdP for AD FS
        Configuring the JavaScript integration with the VIP components
            Generating JavaScript integration code from VIP Manager
            Configuring the VIP integration settings for JavaScript integration
Installing and configuring the Automatic Business Continuity Service for the VIP integration module
Configuring Microsoft Office 365
    Prerequisites
    Adding a domain to Microsoft Office 365
    Converting an Office 365 domain to a federated domain
    Configuring Microsoft Office 2013 clients with AD FS for Windows Server 2012
        Integrating Office 2013 clients with AD FS for Windows Server 2012
        Enabling and disabling modern authentication for clients
    Testing the configuration
        Signing into Outlook 2013
        Signing in to Skype for Business 2013
Configuring Microsoft Exchange Server 2013 and 2016
    Prerequisites
    Creating a Relying Party Trust for Outlook Web App and EAC
    Configuring claim rules in AD FS
    Configuring Exchange 2013 or 2016 for AD FS authentication
    Enabling AD FS authentication on the OWA and ECP virtual directories
    Testing the configuration
Configuring Microsoft SharePoint Server 2013 web application
    Prerequisites
    Creating a Relying Party Trust for the SharePoint Server 2013 web application
    Configuring claim rules in AD FS
    Configuring SharePoint 2013 for AD FS authentication
    Associating an existing web application with AD FS authentication
    Configuring permissions to access the web application
    Testing the configuration
Publishing a Remote Desktop Gateway through Web Application Proxy
    Prerequisites
    Creating a Relying Party Trust in AD FS
    Publishing the RD Gateway behind the Web Application Proxy
    Modifying the Remote Desktop Service collections
    Setting group policies on Active Directory Domain Services
    Testing the configuration
Publishing the VIP SSP IdP proxy URL with WAP
Uninstalling the VIP integration module for AD FS
    Uninstalling multi-factor authentication for AD FS for Windows Server 2012
    Uninstalling multi-factor authentication for AD FS for Windows Server 2016 and AD FS for Windows Server 2019
    Uninstalling the Health Check Service (Automatic Business Continuity)
Troubleshooting
Copyright Statement


About integrating Active Directory Federation Services (AD FS) with Symantec VIP

Enterprise workplaces are embracing web-based applications like never before, and demand for a single sign-on experience across applications is increasing. Most web-based applications adhere to the single sign-on standards. After users log on to one enterprise application with their credentials, they are signed in to the other enterprise applications seamlessly and can move between services securely without entering their credentials again.

Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. For example, consider a Service Provider (SP) who has a web application, and Colossal Corporation, which has an Identity Provider (IdP), Active Directory Federation Services (AD FS). Colossal Corporation has a database of people who need to access the SP's web application. If John Smith from Colossal Corporation wants to connect to the SP's web application, then the SP must trust John Smith coming from Colossal Corporation. The trust has to be established between AD FS and the SP.

The web application verifies whether the user is already authenticated. If John Smith is authenticated, the browser allows the user to access the web application. If John Smith is not authenticated, the browser redirects to Colossal's IdP to authenticate John Smith against Colossal's database of users. The browser then comes back to the SP's web application and presents the signed assertion from Colossal's IdP, which the SP can trust.

SAML enables web-based authentication and authorization scenarios including cross-domain Single Sign-On (SSO), which reduces the administrative overhead of distributing multiple authentication tokens to the user. The user can use this signed assertion for other applications that use the SAML request.
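The trust decision described above, seen from the Service Provider's side, as an added PowerShell example that is not part of the Symantec guide: the SP receives the assertion back from Colossal's IdP and checks that it names the IdP the trust was established with, that it is addressed to this SP and not to some other relying party, that it is inside its validity window, and that it carries the IdP's signature. The assertion, the issuer URI and the audience URI are constructed placeholders.

```powershell
# Added example, not from the Symantec guide: the checks a Service Provider makes
# on the signed assertion it receives back from the IdP (here, Colossal's AD FS).
# The assertion, issuer and audience URIs below are constructed placeholders.

function Test-SamlAssertionTrust {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,     # the <saml:Assertion> document
        [Parameter(Mandatory)][string]$TrustedIssuer,    # entityID of the IdP the SP trusts
        [Parameter(Mandatory)][string]$ExpectedAudience, # this SP's own entityID
        [datetime]$Now = [datetime]::UtcNow
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # needed if the XML signature is verified later
    $doc.LoadXml($AssertionXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')

    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. The assertion must come from the IdP the trust was established with.
    $issuer = $doc.SelectSingleNode('/saml:Assertion/saml:Issuer', $ns)
    if (-not $issuer -or $issuer.InnerText.Trim() -ne $TrustedIssuer) {
        $reasons.Add("Issuer '$($issuer.InnerText)' is not the trusted IdP")
    }

    # 2. It must be addressed to this SP, not replayed from another relying party.
    $audiences = @($doc.SelectNodes('/saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns) |
                   ForEach-Object { $_.InnerText.Trim() })
    if ($ExpectedAudience -notin $audiences) {
        $reasons.Add("Assertion is not addressed to $ExpectedAudience")
    }

    # 3. It must be inside its validity window (SAML timestamps are UTC).
    $cond = $doc.SelectSingleNode('/saml:Assertion/saml:Conditions', $ns)
    if ($cond) {
        $notBefore    = [datetimeoffset]::Parse($cond.GetAttribute('NotBefore')).UtcDateTime
        $notOnOrAfter = [datetimeoffset]::Parse($cond.GetAttribute('NotOnOrAfter')).UtcDateTime
        if ($Now -lt $notBefore -or $Now -ge $notOnOrAfter) {
            $reasons.Add("Assertion is outside its validity window ($notBefore to $notOnOrAfter UTC)")
        }
    } else {
        $reasons.Add('Assertion has no Conditions element')
    }

    # 4. The guide's trust rests on the assertion being signed by the IdP. This sample
    #    only checks that a signature is present; a real SP must also verify it against
    #    the IdP's token-signing certificate (System.Security.Cryptography.Xml.SignedXml).
    if (-not $doc.SelectSingleNode('/saml:Assertion/ds:Signature', $ns)) {
        $reasons.Add('Assertion is not signed')
    }

    $nameId  = $doc.SelectSingleNode('/saml:Assertion/saml:Subject/saml:NameID', $ns)
    $subject = if ($nameId) { $nameId.InnerText } else { $null }

    [pscustomobject]@{
        Subject  = $subject
        Accepted = ($reasons.Count -eq 0)
        Reasons  = $reasons
    }
}

# Constructed sample: a short assertion of the kind Colossal's IdP would return for John Smith.
$sampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                ID="_example-assertion-1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>http://adfs.colossal.example/adfs/services/trust</saml:Issuer>
  <ds:Signature><!-- placeholder: the IdP's XML signature goes here --></ds:Signature>
  <saml:Subject><saml:NameID>john.smith@colossal.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
'@

Test-SamlAssertionTrust -AssertionXml $sampleAssertion `
    -TrustedIssuer 'http://adfs.colossal.example/adfs/services/trust' `
    -ExpectedAudience 'https://sp.example/saml/metadata' `
    -Now ([datetimeoffset]'2024-05-01T10:05:00Z').UtcDateTime
```

Passing a different -ExpectedAudience, or a -Now past the NotOnOrAfter time, adds a reason and the assertion is rejected; this is the point of the audience and time checks, since a valid assertion meant for one SP must not be accepted by another or reused later.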

To achieve this benefit, the enterprise must:

• Integrate third-party web applications (as the Service Provider) through AD FS (as the Identity Provider).
• Configure AD FS.
• Configure the third party to use VIP as multi-factor authentication, including JavaScript integration for VIP Access Push, Intelligent Authentication, Device Fingerprint, Registered Computer, Voice, and SMS.

VIP features checklist

VIP support features lists the VIP Enterprise Gateway features that are supported with AD FS.

Table 1: VIP support features

VIP Feature                                                    Support
First-factor authentication
    AD/LDAP password through VIP Enterprise Gateway            No
    VIP PIN                                                    No
Second-factor authentication
    VIP Push                                                   Yes
    SMS                                                        Yes
    Voice                                                      Yes
Selective strong authentication
    Target resource-based                                      Yes
    End user-based                                             Yes
    Risk-based                                                 Yes
General authentication
    Multi-domain                                               Yes
    Anonymous user name                                        Yes
    Legacy authentication provider integration (delegation)    No
    AD password reset                                          No
    Third-party ID Provider (IdP)                              Yes
Integration Method
    VIP JavaScript                                             Yes
    VIP Login                                                  No
    SOAP Web Service APIs                                      Yes
    RADIUS                                                     No
    Automatic Business Continuity                              Yes

Partner product requirements

This section describes operating system and software requirements for integrating Symantec VIP Enterprise Gateway with AD FS.

AD FS version support

The following AD FS versions are supported:

• AD FS for Windows Server 2012 (AD FS 3.0)
• AD FS for Windows Server 2016 (AD FS 4.0)
• AD FS for Windows Server 2019 (AD FS 5.0)

Operating system requirements

The following operating systems are supported:

• Windows Server 2012 R2 (x64)
• Windows Server 2016 (x64)
• Windows Server 2019

Application support

This section lists the applications and the features that are supported for desktop, mobile, and Office 365 thick clients.

Desktop application support

Desktop application support lists the supported desktop applications for different features.

Table 2: Desktop application support

Application / Feature                                      Support
Microsoft Office 365 (see Overview of configuring Microsoft Office 365)
    Security code                                          Yes
    VIP Access Push (a)                                    Yes
    Additional Authentication Features (b)                 Yes
Yammer (see Overview of configuring Microsoft Office 365)
    Security code                                          Yes
    VIP Access Push (a)                                    Yes
    Additional Authentication Features (b)                 Yes
Microsoft Exchange Server 2013 and 2016 (see Overview of configuring Microsoft Exchange Server 2013 and 2016)
    Security code                                          Yes
    VIP Access Push (a)                                    Yes
    Additional Authentication Features (b)                 Yes
Microsoft SharePoint Server 2013 web application (see Overview of configuring Microsoft SharePoint Server 2013 web application)
    Security code                                          Yes
    VIP Access Push (a)                                    Yes
    Additional Authentication Features (b)                 Yes
Remote Desktop Gateway (see Remote Desktop Gateway Configuration Tasks)
    Security code                                          Yes
    VIP Access Push (a)                                    Yes
    Additional Authentication Features (b)                 Yes

a. For details, refer to JavaScript integration for VIP Access Push.

b. For details, refer to JavaScript integration for additional features.

Mobile application support

Mobile application support lists the supported mobile applications for features on different mobile operating systems.

Table 3: Mobile application support

Mobile OS / Feature                                        Supported Mobile Applications
iOS
    Security code                                          Yes / Yes / Yes
    VIP Access Push (a)                                    Yes / Yes / Yes
    Additional Authentication Features (b)                 Yes / No / No
Android
    Security code                                          Yes / Yes / Yes
    VIP Access Push (a)                                    Yes / Yes / Yes
    Additional Authentication Features (b)                 No / Yes / No
Windows
    Security code                                          Yes / Not applicable / Yes
    VIP Access Push (a)                                    Yes / Not applicable / No
    Additional Authentication Features (b)                 Yes / Not applicable / No

(Each row lists the value for the three mobile applications in the original table's column order; the application column headings are not present in this copy.)

a. For details, refer to JavaScript integration for VIP Access Push.

b. For details, refer to JavaScript integration for additional features.


Office 365 thick client support

Support on thick clients for Office 365 lists the supported features on thick clients for Office 365.

Table 4: Support on thick clients for Office 365

Thick Client / Feature                                     Support
Outlook 2013
    Security code                                          Yes
    VIP Access Push (a)                                    Yes
    Additional Authentication Features (b)                 No
Skype for Business
    Security code                                          Yes
    VIP Access Push (a)                                    Yes
    Additional Authentication Features (b)                 No

a. For details, refer to JavaScript integration for VIP Access Push.

b. For details, refer to JavaScript integration for additional features.


Installing and configuring the VIP integration module for AD FS

Complete the following general steps to install and configure the VIP integration module for AD FS:

Table 5: VIP integration module for AD FS installation and configuration tasks

Step  Task
1     Ensure that you meet the prerequisites, as applicable. See Prerequisites.
2     Install the VIP integration module for AD FS. See Installing the VIP integration module for AD FS.
3     Configure your VIP Authentication Service. See Configuring the VIP Authentication Service.
4     Optionally, perform configuration changes to enable email as the claim rule. See (Optional) Additional configuration changes in AD FS if you select email as the VIP User ID attribute.

Prerequisites

Ensure that you meet the following prerequisites, as applicable:

• If you are running AD FS on Windows Server 2012 R2 (x64), ensure that you have Microsoft .NET version 4.6.2 installed on your AD FS computer. Microsoft .NET version 4.6.2 is provided by default with AD FS on Windows Server 2016 and Windows Server 2019.
• If you deploy AD FS as an AD FS farm or as an AD FS proxy, see the following topics before you begin your installation:
  – AD FS farm deployment
  – AD FS proxy deployment

Installing the VIP integration module for AD FS

1. Log into VIP Manager.

2. From the Accounts tab, download the VIP integration module for AD FS (Download Files > Third_Party_Integrations > Plugins > Active_Directory_Federation_Services.zip).

3. Navigate to the location where you downloaded Active_Directory_Federation_Services.zip and extract it.

4. Open the Active_Directory_Federation_Services folder, select setup.exe and run it as an administrator.

5. Follow the prompts to install the AD FS module.

6. After installing the VIP integration module for AD FS, click Finish. The VIP Integration Settings window is displayed (VIP Integration Settings window). You configure the VIP Authentication Service in this window.

See Configuring the VIP Authentication Service.


Configuring the VIP Authentication Service

1. To configure your VIP Authentication Service, edit the following fields from the VIP Integration Settings window (VIP Integration Settings window):

Field / Description

VIP Authentication Service Settings

Authentication URL
    Enter the VIP Authentication Service URL that is used to authenticate the user name and the security code. For example, https://userservices-auth.vip.symantec.com/vipuserservices/AuthenticationService_1_4

VIP Certificate
    Specify the certificate file location currently on the local system. To search for a certificate file, click Browse.
    Note: Download the VIP certificate in the .p12 format from VIP Manager and save it to the folder where you installed the AD FS module (typically C:\Program Files\Symantec\ADFS\).

VIP Certificate Password
    Enter the password of the VIP certificate file that is specified in the VIP Certificate field.

Proxy Settings

Enable Proxy Settings
    Enables the proxy configuration settings. The proxy settings that you define under Enable Proxy Settings are used to communicate with the cloud services.

Host IP
    IP address of the proxy server.

Port
    Port number of the proxy server.

User Name
    The optional user name for proxy basic authentication.

Password
    The password for the user name that is specified in the User Name field.

Test Settings
    Click Test Settings to test client connectivity to VIP Services.

Log File Path
    Path to the Logs directory. Note the following:
    • On the AD FS host, the VIP integration module logs information both in Event Viewer and in a log file that is stored under the Logs directory.
    • Two types of logs exist under the Logs directory. One log is for VIPAuthenticator (Log_VIPAuthProvider_<current_date>.txt) and the other log is for the vipssp web application (Log_VIPSSP_<current_date>.txt).

VIP User ID
    The attribute for the user that is registered in VIP Services as user name. Note the following:
    • This attribute is applicable only for the AD FS module that is installed on the primary AD FS server.
    • You do not need to change the VIP User ID in the secondary AD FS server. The secondary AD FS server uses the VIP User ID from the primary AD FS server.
    • By default, the module associates the Windows Account Name (SamAccountName) as the VIP User ID.
    • Before changing the VIP User ID attribute, do the following:
      – AD FS for Windows Server 2012: Clear the VIP Authentication Provider check box in the Edit Global Authentication Policy setting of the AD FS console.
      – AD FS for Windows Server 2016 and AD FS for Windows Server 2019: Clear the VIP Authentication Provider check box in Service > Authentication Method > Multifactor Authentication Method > Edit.

Enable VIP JavaScript Integration
    Select this check box to enable JavaScript integration with VIP Services.

Enable Automatic Business Continuity
    Select this check box to enable automatic business continuity.
    Note: If you want to enable Business Continuity manually to always skip second factor authentication, set the registry [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ADFS3.0] "EnableManualBCMode" to 1.
    For more information on installing and configuring Automatic Business Continuity, see Installing and Configuring the Automatic Business Continuity for VIP Integration Module.

2. To test the authentication service configuration, follow these steps:

• Click Test Settings.
• Enter a valid user name and security code. Ensure that the user name that you enter in Test Settings matches exactly the user name in VIP Cloud or VIP Manager.
• Click OK.
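Two items in the settings table above are worth checking from the command line on an AD FS host: the manual Business Continuity switch, which when set to 1 skips the VIP second factor for every sign-in and is therefore something to audit after an outage is over, and the location of the newest VIP log files. The following PowerShell is an added example, not part of the Symantec guide. It assumes the default install folder named in the Note (C:\Program Files\Symantec\ADFS\) with a Logs folder beneath it; the date format inside the log file names is not given in the guide, so the files are matched with a wildcard and the most recently written one is picked.

```powershell
# Added example, not from the Symantec guide. Reports two things the settings
# table describes on an AD FS host: whether the manual Business Continuity switch
# is set (second factor skipped for everyone) and where the newest VIP log files
# are. Assumptions: the default install folder from the guide and a "Logs" folder
# under it; the log file date format is not given, so a wildcard is used.

function Get-VipAdfsModuleStatus {
    param(
        [string]$InstallPath = 'C:\Program Files\Symantec\ADFS'
    )

    # Registry key and value exactly as documented in the table: 1 = always skip the second factor.
    $bc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Symantec\ADFS3.0' -Name 'EnableManualBCMode' -ErrorAction SilentlyContinue
    $manualBcMode = if ($null -ne $bc) { [int]$bc.EnableManualBCMode } else { 0 }

    # Newest Log_VIPAuthProvider_<date>.txt and Log_VIPSSP_<date>.txt under the Logs directory.
    $logDir = Join-Path $InstallPath 'Logs'
    $latest = @{}
    foreach ($component in 'VIPAuthProvider', 'VIPSSP') {
        $file = Get-ChildItem -Path $logDir -Filter "Log_${component}_*.txt" -File -ErrorAction SilentlyContinue |
                Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $latest[$component] = if ($file) { $file.FullName } else { $null }
    }

    [pscustomobject]@{
        ManualBusinessContinuity = ($manualBcMode -eq 1)
        LatestAuthProviderLog    = $latest['VIPAuthProvider']
        LatestSspLog             = $latest['VIPSSP']
    }
}

$status = Get-VipAdfsModuleStatus
$status | Format-List

if ($status.ManualBusinessContinuity) {
    # Manual BC mode is meant for an outage of the VIP service; it bypasses MFA for every sign-in.
    Write-Warning 'EnableManualBCMode is 1: the VIP second factor is currently skipped for all users.'
}
if ($status.LatestAuthProviderLog) {
    # Show the tail of the VIPAuthenticator log, the first place to look after Test Settings fails.
    Get-Content -Path $status.LatestAuthProviderLog -Tail 20
}
```

The same log entries are also written to Event Viewer, as the table notes; the file tail is simply the quickest view when Test Settings reports a connectivity or certificate problem.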


The VIP Authentication Service is configured. If you use email as the VIP User ID attribute, you can configure additional settings.

See (Optional) Additional configuration changes in AD FS if you select email as the VIP User ID attribute.

Otherwise, continue with configuring your AD FS Service, based on your AD FS version:

• Overview of configuring AD FS for Windows Server 2012
• Overview of configuring AD FS for Windows Server 2016 and AD FS for Windows Server 2019

(Optional) Additional configuration changes in AD FS if you select email as the VIP User ID attribute

By default, AD FS does not support email as the claim rule. If you use email as the VIP User ID attribute, perform the following steps:

1. Go to Control Panel > System and Security > Administrative Tools.

2. Open the AD FS Management console.

3. With AD FS for Windows Server 2012, select Trust Relationships > Claims Provider Trust.

4. From Claims Provider Trust, right-click Active Directory and then select Edit Claim Rules.

5. Click Add Rule.

6. In Choose Rule Type, select Send LDAP Attribute as Claims, click Next, and set the fields as shown in the following figure:

• Enter the Claim rule name. For example, Email.
• In the Attribute store field, select Active Directory.
• In the drop-down list for the LDAP Attribute field, select E-Mail-Addresses, and for the Outgoing Claim Type field, select E-Mail-Address.
• Click Finish > Apply > OK.


Configuring AD FS

Refer to the appropriate procedures to configure your instance of Microsoft AD FS:

• Overview of configuring AD FS for Windows Server 2012
• Overview of configuring AD FS for Windows Server 2016 and AD FS for Windows Server 2019

Overview of configuring AD FS for Windows Server 2012

Complete the following general steps to configure AD FS for Windows Server 2012:

Table 6: AD FS for Windows Server 2012 configuration tasks

Step  Task
1     Enable multi-factor authentication. See Enabling multi-factor authentication.
2     Configure AD FS Relying Party Trust. See Configuring AD FS Relying Party Trust.
3     Test multi-factor authentication. See Testing multi-factor authentication with VIP authentication provider.

Enabling multi-factor authentication

Complete the following steps to enable multi-factor authentication:

1. Go to Control Panel > System and Security > Administrative Tools.

2. Open the AD FS Management console.

3. In the left navigation pane, click AD FS > Authentication Policies. The Authentication Policies Overview page is displayed.

4. In the Primary Authentication section, click Edit under Global Settings. The Edit Global Authentication Policy page is displayed.

5. In the primary authentication, select the authentication method your organization currently uses. For example, Forms Authentication.

6. In the Multi-Factor Authentication section, click Edit under Global Settings. The Edit Global Authentication Policy page with the Multi-factor tab is displayed.

7. Select the VIP Authentication Provider check box from the Additional Authentication Methods section and click OK.

Continue with protecting AD FS Relying Party trust.

See Configuring AD FS Relying Party Trust.


Configuring AD FS Relying Party Trust

Complete the following steps to configure Relying Party Trust for any third-party web application:

1. In the left navigation pane, click AD FS > Authentication Policies. The Authentication Policies Overview page is displayed.

2. Click Per Relying Party Trust and select the relying party you have added (For example, Salesforce or Office 365).

3. Right-click on the relying party and select Edit Custom Primary Authentication.

4. In the Multi-factor tab, select Extranet and Intranet, and click Apply.

Continue to test multi-factor authentication.

See Testing multi-factor authentication with VIP authentication provider.

Overview of configuring AD FS for Windows Server 2016 and AD FS for Windows Server 2019

Complete the following general steps to configure AD FS for Windows Server 2016 and AD FS for Windows Server 2019:

Table 7: AD FS for Windows Server 2016 and 2019 configuration tasks

Step  Task
1     Enable multi-factor authentication. See Enabling multi-factor authentication.
2     Configure AD FS Relying Party Trust. See Protecting AD FS Relying Party Trust.
3     Test multi-factor authentication. See Testing multi-factor authentication with VIP authentication provider.

Enabling multi-factor authentication

Complete the following steps to enable multi-factor authentication:

1. Go to Control Panel > System and Security > Administrative Tools.

2. Open the AD FS Management console.

3. In the left navigation pane, click AD FS > Service > Authentication method. The Authentication Method Overview page is displayed.

4. In Primary Authentication, click Edit under Global Settings. The Edit Global Authentication Policy page is displayed.

5. Click Edit in Multi-factor Authentication Method.

6. In the Edit Authentication Methods window, select the VIP Authentication Provider check box as shown in the following figure.

Continue with protecting AD FS Relying Party trust.

See Protecting AD FS Relying Party Trust.


Protecting AD FS Relying Party Trust

Complete the following steps to protect Relying Party Trust for any third-party web application:

1. In the left navigation pane, click AD FS > Relying Party Trust.

2. Select the relying party you have added (for example, Salesforce or Office 365).

3. Right-click on the relying party and select Edit Access Control Policy.

4. Under the Access Control Policy tab, select Permit everyone and require MFA, or select Required MFA Policy.

5. Click Apply to save the changes.

Continue to test multi-factor authentication.

See Testing multi-factor authentication with VIP authentication provider.

Testing multi-factor authentication with VIP authentication provider

Perform the following steps:

1. Access the IdP initiated single sign-on URL. For example, https://<adfs-server-name>/adfs/ls/IdpInitiatedSignOn.aspx.

2. Enter a valid user name and password.

3. Enter a valid security code. You are redirected to the protected application home page.

Types of AD FS deployments

A variety of relying parties can be configured with AD FS for federated authentication. Symantec VIP can provide second factor authentication if AD FS is configured to provide multi-factor authentication with the relying party. See the appropriate reference for samples of the following third-party configurations in AD FS.

Table 8: AD FS deployment resources

Microsoft Office 365: see Overview of configuring Microsoft Office 365.

Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016: see Overview of configuring Microsoft Exchange Server 2013 and 2016.

Microsoft SharePoint Portal Server 2013 web application: see Overview of configuring Microsoft SharePoint Server 2013 web application.

For detailed configuration of a relying party or detailed use cases of AD FS configuration with Office 365, refer to the relying party documentation.

You can deploy AD FS as an AD FS farm, or as an AD FS proxy:

• AD FS farm deployment

• AD FS proxy deployment

AD FS farm deployment

If you have an AD FS farm deployment, make sure that your deployment is complete. Then install the VIP integration module in all the AD FS servers in the farm. You must install the same version of the module on all AD FS servers in the farm. Otherwise you may lose the ability to perform multi-factor authentication with VIP.


See Overview of installing and configuring the VIP integration module for AD FS.

You do not need to configure the VIP User ID attribute in the module that is installed on the secondary AD FS server. The secondary AD FS server inherits this setting from the primary AD FS server. Customize the other settings according to your requirement. The other settings include VIP Authentication Service Settings, Proxy Settings, Enable Automatic Business Continuity, JS Integration, and Log file path.

If you install the Automatic Business Continuity Service in the primary AD FS server, you must also install it in all of the other AD FS servers on the AD FS farm.

See Installing and configuring the Automatic Business Continuity Service for the VIP integration module.

AD FS proxy deployment

If you have the AD FS web application proxy (WAP), install the AD FS module on the AD FS Server rather than the WAP proxy.

See Overview of installing and configuring the VIP integration module for AD FS.

Upgrading the VIP integration module

Complete the following general steps to upgrade to the latest version of the VIP integration module. Note the following considerations:

• Your users do not have access to your AD FS services during this upgrade. To avoid this downtime, create a temporary AD FS server and route authentication traffic through that server during the upgrade. Once you have upgraded the integration module, route your authentication traffic through the upgraded AD FS server and delete the temporary AD FS server.

• If you have implemented the JavaScript integration, make a back-up of the <install_dir>\JScripts\IAScript.js file before beginning the upgrade. Once the upgrade completes, replace the existing file in this location with your back-up file.

• When upgrading one AD FS server in a farm, make sure to upgrade all AD FS servers to the same version of the integration module at the same time. Otherwise, you may lose the ability to perform multi-factor authentication with VIP.

Table 9: AD FS upgrade tasks

1. Uninstall the existing VIP integration module. See the appropriate instructions:

• Uninstalling multi-factor authentication for AD FS for Windows Server 2012

• Uninstalling multi-factor authentication for AD FS for Windows Server 2016 and AD FS for Windows Server 2019

2. Install and configure the VIP integration module. See Overview of installing and configuring the VIP integration module for AD FS.


Configuring VIP JavaScript Integration for AD FS

Refer to the following to configure the VIP JavaScript Integration for Microsoft AD FS:

• Supported features

• Prerequisites for JavaScript integration with Windows Server 2019

• JavaScript integration for VIP Access Push

• JavaScript integration for additional features

Supported features

You configure VIP to support push authentication using the VIP JavaScript integration.

See JavaScript integration for VIP Access Push.

You can also configure VIP to support the following additional features using the VIP JavaScript integration:

• SMS/Voice-based security code

• Email-based security code

• Device fingerprint

• Registered computer (RC)

• Intelligent Authentication (Risk-based)

See JavaScript integration for additional features.

Prerequisites for JavaScript integration with Windows Server 2019

With Windows Server 2019, Microsoft introduces content security policies to prevent accidental execution of malicious content. For the VIP JavaScript to integrate with AD FS on Windows Server 2019, you must modify the content security policy header to allow the User Services URL (https://userservices.vip.symantec.com). Run the following command on your AD FS server:

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' https://userservices.vip.symantec.com <trusted_service_access_host> https://ssp.vip.symantec.com 'unsafe-inline' 'unsafe-eval' script-src; img-src 'self' data:;"

Where <trusted_service_access_host> is the fully-qualified domain name (FQDN) for your Self Service Portal IdP. Use the format https://<SSP_IdP_FQDN>:8233.
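The header above is the one point where the AD FS sign-in page is opened up to load script from outside the server, so it is worth checking what the policy actually admits before setting it. The following is an added example, not code from the Symantec guide or the VIP module: it assembles a Content-Security-Policy value from the sources the guide lists and evaluates it against candidate script URLs the way a browser would (script-src, falling back to default-src, with origin and port matching). The SSP IdP host https://ssp-idp.example.com:8233 and the AD FS page origin https://adfs.example.com are constructed placeholders.

```javascript
// Added example, not code from the Symantec guide. It builds the
// Content-Security-Policy value the guide prescribes for Windows Server 2019
// and checks which script origins that policy admits, so the header can be
// reviewed before it is set with Set-AdfsResponseHeaders.
// Constructed placeholders: the SSP IdP host "https://ssp-idp.example.com:8233"
// and the AD FS page origin "https://adfs.example.com" are not from the guide.

const VIP_USER_SERVICES = "https://userservices.vip.symantec.com";
const VIP_SSP = "https://ssp.vip.symantec.com";

// Assemble a well-formed policy from the sources the guide lists; the
// trusted service access host is the SSP IdP (https://<SSP_IdP_FQDN>:8233).
function buildCsp(trustedServiceAccessHost) {
  const sources = [
    "'self'", VIP_USER_SERVICES, trustedServiceAccessHost, VIP_SSP,
    "'unsafe-inline'", "'unsafe-eval'",
  ];
  return `default-src ${sources.join(" ")}; img-src 'self' data:;`;
}

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one CSP source expression admit the given URL?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;                   // keywords never match a URL
  if (!source.includes("://")) return url.hostname === source; // bare host expression
  let allowed;
  try { allowed = new URL(source); } catch (e) { return false; }
  // Scheme and host must match. Ports are compared after URL normalisation,
  // so "https://host" admits only the default port and "https://host:8233"
  // admits only port 8233.
  return allowed.protocol === url.protocol &&
    allowed.hostname === url.hostname &&
    allowed.port === url.port;
}

// Scripts are governed by script-src, falling back to default-src.
function scriptSources(header) {
  const d = parseCsp(header);
  return d["script-src"] || d["default-src"] || [];
}

function isScriptAllowed(header, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  return scriptSources(header).some((s) => sourceMatches(s, url, pageOrigin));
}

// The guide's policy needs 'unsafe-inline' and 'unsafe-eval' because the pasted
// IAScript.js runs inline; list them so the relaxation is visible in review.
function relaxations(header) {
  return scriptSources(header).filter((s) => s === "'unsafe-inline'" || s === "'unsafe-eval'");
}

function demo() {
  const csp = buildCsp("https://ssp-idp.example.com:8233");
  const page = "https://adfs.example.com";
  return {
    vipLoader: isScriptAllowed(csp, `${VIP_USER_SERVICES}/vipuserservices/resources/js/v_1_0/vip`, page),
    sspIdp: isScriptAllowed(csp, "https://ssp-idp.example.com:8233/vipssp/trustedserviceaccess", page),
    sspIdpWrongPort: isScriptAllowed(csp, "https://ssp-idp.example.com/vipssp/trustedserviceaccess", page),
    thirdParty: isScriptAllowed(csp, "https://cdn.example.net/lib.js", page),
    relaxations: relaxations(csp),
  };
}

console.log(demo());
```

The port check is the part that bites in practice: the SSP IdP is published on 8233, so a policy entry without that port admits nothing from it, while an entry with the port admits only that port. The two relaxation keywords are required by the guide; keep the rest of the source list to exactly the hosts listed.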

JavaScript integration for VIP Access Push

Complete the following general steps to integrate VIP JavaScript to enable only VIP Access Push (VIP Access Push notifications with a custom URL and text).


Table 10: JavaScript integration for VIP Access Push configuration tasks

1. Configure the JavaScript integration with VIP Manager. For details, see Symantec VIP Intelligent Authentication Enterprise Integration Guide, which you can download from the Intelligent_Authentication folder in the VIP Manager Download Files page.

2. Generate the VIP Integration JavaScript code for AD FS. See Generating JavaScript integration code from VIP Manager.

3. Configure the VIP integration settings for JavaScript integration. See Configuring the VIP integration settings for JavaScript integration.

4. Test the JavaScript integration. See Testing JavaScript integration for VIP Access Push.

Generating JavaScript integration code from VIP Manager

Complete the following steps to generate the VIP Integration JavaScript code for AD FS:

1. Log into VIP Manager.

2. Click the Policies tab. The VIP Policy Configuration page is displayed.

3. Under the Account tab, click the VIP Integration Code for JavaScript link. A new window is displayed.

4. In the Method field, select Manual.

5. Select User Name + Security Code as the authentication mode. Enter the following values, which are case-sensitive, to generate the VIP integration code:

• User Name Field Name: username

• Password Field Name: vippassword

• Security Code Field Name: security_code

• Form Name: loginForm

• SSP IDP Proxy URL: You do not need to enter the SSP IdP Proxy URL when integrating JavaScript only for Push.

6. Save the generated JavaScript code.

7. On the AD FS computer, access the folder where the VIP AD FS integration module is installed (typically C:\Program Files\Symantec\ADFS\).

8. Using a standard text editor, open the file ..\JScripts\IAScript.js, and paste the generated JavaScript code.

9. Paste the following lines after the function vipAuth (), immediately before the </script> tag:

window.onload = function() {
    document.getElementById("continueButton").click();
}

10. By default, the AD FS service URL is displayed in the VIP Access Push notification sent to your users. You can replace this URL with a custom URL, referrer URL, or custom text in the VIP Access Push notification (VIP Access Push notifications with a custom URL and text). Set the custom URL or string by adding the following line between the <script> and </script> tags:

var rpURLOverride = "<url>"

Where <url> is the custom text or URL (including http or https).

11. Save the file.

For a sample of VIP integration code, see Sample VIP integration code.


Sample VIP integration code

The following code is a sample of the VIP integration code with a custom URL:

<!-- BEGIN VIP integration code -->
<script type="text/javascript" src="https://userservices.vip.symantec.com/vipuserservices/resources/js/v_1_0/vip?appId=8802758888&idpURL=https://vipsspidp.com:8233/vipssp/trustedserviceaccess&autoIntegration=manual"></script>
<script type="text/javascript">
// Custom text or URL shown in the VIP Access Push notification instead of the AD FS service URL
var rpURLOverride = "https://custom_display_url";
function vipAuth() {
    vipIaIntegrationProperties.setAuthenticationMode('uo');
    vipIaIntegrationProperties.setUsernameFieldName('username');
    vipIaIntegrationProperties.setPasswordFieldName('vippassword');
    vipIaIntegrationProperties.setSecurityCodeFieldName('security_code');
    // Case-sensitive: must match the Form Name entered in VIP Manager
    vipIaIntegrationProperties.setFormName('loginForm');
}
// Submit the AD FS sign-in form automatically once the page has loaded
window.onload = function() {
    document.getElementById("continueButton").click();
};
</script>
<!-- END VIP integration code -->


Configuring the VIP integration settings for JavaScript integration

Complete the following steps to configure the VIP integration settings for JavaScript integration:

1. Open the VIP Integration settings configuration tool, select the Enable VIP JS Integration check box, and click OK to save the settings.

2. Restart the AD FS server.

Testing JavaScript integration for VIP Access Push

Complete the following steps to test the JavaScript integration using a VIP Access Push:

1. Access a protected resource by accessing the IdP initiated single sign-on URL. For example, https://<adfs-server-name>/adfs/ls/IdpInitiatedSignOn.aspx.

2. Enter a valid user name and password. The VIP Service sends a VIP Access Push notification to the mobile device that is registered to this user.


3. Approve the notification on the mobile device.

4. You are prompted to remember the device.

• If you choose not to remember this mobile device, tap Skip.

• If you choose to remember the device, tap Remember. You are prompted to enter a unique name for the mobile device and tap Continue.


5. You are allowed access to the protected resource. The VIP integration is successful.

If you chose to remember this mobile device, you are not prompted to authenticate using a VIP Access Push the next time that you sign in.

A user can always choose to use a security code to sign in rather than approve the push notification on the mobile device.

See Testing the JavaScript integration using a security code.

Testing the JavaScript integration using a security code

To test the JavaScript integration, follow these steps:

1. Access a protected resource by accessing the IdP initiated single sign-on URL. For example, https://<adfs-server-name>/adfs/ls/IdpInitiatedSignOn.aspx.

2. Enter a valid user name and password.

3. Click Continue. The Confirm Your Identity window is displayed.


4. Enter a valid security code.

5. Select the Remember this private device check box, and click Continue.

6. You can access the protected resource after successful authentication. In the next logon, you are not prompted for the security code, as the device is remembered.

JavaScript integration for additional features

The Self Service Portal (SSP) is a cloud-based web application where your users manage their VIP credentials. On this portal, users can register, test, reset, or remove credentials from their account. You can configure the VIP integration with AD FS to use JavaScript to enable the following features. For more information on VIP SSP IdP, refer to VIP Enterprise Gateway Installation and Configuration Guide.

• Intelligent Authentication

• Registered Computer

• Device Fingerprint

• Out-of-band credentials (SMS and Voice)

Complete the following general steps to configure the SSP for AD FS to enable these additional features:


Table 11: JavaScript integration tasks

1. Configure VIP SSP IdP for AD FS. See Configuring VIP SSP IdP for AD FS.

2. Configure the JavaScript integration with the VIP components. See Configuring the JavaScript integration with the VIP components.

3. Test the JavaScript integration. See Testing the JavaScript integration using a security code.

Configuring VIP SSP IdP for AD FS

Perform the following steps to configure VIP SSP IdP for AD FS:

1. Log into VIP Enterprise Gateway.

2. Select the User Store tab.

3. Click Edit on user store and go to the Search criteria.

4. Click Edit and enter the VIP User name Attribute. This attribute must be the same as the VIP User ID configured in Configuring VIP Authentication Service.

5. Add the same attribute in user filter if it does not exist.

6. Save the changes.

7. Click the Identity Providers tab and do the following:

• (If you configure SSP IdP for the first time) Configure SSP IdP and then set the Service Status to ON.

• (If you have already configured SSP IdP) Click Edit.

8. Click the Trusted Service Access Settings tab.

9. Copy the VIP certificate that was used in the VIP integration module for AD FS and move it to the VIP Enterprise Gateway server.

See Configuring VIP Authentication Service.

10. Click Browse to select the file name of the VIP Certificate.

11. In the Password field, enter the password for the certificate.

12. In the Alias field, enter the alias name for the certificate.

13. Click Add VIP Certificate.

14. After completing the previous steps, ensure that the AD FS server time and the VIP Enterprise Gateway server time are in sync. Note that a time difference of more than a minute may cause authentication failure.

15. After you complete this configuration, the service is running at the following URL: https://<VIPSSPIDP_FQDN>:8233/vipssp/trustedserviceaccess. You must use this URL as part of the JavaScript integration.

16. To allow users on any device to access this URL from outside the corporate network, publish this URL with WAP (Web Application Proxy) in passthrough mode. For details on WAP publishing, refer to Appendix F, "Publishing VIP SSP IdP Proxy URL with WAP".

Configuring the JavaScript integration with the VIP components

Complete the following general steps to configure the JavaScript integration with the VIP components:


Table 12: JavaScript integration with the VIP components configuration tasks

1. Generate the VIP Integration JavaScript code for AD FS. See Generating JavaScript integration code from VIP Manager.

2. Configure the VIP integration settings for JavaScript integration. See Configuring the VIP integration settings for JavaScript integration.

You must also configure the JavaScript integration with VIP Manager. For details, see Symantec VIP Intelligent Authentication Enterprise Integration Guide, which you can download from the Intelligent_Authentication folder in VIP Manager's Download Files page.

Generating JavaScript integration code from VIP Manager

Complete the following steps to generate the VIP Integration JavaScript code for AD FS:

1. Log into VIP Manager.

2. Click the Policies tab. The VIP Policy Configuration page is displayed.

3. Under the Account tab, click the VIP Integration Code for JavaScript link. A new window is displayed.

4. In the Method field, select Manual.

5. Select User Name + Security Code as the authentication mode. Enter the following values, which are case-sensitive, to generate the VIP integration code:

• User Name Field Name: username

• Password Field Name: vippassword

• Security Code Field Name: security_code

• Form Name: loginForm

• SSP IdP Proxy URL: https://<VIPSSPIDP_FQDN>:8233/vipssp/trustedserviceaccess

NOTE

If the SSP IdP Proxy URL is published with WAP, enter the external URL of the published application. For example: https://<externalurl>/vipssp/trustedserviceaccess.

6. Save the generated JavaScript code.

7. On the AD FS computer, access the folder where the VIP AD FS integration module is installed (typically C:\Program Files\Symantec\ADFS\).

8. Using a standard text editor, open the file ..\JScripts\IAScript.js, and paste the generated JavaScript code.

9. Paste the following lines after the function vipAuth (), immediately before the </script> tag:

window.onload = function() {
    document.getElementById("continueButton").click();
}

10. For a sample of VIP integration code, see the Sample VIP integration code.

11. Save the file.

Sample VIP integration code

The following code is a sample of the VIP integration code with a custom URL:

<!-- BEGIN VIP integration code -->
<script type="text/javascript" src="https://userservices.vip.symantec.com/vipuserservices/resources/js/v_1_0/vip?appId=8802758888&idpURL=https://vipsspidp.com:8233/vipssp/trustedserviceaccess&autoIntegration=manual"></script>
<script type="text/javascript">
// Custom text or URL shown in the VIP Access Push notification instead of the AD FS service URL
var rpURLOverride = "https://custom_display_url";
function vipAuth() {
    vipIaIntegrationProperties.setAuthenticationMode('uo');
    vipIaIntegrationProperties.setUsernameFieldName('username');
    vipIaIntegrationProperties.setPasswordFieldName('vippassword');
    vipIaIntegrationProperties.setSecurityCodeFieldName('security_code');
    // Case-sensitive: must match the Form Name entered in VIP Manager
    vipIaIntegrationProperties.setFormName('loginForm');
}
// Submit the AD FS sign-in form automatically once the page has loaded
window.onload = function() {
    document.getElementById("continueButton").click();
};
</script>
<!-- END VIP integration code -->
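The field names entered in VIP Manager are case-sensitive, the pasted file carries an appId and idpURL that must be real values, and the window.onload handler has to be present for the AD FS form to be submitted; a mismatch in any of these only shows up as a failed sign-in. The following is an added example, not code from the Symantec guide or the VIP module, that lints an IAScript.js before it is copied to the AD FS server, for both the Push-only procedure (no idpURL required) and the additional-features procedure above (idpURL required). The two file bodies it checks are constructed for the example; appId 0000000000 and the example.com hosts are placeholders.

```javascript
// Added example, not code from the Symantec guide. It lints an IAScript.js
// before it is copied to the AD FS server: the four field names the guide
// says are case-sensitive, an unreplaced rpURLOverride placeholder, the
// window.onload handler that clicks continueButton, and the loader tag's
// appId and (for the additional-features integration) idpURL parameters.
// The two file bodies below are constructed for this example; appId
// "0000000000" and the example.com hosts are placeholders, not guide values.

const EXPECTED_FIELDS = {
  setUsernameFieldName: "username",
  setPasswordFieldName: "vippassword",
  setSecurityCodeFieldName: "security_code",
  setFormName: "loginForm",
};

// Collect vipIaIntegrationProperties.setX('value') calls into { setX: value }.
function extractSetters(source) {
  const found = {};
  const re = /vipIaIntegrationProperties\.(set\w+)\(\s*['"]([^'"]*)['"]\s*\)/g;
  let m;
  while ((m = re.exec(source)) !== null) found[m[1]] = m[2];
  return found;
}

// Returns a list of findings; an empty list means the file passed every check.
function lintIaScript(source, { expectIdpUrl = false } = {}) {
  const findings = [];
  const setters = extractSetters(source);
  for (const [setter, expected] of Object.entries(EXPECTED_FIELDS)) {
    const actual = setters[setter];
    if (actual === undefined) findings.push(`${setter} is missing`);
    else if (actual !== expected) findings.push(`${setter} is '${actual}', expected '${expected}' (case-sensitive)`);
  }
  // rpURLOverride may be any custom text or URL, but not an unreplaced <placeholder>.
  const override = /var\s+rpURLOverride\s*=\s*['"]([^'"]*)['"]/.exec(source);
  if (override && (override[1].trim() === "" || /^<[^>]*>$/.test(override[1]))) {
    findings.push(`rpURLOverride still holds the placeholder '${override[1]}'`);
  }
  const clicksContinue = /window\.onload\s*=/.test(source) &&
    /getElementById\(\s*['"]continueButton['"]\s*\)\.click\(\)/.test(source);
  if (!clicksContinue) findings.push("window.onload handler that clicks continueButton is missing");
  const src = /<script[^>]*\ssrc=["']([^"']+)["']/.exec(source);
  if (!src) {
    findings.push("loader <script src> tag is missing");
  } else {
    if (/<\w+>/.test(src[1])) findings.push("loader src still contains a placeholder");
    if (expectIdpUrl && !/[?&]idpURL=https?:\/\//.test(src[1])) findings.push("loader src lacks the idpURL parameter");
  }
  return findings;
}

// Constructed: a file with the form name in the wrong case, placeholders left
// in, no onload handler and no idpURL.
const BAD_IASCRIPT = `
<script type="text/javascript" src="https://userservices.vip.symantec.com/vipuserservices/resources/js/v_1_0/vip?appId=<appId>&autoIntegration=manual"></script>
<script type="text/javascript">
var rpURLOverride = "<url>"
function vipAuth() {
  vipIaIntegrationProperties.setAuthenticationMode('uo');
  vipIaIntegrationProperties.setUsernameFieldName('username');
  vipIaIntegrationProperties.setPasswordFieldName('vippassword');
  vipIaIntegrationProperties.setSecurityCodeFieldName('security_code');
  vipIaIntegrationProperties.setFormName('loginform');
}
</script>`;

// Constructed: the same file completed as the guide describes.
const GOOD_IASCRIPT = `
<script type="text/javascript" src="https://userservices.vip.symantec.com/vipuserservices/resources/js/v_1_0/vip?appId=0000000000&idpURL=https://ssp-idp.example.com:8233/vipssp/trustedserviceaccess&autoIntegration=manual"></script>
<script type="text/javascript">
var rpURLOverride = "https://portal.example.com";
function vipAuth() {
  vipIaIntegrationProperties.setAuthenticationMode('uo');
  vipIaIntegrationProperties.setUsernameFieldName('username');
  vipIaIntegrationProperties.setPasswordFieldName('vippassword');
  vipIaIntegrationProperties.setSecurityCodeFieldName('security_code');
  vipIaIntegrationProperties.setFormName('loginForm');
}
window.onload = function() {
  document.getElementById("continueButton").click();
}
</script>`;

console.log("bad:", lintIaScript(BAD_IASCRIPT, { expectIdpUrl: true }));
console.log("good:", lintIaScript(GOOD_IASCRIPT, { expectIdpUrl: true }));
```

Run it with the real file contents read from <install_dir>\JScripts\IAScript.js; the check is text-only and does not need the VIP loader script, so it can be part of the backup-and-restore step of the upgrade procedure as well.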

Configuring the VIP integration settings for JavaScript integration

1. Open the VIP Integration settings configuration tool, select the Enable VIP JS Integration check box, and click OK to save the settings.

2. Restart the AD FS server.


Installing and configuring the Automatic Business Continuity Service for the VIP integration module

Complete the following steps to install and configure the Automatic Business Continuity Service (the Health Check Service) for the VIP integration module:

1. Install the Health Check Service:

• Navigate to the Active_Directory_Federation_Services.zip file that you downloaded from VIP Manager when you installed the VIP integration module. Extract it. See Installing the VIP integration module for AD FS.

• Select setup.exe, and run it as administrator. You are prompted to install the Health Check Service.

2. Enter Yes and the Welcome page of the Installation Wizard is displayed. Click Next.

3. Accept the license agreement and click Next.

4. Select the VIP certificate, enter the password, and click Next.

5. Configure the Health Check Service settings and enter values for the following fields:

Health Check Service Port: Enter the port number. The default port number is 8443.

Location of the VIP certificate: Select the VIP certificate.

Password: Enter the password for the certificate.

Number of retries: Select the number of retries.

Poll Interval in seconds: Enter the poll interval in seconds.

Logging level: Select the preferred logging level for the Health Check Service from the drop-down list.

Number of log files to keep: Select the number of log files to keep.

Log Rotation Interval: Select how frequently you want to create a new log file.

Email Settings

Enable Email: Select this check box to configure email notifications.

SMTP Host: Enter the host name of the SMTP server.

SMTP Port: Enter the port number of the SMTP server.

Authentication Required: Select this check box to enable authentication to the SMTP server.

Username: Enter the user name to log on to the SMTP server.

Password: Enter the password to log on to the SMTP server.

Server supports SSL: Select this check box if you want to use SSL to secure the connection.

Select Trusted Certificate: Select the trusted certificate.

Sender's Email Address: Enter the email address of the person or group that sends the email notification.

Recipient's Email Address: Enter the email address of the person or group that is intended to receive the email notification.

Connectivity Lost Subject: The default subject line for the connectivity lost email notification. Edit this value as required.

Connectivity Lost Message: The default text for the connectivity lost email notification. Edit this value as required.

Connectivity Restored Subject: The default subject line for the connectivity restored email notification. Edit this value as required.

Connectivity Restored Message: The default text for the connectivity restored email notification. Edit this value as required.

Http Proxy Settings

Enable Proxy: Select the check box to enable proxy settings.

Proxy Hostname: Enter the host name of the proxy server.

Proxy Port: Enter the port number that the proxy server uses.

Authentication Required: Select the check box to enable authentication to the proxy.

Username: Enter the user name for the proxy.

Password: Enter the password for the proxy.

6. Select the destination directory where you want to install the Health Check service and click Next.

7. A confirmation wizard with the location is displayed. Click Next to complete the installation.


Configuring Microsoft Office 365

Complete the following general steps to configure Microsoft Office 365 to integrate with AD FS for single sign-on:

Table 13: Microsoft Office 365 configuration tasks

1. Complete the prerequisites. See Prerequisites.

2. Add a domain to Microsoft Office 365. See Adding a domain to Microsoft Office 365.

3. Convert an Office 365 domain to a federated domain. See Converting an Office 365 domain to a federated domain.

4. Configure your Microsoft Office 2013 clients with AD FS for Windows Server 2012. See Configuring Microsoft Office 2013 clients with AD FS for Windows Server 2012.

5. Test the configuration. See Testing the configuration.

6. Optionally, configure Yammer services. To configure Yammer services with Office 365 and AD FS for Windows Server 2012, follow the instructions available at the Microsoft Support site.

Prerequisites

Ensure that the following conditions are fulfilled before you configure Microsoft Office 365 to integrate with AD FS for single sign-on:

• AD FS for Windows Server 2012 must be installed and configured on a Windows Server 2012 R2 server. Verify that the AD FS services work by accessing the AD FS sign-in page (https://<ADFS Compute FQDN>/adfs/ls/idpinitiatedsignon.htm).

• Create an Office 365 account and add your domain name to Office 365. See Adding a domain to Microsoft Office 365.

• Download and install the following on the AD FS computer or the Domain joined computer:

– Microsoft Online Services Sign-In Assistant for IT Professionals BETA

– Azure Active Directory Module for Windows PowerShell (64-bit version)

Adding a domain to Microsoft Office 365

Complete the following steps:

1. From the Office 365 welcome page, navigate to home.

2. Click on Domains > Add Domain.

3. In the Add a new domain in Office 365 page, click Let's get started.

4. Enter the Domain Name and click Next.

5. Follow the on-screen instructions to ADD TXT record to verify your domain.

6. After the domain is verified, click FINISH.

For more information on adding a domain to Office 365, refer to the Microsoft Support site.


Converting an Office 365 domain to a federated domain

Complete the following steps:

1. Launch Windows Azure Active Directory Module for Windows PowerShell.

2. Run Connect-MsolService and provide a set of Office 365 global admin credentials. For example,[email protected] credentials.

3. To enable Remote PowerShell, run Enable-PSRemoting and select the [A] Yes To All option.

4. Connect to AD FS service by executing Set-MsolADFSContext -Computer <ADFS computer FQDN>.

5. To convert the Office 365 domain to a federated domain, run Convert-MsolDomainToFederated -DomainName <Office365_Domain_Name>.

6. After conversion, verify that the change was applied: the Get-MsolDomain cmdlet lists the Office 365 domains.

7. After the domain is successfully converted, you can see the Relying Party Trusts created for Office 365 in the AD FS console.

Configuring Microsoft Office 2013 clients with AD FS for Windows Server 2012

Office 365 ProPlus is productivity software that includes single sign-on (SSO) based logon to Office 2013 Windows clients. You can install Office 365 ProPlus on your desktop computer or laptop computer.

Complete the following general steps to configure Microsoft Office 2013 clients with AD FS for Windows Server 2012:

Table 14: Overview of configuring Microsoft Office 365

1. Integrate Office 2013 clients with AD FS for Windows Server 2012. See Integrating Office 2013 clients with AD FS for Windows Server 2012.

2. Enable modern authentication for Office 365 clients. See Enabling and disabling modern authentication for clients.

Integrating Office 2013 clients with AD FS for Windows Server 2012

Perform the following steps to integrate Office 2013 clients with AD FS for Windows Server 2012:

1. Create an Office 365 ProPlus account, or add Office365 ProPlus licenses to an existing account.

2. Your Office 365 ProPlus account must join the public preview program of Microsoft Office 365, which enables modern authentication.

To join the public preview program, perform the following steps:

• Sign up for public preview on Microsoft Connect. (On this website, you must first sign in using your Microsoft account. Create a Microsoft account if you do not have one.)

• Ensure that your Office 365 domain is federated. If your domain is currently not federated, see Converting an Office 365 domain to a federated domain to convert your domain into a federated domain.

NOTE

Only an Office 365 ProPlus account supports the modern authentication feature, which provides single sign-on (SSO) based logon with AD FS for Windows Server 2012.


Enabling and disabling modern authentication for clients

You must first install Office 365 clients from your Office 365 ProPlus account. To enable modern authentication for clients, set the registry keys as listed in the following table for each device that you want to enable for modern authentication.

Table 15: Registry key settings to enable modern authentication for clients

Registry Key: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL, Type: REG_DWORD, Value: 1

Registry Key: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version, Type: REG_DWORD, Value: 1

Disabling modern authentication for clients

To disable modern authentication for Office 365 clients, set the registry key as listed in the following table.

Table 16: Registry key setting to disable modern authentication for clients

Registry Key: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL, Type: REG_DWORD, Value: 0

Testing the configuration

You can test the configuration of Microsoft Office 2013 clients with AD FS for Windows Server 2012 in the following ways:

• Signing into Outlook 2013

• Signing in to Skype for Business 2013


Signing into Outlook 2013

Perform the following steps in Outlook 2013 to test the configuration of Microsoft Office 2013 clients with AD FS for Windows Server 2012:

1. From the Start menu, launch Outlook 2013.

2. From the FILE tab, click Office Account. The Account dialog box is displayed.

3. Click Sign In. The Sign In dialog box is displayed.

4. Enter the email address of the account you want to use with Outlook, and then click Next. You are automatically redirected to the AD FS for Windows Server 2012 logon page.

5. Enter your organization's account and password, and click Sign In.

6. If you have correctly configured the Microsoft Office 2013 client with AD FS for Windows Server 2012, the logon is successful.

Signing in to Skype for Business 2013

Perform the following steps in Skype for Business 2013 to test the configuration of Microsoft Office 2013 clients with AD FS for Windows Server 2012:

1. From the Start menu, launch Skype for Business.

2. Enter the sign-in email address of your organization, not a Skype user name or Microsoft account. You are automatically redirected to the AD FS for Windows Server 2012 logon page.

3. Enter your organization's account and password, and click Sign In.

If you have correctly configured the Microsoft Office 2013 client with AD FS for Windows Server 2012, the logon is successful.


Configuring Microsoft Exchange Server 2013 and 2016

Complete the following general steps to configure Microsoft Exchange Server 2013 and 2016 to integrate with AD FS for single sign-on:

Table 17: Microsoft Exchange Server 2013 and 2016 configuration tasks

Step | Task
1 | Complete the prerequisites. See Prerequisites.
2 | Create a relying party trust for Outlook Web App and Exchange Admin Center (EAC). See Creating a Relying Party Trust for Outlook Web App and EAC.
3 | Configure the claim rules in AD FS. See Configuring claim rules in AD FS.
4 | Configure Exchange 2013 or Exchange 2016 for AD FS authentication. See Configuring Exchange 2013 or 2016 for AD FS authentication.
5 | Enable AD FS authentication on the OWA and ECP virtual directories. See Enabling AD FS authentication on the OWA and ECP virtual directories.
6 | Test the configuration. See Testing the configuration.

Prerequisites

Complete the following conditions before configuring Microsoft Exchange Server 2013 or Exchange Server 2016 to integrate with AD FS:

• Install and configure AD FS for Windows Server 2012 on a Windows Server 2012 R2 server. Verify that the AD FS services work by accessing the AD FS sign-in page (https://<ADFS Compute FQDN>/adfs/ls/idpinitiatedsignon.htm).

• Ensure that your on-premises Exchange Server is an Exchange Server 2013 Service Pack 1 (SP1) or Exchange Server 2016 deployment.

• Import the AD FS, SSL, and token signing certificates into your Exchange Server computer store with the Certificates MMC snap-in.

• Import the Exchange Server SSL certificates into the AD FS computer store with the Certificates MMC snap-in.

NOTE

You cannot integrate AD FS and claims-based authentication if your Exchange Server deployment includes Exchange 2007, Exchange 2010, or Exchange 2013 RTM servers.

Claims-based authentication replaces traditional authentication methods, including: Windows, Forms, Digest, Basic, and Active Directory client certificate authentication.


Creating a Relying Party Trust for Outlook Web App and EAC

Complete the following steps to create a relying party trust for Outlook Web App and Exchange Admin Center (EAC):

1. In Server Manager, click Tools, and then select AD FS Management.

2. In the AD FS snap-in, under AD FS\Trust Relationships, right-click Relying Party Trusts, and then click Add Relying Party Trust. The Add Relying Party Trust wizard is displayed.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.

5. On the Specify Display Name page, in the Display Name field, enter a display name. For example, OWA-13.

6. On the Choose Profile page, click AD FS profile, and then click Next.

7. On the Configure Certificate page, click Next.

8. On the Configure URL page, select the Enable support for the WS-Federation Passive protocol check box, in the Relying party WS-Federation Passive protocol URL field, enter https://<Exchange SERVER HOSTNAME>/owa, and then click Next.

9. On the Configure Identifiers page, click Next.

10. On the Configure Multi-factor Authentication page, verify that the option I do not want to configure multi-factor authentication settings for this relying party trust at this time is selected. Then, click Next.

11. On the Choose Issuance Authorization Rules page, select permit all users to access this relying party, and click Next.

12. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.

13. On the Finish page, verify that the option Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected. Then, click Close.

Configuring claim rules in AD FS

Complete the following steps to configure the claim rules in AD FS:

1. In the Issuance Transform Rules tab, click Add Rule.

2. In Choose Rule Type, select Send LDAP Attribute as Claims and click Next. The Add Transform Claim Rule Wizard is displayed.

3. Edit the following fields:

• Enter an appropriate value in Claim rule name. For example, UPN-Name ID.
• In the Attribute store drop-down list, select Active Directory.
• Select or enter values in the LDAP Attribute and Outgoing Claim Type columns.

NOTE

To create a relying party trust for EAC, complete the steps in Creating a Relying Party Trust for Outlook Web App and EAC again and create a second relying party trust. However, the following two field values must be different:

In the Display Name field, enter EAC.

In the Relying party WS-Federation Passive protocol URL field, enter https://<Exchange Server HOSTNAME>/ecp.


Configuring Exchange 2013 or 2016 for AD FS authentication

Complete the following steps to configure Exchange 2013 or Exchange 2016 for AD FS authentication:

1. On the AD FS server, use Windows PowerShell to find the AD FS token signing certificate thumbprint. Enter Get-ADFSCertificate -CertificateType "Token-signing" and then record the token-signing certificate thumbprint that is returned.

2. Using the Exchange Management Shell, enter the following commands:

$uris = @("https://<Exchange server hostname>/owa", "https://<Exchange server hostname>/ecp")
Set-OrganizationConfig -AdfsIssuer "https://<ADFS HOSTNAME>/adfs/ls/" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprints "<ADFS Certificate Thumbprint>"

Enabling AD FS authentication on the OWA and ECP virtual directories

For the OWA and Exchange Control Panel (ECP) virtual directories, enable AD FS authentication as the only authentication method. Disable all other types of authentication.

NOTE

You must first configure the ECP virtual directory and then configure the OWA virtual directory.
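The Exchange-side work above (the organization configuration, then AD FS as the only authentication method on ECP and then OWA) as one added PowerShell script. This is an added example, not code from the Symantec guide or from Microsoft; it assumes the Exchange Management Shell on the Exchange 2013 SP1 or 2016 server, that the token-signing thumbprint has already been read with Get-ADFSCertificate on the AD FS server, and placeholder host names (mail.contoso.example, adfs.contoso.example) that you replace with your own. The check at the end reports any authentication method other than AD FS that is still enabled on either virtual directory, which is the condition the guide requires.

```powershell
# Added example, not from the Symantec guide. Run in the Exchange Management Shell on the
# Exchange 2013 SP1 / 2016 server after the AD FS certificates have been imported.
# The host names and thumbprint below are assumptions; replace them with your own values.
$ExchangeHost   = "mail.contoso.example"               # assumed Exchange host name
$AdfsHost       = "adfs.contoso.example"               # assumed AD FS host name
$AdfsThumbprint = "<ADFS token-signing thumbprint>"    # from Get-ADFSCertificate -CertificateType "Token-signing" on the AD FS server
$ServerName     = $env:COMPUTERNAME

# Guard: the token-signing certificate must already be in the computer store,
# otherwise Exchange cannot validate the signature on the tokens AD FS issues.
$signingCert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $AdfsThumbprint } | Select-Object -First 1
if (-not $signingCert) {
    throw "Token-signing certificate $AdfsThumbprint is not in the LocalMachine store; import it first."
}

# Configuring Exchange for AD FS authentication: issuer, audience URIs and signing thumbprint.
$uris = @("https://$ExchangeHost/owa", "https://$ExchangeHost/ecp")
Set-OrganizationConfig -AdfsIssuer "https://$AdfsHost/adfs/ls/" `
    -AdfsAudienceUris $uris -AdfsSignCertificateThumbprints $AdfsThumbprint

# AD FS as the only authentication method, ECP first and then OWA, as the guide requires.
$disableOthers = @{
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
}
Set-EcpVirtualDirectory -Identity "$ServerName\ecp (Default Web Site)" -AdfsAuthentication $true @disableOthers
Set-OwaVirtualDirectory -Identity "$ServerName\owa (Default Web Site)" -AdfsAuthentication $true `
    -OAuthAuthentication $false @disableOthers

# Check: reports any authentication method other than AD FS that is still enabled.
function Test-AdfsOnlyAuthentication {
    param([Parameter(Mandatory)] $VirtualDirectory)
    $methods = 'BasicAuthentication', 'DigestAuthentication', 'FormsAuthentication',
               'WindowsAuthentication', 'OAuthAuthentication'
    $stillOn = @($methods | Where-Object { $VirtualDirectory.$_ -eq $true })
    [pscustomobject]@{
        Identity     = $VirtualDirectory.Identity
        AdfsOnly     = ([bool]$VirtualDirectory.AdfsAuthentication -and ($stillOn.Count -eq 0))
        StillEnabled = ($stillOn -join ', ')
    }
}
Get-EcpVirtualDirectory -Server $ServerName | ForEach-Object { Test-AdfsOnlyAuthentication $_ }
Get-OwaVirtualDirectory -Server $ServerName | ForEach-Object { Test-AdfsOnlyAuthentication $_ }

# The virtual directory changes take effect once IIS reloads its configuration.
iisreset
```

Run the script once per Exchange server that hosts the OWA and ECP virtual directories; the AdfsOnly column must read True for both directories before you move on to Testing the configuration.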

Testing the configuration

Complete the following steps to test the integration:

1. Access the URL https://<exchange server hostname>/owa.

2. On the AD FS logon page, do the following:

• Enter your user name or logon name.
• Enter your password.

When you successfully authenticate and authorize, you can access the mailbox.


Configuring Microsoft SharePoint Server 2013 web application

Complete the following general steps to configure Microsoft SharePoint Server 2013 web application to integrate with AD FS for single sign-on:

Table 18: Microsoft SharePoint Server 2013 web application configuration tasks

Step | Task
1 | Complete the prerequisites. See Prerequisites.
2 | Create a relying party trust for the SharePoint Server 2013 web application. See Creating a Relying Party Trust for the SharePoint Server 2013 web application.
3 | Configure the claim rules in AD FS. See Configuring claim rules in AD FS.
4 | Configure SharePoint 2013 for AD FS authentication. See Configuring SharePoint 2013 for AD FS authentication.
5 | Associate an existing web application with AD FS authentication. See Associating an existing web application with AD FS authentication.
6 | Configure permissions to access the web application. See Configuring permissions to access the web application.
7 | Test the configuration. See Testing the configuration.

Prerequisites

Ensure that you fulfill the following conditions before configuring Microsoft SharePoint Server 2013 web application to integrate with AD FS:

• Install and configure AD FS for Windows Server 2012 on a Windows Server 2012 R2 server. Verify that the AD FS services work by accessing the AD FS sign-in page (https://<ADFS Compute FQDN>/adfs/ls/idpinitiatedsignon.htm).

• Import the AD FS, SSL, and token signing certificates into your SharePoint server computer store with the Certificates MMC snap-in.

• Import the SharePoint Server SSL certificates into the AD FS computer store with the Certificates MMC snap-in.


Creating a Relying Party Trust for the SharePoint Server 2013 web application

Complete the following steps to create a relying party trust for the SharePoint Server 2013 web application:

1. In Server Manager, click Tools, and then select AD FS Management.

2. In AD FS snap-in, under AD FS\Trust Relationships, right-click Relying Party Trusts, and then click Add Relying Party Trust. The Add Relying Party Trust wizard is displayed.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.

5. On the Specify Display Name page, in the Display Name field, enter a display name. For example, OWA-13.

6. On the Choose Profile page, click AD FS profile, and then click Next.

7. On the Configure Certificate page, click Next.

8. On the Configure URL page, select the Enable support for the WS-Federation Passive protocol check box, and then in the Relying party WS-Federation Passive protocol URL field, enter https://<your sharepoint webapp hostname>/_trust/.

NOTE

When entering the URL, ensure that you include the trailing forward slash (/).

9. On the Configure Identifiers page, enter the name of the relying party trust identifier (for example, urn:sharepoint:contoso), click Add, and then click Next.

NOTE

The relying party trust identifier URL is the realm value when you configure a new SPTrustedIdentityTokenIssuer in Configuring SharePoint 2013 for AD FS authentication.


10. On the Choose Issuance Authorization Rules page, select permit all users to access this relying party, and click Next.

11. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.

12. On the Finish page, verify that Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected, and click Close.

Configuring claim rules in AD FS

Complete the following steps to configure the claim rules in AD FS:

1. On the Issuance Transform Rules tab, click Add Rule.

2. On the Select Rule Template page, select Send LDAP Attributes as Claims and click Next. The Add Transform Claim Rule Wizard is displayed.

3. Edit the following fields:

• On the Configure Rule page, in the Claim rule name field, enter the name of the claim rule.
• In the Attribute Store drop-down list, select Active Directory.
• In the Mapping of LDAP attributes to outgoing claim types section, do the following:

– In the LDAP Attribute column, select E-Mail-Addresses in the drop-down list and in the following row, select User-Principal-Name.

– In the Outgoing Claim Type column, select E-Mail Address in the drop-down list and in the following row, select UPN.

4. Click Finish, and then click OK.

Configuring SharePoint 2013 for AD FS authentication

Complete the following steps to configure SharePoint 2013 for AD FS authentication:

NOTE

Execute all the commands that are listed in this section on a single instance of SharePoint 2013 Management Shell.

1. Enter the following code to import the AD FS Token Signing Certificate using SharePoint 2013 Management Shell:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<PathToSigningCert>")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert


2. To define the unique identifier for mapping claims using SharePoint 2013 Management Shell, enter the following code to set UPN as the claim type:

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

NOTE

You can set different incoming claim types for SharePoint. Refer to the Microsoft documentation for additional information.

3. To create a new authentication provider in your SharePoint farm to communicate with AD FS using SharePoint 2013 management console, enter the following code:

$realm = "urn:sharepoint:contoso"
$signInURL = "https://<YourADFSServerName>/adfs/ls"
$ap = New-SPTrustedIdentityTokenIssuer -Name "<ProviderName>" -Description "<ProviderDescription>" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $upnClaimMap -SignInURL $signInURL -IdentifierClaim $upnClaimMap.InputClaimType


NOTE

Some of the parameters appearing in the earlier code have the following significance:

The Name value appears in your SharePoint web application as the Trusted Identity Token Issuer.

The realm parameter is the relying party trust identifier that you use with this particular provider. Each web application or host-named site collection that you create has its own realm.

The ImportTrustCertificate parameter is the token signing certificate that you copy from the AD FS server and pass to the application.

The IdentifierClaim parameter informs SharePoint as to which claim submitted by the user is used for identification of users.

4. In the commands that are listed in Step 2 and Step 3 of these procedures, UPN is used as a claim attribute. Similarly, there are other claim attribute types that you can set for SharePoint. Refer to the Microsoft documentation for additional information.

5. Enter the command Get-SPTrustedIdentityTokenIssuer to check the updated details.
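Steps 1 through 5 above as one added PowerShell script, not code from the Symantec guide or from Microsoft. It goes one step beyond the guide's commands: because the claim rule configured in Configuring claim rules in AD FS issues both E-Mail Address and UPN, the script maps both claims and keeps UPN as the identifier claim, as the guide does. It assumes a single SharePoint 2013 Management Shell, a certificate file path (C:\certs\adfs-token-signing.cer), an AD FS host name (adfs.contoso.example) and a provider name (SAML Provider for SharePoint) that you replace with your own; the realm urn:sharepoint:contoso is the identifier from the relying party trust procedure. The final block turns step 5 into a check that the stored issuer points at the AD FS sign-in URL, uses the expected realm, identifies users by UPN, and trusts the certificate you loaded.

```powershell
# Added example, not from the Symantec guide. Run all of it in one SharePoint 2013 Management Shell.
# The path, host name and provider name below are assumptions; replace them with your own values.
$SigningCertPath = "C:\certs\adfs-token-signing.cer"        # assumed path to the exported AD FS token-signing certificate
$Realm           = "urn:sharepoint:contoso"                # must equal the relying party trust identifier in AD FS
$AdfsSignInUrl   = "https://adfs.contoso.example/adfs/ls"  # assumed AD FS host name
$ProviderName    = "SAML Provider for SharePoint"          # shown on the SharePoint sign-in page

# Step 1: load and trust the token-signing certificate. Refuse an expired file or one that
# carries a private key: SharePoint only needs the public certificate to verify signatures.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)
if ($cert.NotAfter -lt (Get-Date)) { throw "Token-signing certificate expired on $($cert.NotAfter)." }
if ($cert.HasPrivateKey) { throw "Export the public certificate only; $SigningCertPath carries a private key." }
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint })) {
    New-SPTrustedRootAuthority -Name "AD FS Token Signing Cert" -Certificate $cert | Out-Null
}

# Step 2, generalized: map both claims that the AD FS claim rule issues (E-Mail Address and UPN).
# UPN remains the identifier claim, as in the guide.
$upnClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$emailClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# Step 3: the trusted identity token issuer, one per realm.
$ap = New-SPTrustedIdentityTokenIssuer -Name $ProviderName `
    -Description "AD FS with Symantec VIP" -Realm $Realm `
    -ImportTrustCertificate $cert -ClaimsMappings $upnClaimMap, $emailClaimMap `
    -SignInURL $AdfsSignInUrl -IdentifierClaim $upnClaimMap.InputClaimType

# Step 5 as a check rather than a bare listing: what SharePoint stored must match what AD FS expects.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $ProviderName
$checks = [ordered]@{
    SignInUrlMatches   = ($issuer.ProviderUri.AbsoluteUri.TrimEnd('/') -eq $AdfsSignInUrl.TrimEnd('/'))
    RealmMatches       = ($issuer.DefaultProviderRealm -eq $Realm)
    IdentifierIsUpn    = ($issuer.IdentityClaimTypeInformation.InputClaimType -eq $upnClaimMap.InputClaimType)
    SigningCertMatches = ($issuer.SigningCertificate.Thumbprint -eq $cert.Thumbprint)
}
$checks.GetEnumerator() | ForEach-Object { "{0,-20} {1}" -f $_.Key, $_.Value }
if ($checks.Values -contains $false) {
    Write-Warning "Issuer configuration does not match the AD FS relying party trust; review the values above."
}
```

A False in any of the four checks means the sign-in will fail or users will be identified by the wrong claim, so resolve it before Associating an existing web application with AD FS authentication.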

Associating an existing web application with AD FS authentication

Complete the following steps to associate an existing web application with AD FS authentication:

1. On the SharePoint Central Administration home page, click Application Management.

2. On the Application Management page, in the Web Applications section, click Manage web applications.

3. Click the appropriate web application.

4. From the Web Applications menu, click Authentication Providers.

5. Under Zone, click the name of the zone. For example, Default.

6. In the Claims Authentication Types section of the Edit Authentication page, select Trusted Identity provider. Click the name of your SAML provider (<ProviderName> from the New-SPTrustedIdentityTokenIssuer command), and then click OK.

7. To enable SSL for this web application, do the following:

• Add an alternate access mapping from Application Management for the "https://" version of the web application's URL.

• Configure the website in the Internet Information Services (IIS) Manager console for an https binding.

Configuring permissions to access the web application

To allow users to authenticate using a UPN address as their SAML-based identity, add their email addresses with appropriate permissions to the web application. The SAML-based identity is as specified in the New-SPTrustedIdentityTokenIssuer command with the -IdentifierClaim $upnClaimMap.InputClaimType parameter.


Complete the following steps to configure a web application for permissions based on UPN:

1. On the Central Administration home page, click Application Management.

2. On the Application Management page, in the Web Applications section, click Manage web applications.

3. Click the appropriate web application, and then click User Policy.

4. In Policy for Web Application, click Add Users.

5. In the Add Users dialog box, click the appropriate zone in Zones, and then click Next.

6. In the Add Users dialog box, click the Browse icon in the lower, right-hand side of the Users box.

7. In the Select People and Groups dialog box, type the UPN of a user account in Find, and then click the Search icon.

8. In the search results, click UPN. Under the name of your AD FS identity provider, click the UPN of the user under Display Name. Click Add, and then click OK.

9. In Permissions, click the appropriate level of permissions.

10. Repeat Step 6 through Step 9 for the UPNs of any additional users who need the same level of permissions.

11. Click Finish, and then click OK.

Testing the configuration

Complete the following steps to test the integration:

1. Access your SharePoint web application URL (https://<hostname>/<sitename>).

2. In the sign-in page, select your provider name. For example, SAML Provider for SharePoint.

3. On the AD FS logon page, do the following:

• Enter your user name or logon name.
• Enter your password.

When you successfully authenticate and authorize, you can access the web application.


Publishing a Remote Desktop Gateway through Web Application Proxy

The following table lists the RD Gateway configuration tasks and the relevant server that you must configure.

Table 19: RD Gateway configuration tasks

Task | Server
1 Complete the prerequisites. See Prerequisites. |
2 Create a relying party trust for RD Gateway. See Creating a Relying Party Trust in AD FS. | AD FS server
3 Publish the RD Gateway behind the Web Application Proxy. See Publishing the RD Gateway behind the Web Application Proxy. | Web Application Proxy server
4 Modify your Remote Desktop Service (RDS) collections. See Modifying the Remote Desktop Service collections. | RD Web Access server
5 Set group policies on the Active Directory Domain Services computer. See Setting group policies on Active Directory Domain Services. | Active Directory Domain Controller
6 Test the configuration. See Testing the configuration. |

Prerequisites

Ensure that you fulfill the following conditions before configuring RD Gateway through Web Application Proxy:

• Install and configure AD FS for Windows Server 2012 on a Windows Server 2012 R2 server. Verify that the AD FS services work by accessing the AD FS sign-in page (https://<ADFS Compute FQDN>/adfs/ls/idpinitiatedsignon.htm).

• Install and configure the Web Application Proxy on a Windows Server 2012 R2 server which has the same domain as the AD FS server.

• Make sure that you install the remote desktop services and perform all the steps for seamless logon with RD Gateway. For more details, refer to the Microsoft documentation.

Creating a Relying Party Trust in AD FS

Complete the following steps to create a relying party trust for RD Gateway:

1. In Server Manager, click Tools, and then select AD FS Management.

2. In AD FS snap-in, under AD FS\Trust Relationships, right-click Relying Party Trusts, and then click Add Relying Party Trust. The Add Relying Party Trust wizard is displayed.

3. In the wizard, edit the following fields:

• On the Welcome page, click Start.
• On the Select Data Source page, click Enter data about the relying party manually, and then click Next.
• On the Specify Display Name page, in the Display Name field, enter a display name. For example, RDG.
• On the Choose Profile page, click AD FS profile, and then click Next.
• On the Configure Certificate page, click Next.
• On the Configure URL page, click Next.
• For the Relying Party Trust identifier on the Configure Identifiers page, enter the external, fully qualified domain name (FQDN) that you use for RDG access. For example, enter https://rdg.contoso.com/.


You use this relying party trust when you publish the app in the Web Application Proxy.
• On the Configure Multi-factor Authentication page, verify that the option I do not want to configure multi-factor authentication settings for this relying party trust at this time is selected. Then, click Next.
• On the Choose Issuance Authorization Rules page, select permit all users to access this relying party, and click Next.
• On the Ready to Add Trust page, review the settings, and click Next to save your relying party trust information.
• On the Finish page, verify that the option Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is not selected. Then click Close.

Publishing the RD Gateway behind the Web Application Proxy

Complete the following steps to publish the RD Gateway behind the Web Application Proxy:

1. Install the hot fix for Web Application Proxy from the following location: https://support.microsoft.com/en-gb/kb/3000850.

2. Connect to your WAP server and switch to the Remote Access Management console.

3. In the left pane, make sure that Web Application Proxy is selected, and then in the right pane, click Publish. The Publish New Application wizard is displayed.

4. In the wizard, edit the following fields:

• Click Next.
• For the pre-authentication, select Active Directory Federation Services (AD FS), and click Next.
• Select the Relying Party Trust that you created in Creating a Relying Party Trust in AD FS and click Next.
• Enter a name for this published application. This name is for internal use only.
• Enter the external URL that users use to access your RD Gateway/RD Web Access installations. Then, select the certificate that your RD Gateway uses.
• Make sure that the back-end server URL is the same as the external URL, and click Next.
• In the confirmation window, click Publish.
• In the Results window, click Close to complete the settings in the wizard.

5. Using PowerShell, customize the following settings for the published web proxy using the commands that are listed in the following table.

Setting Command

DisableHttpOnlyCookieProtection
    Get-WebApplicationProxyApplication -Name rdg | Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection

InactiveTransactionsTimeoutSec
    Get-WebApplicationProxyApplication -Name rdg | Set-WebApplicationProxyApplication -InactiveTransactionsTimeoutSec 28800


Modifying the Remote Desktop Service collections

Complete the following steps to modify your Remote Desktop Service (RDS) collections:

1. Connect to your RD Connection Broker server, open a PowerShell window, and type the following commands:

PS C:\Users\Administrator> Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "authentication level:i:2
>> pre-authentication server address:s:https://win2k12adfs.win2012adfs.com/rdweb
>> require pre-authentication:i:1"


2. In the RD Web Access server computer, navigate to C:\Windows\Web\RDWeb\Pages, and edit the Site.xsl file by commenting out or deleting the following lines:

<td>
  <a id='PORTAL_SIGNOUT' href="javascript:onUserDisconnect()" target="_self">
    <xsl:value-of select="$strings[@id = 'SignOut']"/>
  </a>
</td>

This edit ensures that a user is forced to close the browser to end the session. Also, the next time that the user logs on, the user cannot skip the AD FS page for two-factor authentication.
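The two steps above as an added PowerShell script, not code from the Symantec guide or from Microsoft. Step 1 runs on the RD Connection Broker and step 2 on the RD Web Access server; the collection name QuickSessionCollection and the Site.xsl path come from the guide, while the RD Web Access URL (rdweb.contoso.example) is an assumption you replace with your own. Building the three .rdp properties from a list and validating each one against the name:type:value form catches the kind of typo that silently leaves pre-authentication off; the Site.xsl edit keeps a backup and only wraps the Sign Out block in an XML comment rather than deleting it.

```powershell
# Added example, not from the Symantec guide. Step 1 runs on the RD Connection Broker,
# step 2 on the RD Web Access server. Host name and collection name are assumptions.
$CollectionName = "QuickSessionCollection"                 # collection name used in the guide
$RdWebUrl       = "https://rdweb.contoso.example/rdweb"    # assumed external RD Web Access URL
$SiteXsl        = "C:\Windows\Web\RDWeb\Pages\Site.xsl"    # path from the guide

# Each .rdp property has the form "name:type:value", where type is i (integer) or s (string).
# Assembling the lines from a list and validating them avoids the quoting and spelling
# mistakes that are easy to make in a hand-typed multi-line string.
function New-RdgPreauthProperty {
    param([Parameter(Mandatory)][string] $PreauthServerUrl)
    $props = @(
        "authentication level:i:2",
        "pre-authentication server address:s:$PreauthServerUrl",
        "require pre-authentication:i:1"
    )
    foreach ($p in $props) {
        if ($p -notmatch '^[a-z\- ]+:[is]:.+$') { throw "Malformed RDP property: $p" }
    }
    return ($props -join "`n")
}

# Step 1 (RD Connection Broker): push the pre-authentication properties to the collection.
$customRdp = New-RdgPreauthProperty -PreauthServerUrl $RdWebUrl
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty $customRdp

# Step 2 (RD Web Access): comment out the Sign Out link so that closing the browser is the
# only way to end the session and the next sign-in cannot skip the AD FS MFA page.
function Disable-RdWebSignOutLink {
    param([Parameter(Mandatory)][string] $Path)
    $xsl = Get-Content -Path $Path -Raw
    $pattern = '(?s)<td>\s*<a id=''PORTAL_SIGNOUT''.*?</a>\s*</td>'
    if ($xsl -notmatch $pattern) {
        Write-Warning "PORTAL_SIGNOUT block not found in $Path; nothing changed."
        return $false
    }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force      # restore point before editing
    $patched = $xsl -replace $pattern, '<!-- $0 -->'          # $0 is the whole matched block
    Set-Content -Path $Path -Value $patched -Encoding UTF8
    return $true
}
Disable-RdWebSignOutLink -Path $SiteXsl
```

If Disable-RdWebSignOutLink returns False the file layout differs from the lines shown in step 2; inspect Site.xsl by hand rather than forcing the edit.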

Setting group policies on Active Directory Domain Services

Complete the following step to set group policies on the Active Directory Domain Services computer:

1. You can use Group Policy and Active Directory Domain Services to add RD Gateway policy settings.

• From the Group Policy Editor, navigate to Local computer policy > User Configuration > Administrative Templates > Windows Components > Remote Desktop Services > RD Gateway.

• Apply the following Group Policy settings:

GPO Setting | Enable/Disable | “Allow users to change this setting” check box | GPO Setting Value
Set RD Gateway authentication method | Enabled | Unchecked | Use locally logged-on credentials
Enable Connection through RD Gateway | Enabled | Unchecked | N/A
Set RD Gateway Server address | Enabled | Unchecked | Provide a dummy value for the setting Set RD Gateway server address.


For more details on Group Policy settings, see the Microsoft Support site.

2. After you update the group policy, the RDP client looks as shown in the following figure.

Testing the configuration

Complete the following steps to test the configuration:

1. Access the URL https://<rdweb_FQDN>/rdweb.

2. On the AD FS logon page, enter the user name, password, and security code.

3. On the RD Web Access logon page, enter the user name and password.

When you successfully authenticate and authorize, you can access the published applications.


Publishing the VIP SSP IdP proxy URL with WAP

Complete the following steps to publish the VIP SSP IdP proxy URL with WAP:

1. On the Web Application Proxy server, in the Remote Access Management console, Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, Welcome page, click Next.

3. On the Pre-authentication page, click Pass-through, and then click Next.

4. On the Publishing Settings page, do the following:

• In the Name field, enter a friendly name for the application. This name is used only in the list of published applications in the Remote Access Management console.

• In the External URL field, enter the external URL for this application. For example, https://<externalurl>/vipssp/.
• In the External certificate drop-down list, select a certificate whose subject covers the external URL.
• In the Backend server URL field, enter the URL of the back-end server. For example, https://<VIPSSPIDP_FQDN>:8233/vipssp/. You must use this URL as part of the JavaScript integration.
• Click Next.

NOTE

The Backend server value is automatically entered when you enter the external URL. You must change it only if the back-end server URL is different from the external URL. If the external URL and back-end server URL do not match, then perform the tasks that are described in https://technet.microsoft.com/library/dn383995.aspx.

5. On the Confirmation page, review the settings, and then click Publish.

6. On the Results page, make sure that the application is successfully published, and click Close.
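The two Web Application Proxy publishing procedures in this guide, the RD Gateway with AD FS pre-authentication (Publishing the RD Gateway behind the Web Application Proxy, including the two settings from its table) and the VIP SSP IdP proxy URL with pass-through (the steps above), as one added PowerShell script run on the Web Application Proxy server. This is an added example, not code from the Symantec guide or from Microsoft. The RD Gateway URL https://rdg.contoso.com/ and the trust name RDG are the guide's example values; the VIP SSP host names (vip.contoso.example, vipsspidp.contoso.example, port 8233 from the guide) are assumptions you replace with your own. The certificate lookup implements the condition the guide states for the external certificate: its subject or subject alternative names must cover the external URL's host.

```powershell
# Added example, not from the Symantec guide. Run on the Web Application Proxy server.
# Publishes the two applications from this guide with PowerShell instead of the wizard.
# Host names and names below are assumptions unless noted as the guide's own values.
$RdgExternalUrl    = "https://rdg.contoso.com/"                         # guide's example; equals the AD FS relying party identifier
$RdgTrustName      = "RDG"                                             # display name of the relying party trust from the guide
$VipSspExternalUrl = "https://vip.contoso.example/vipssp/"             # assumed external URL for the VIP SSP IdP proxy
$VipSspBackendUrl  = "https://vipsspidp.contoso.example:8233/vipssp/"  # assumed VIP SSP IdP back end; port 8233 from the guide

# Pick a certificate in the computer store whose subject or SAN covers the host name,
# which is the condition the guide states for the external certificate. Wildcard names match.
function Get-CertificateForHost {
    param([Parameter(Mandatory)][string] $HostName)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Where-Object {
            $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })
            @($names | Where-Object { $HostName -like $_ }).Count -gt 0
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Publish-WapApplication {
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][string] $ExternalUrl,
        [Parameter(Mandatory)][string] $BackendUrl,
        [Parameter(Mandatory)][ValidateSet('ADFS', 'PassThrough')][string] $Preauthentication,
        [string] $RelyingPartyName
    )
    $externalHost = ([uri]$ExternalUrl).Host
    $cert = Get-CertificateForHost -HostName $externalHost
    if (-not $cert) { throw "No valid certificate in Cert:\LocalMachine\My covers $externalHost." }
    if (Get-WebApplicationProxyApplication -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Application '$Name' is already published; skipping."
        return
    }
    $params = @{
        Name                          = $Name
        ExternalUrl                   = $ExternalUrl
        BackendServerUrl              = $BackendUrl
        ExternalCertificateThumbprint = $cert.Thumbprint
        ExternalPreauthentication     = $Preauthentication
    }
    if ($Preauthentication -eq 'ADFS') { $params.ADFSRelyingPartyName = $RelyingPartyName }
    Add-WebApplicationProxyApplication @params
}

# RD Gateway: AD FS pre-authentication; the back-end URL equals the external URL, as the guide requires.
Publish-WapApplication -Name "rdg" -ExternalUrl $RdgExternalUrl -BackendUrl $RdgExternalUrl `
    -Preauthentication ADFS -RelyingPartyName $RdgTrustName
# The two settings from the guide's table (28800 seconds is the guide's eight-hour value).
Get-WebApplicationProxyApplication -Name "rdg" |
    Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection:$true -InactiveTransactionsTimeoutSec 28800

# VIP SSP IdP proxy URL: pass-through, so the VIP page is reachable before AD FS authentication completes.
Publish-WapApplication -Name "VIP SSP IdP" -ExternalUrl $VipSspExternalUrl -BackendUrl $VipSspBackendUrl `
    -Preauthentication PassThrough

# Review what is now published and how each application is pre-authenticated.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, ADFSRelyingPartyName |
    Format-Table -AutoSize
```

The closing listing is the place to confirm that only the VIP SSP proxy is pass-through and that the RD Gateway entry names the RDG relying party trust; any other application that shows PassThrough is reachable without AD FS and should be reviewed.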


Uninstalling the VIP integration module for AD FS

Refer to the appropriate procedures to uninstall the VIP integration module for Microsoft AD FS:

• Uninstalling multi-factor authentication for AD FS for Windows Server 2012
• Uninstalling multi-factor authentication for AD FS for Windows Server 2016 and AD FS for Windows Server 2019

After uninstalling the VIP integration module, also uninstall the Health Check Service. See Uninstalling the Health Check Service (Automatic Business Continuity).

Uninstalling multi-factor authentication for AD FS for Windows Server 2012

Complete the following steps to uninstall VIP Authentication Provider as multi-factor authentication for AD FS for Windows Server 2012:

1. Ensure that you back up the log files from the install directory.

2. Go to Control Panel > System and Security > Administrative Tools.

3. Open the AD FS Management console.

4. Right-click on Authentication Policies and select the Edit Global Multi-factor Authentication option.

5. Clear the VIP Authentication Provider check box under Select additional authentication methods and click OK.

6. Go to Control Panel > All Control Panel Items > Programs and Features > Uninstall VIP Authentication Provider ADFS.

NOTE

If the VIP check box is selected even after uninstalling the VIP integration module, you must restart the AD FS services.


Uninstalling multi-factor authentication for AD FS for Windows Server 2016 and AD FS for Windows Server 2019

Complete the following steps to uninstall VIP Authentication Provider as multi-factor authentication for AD FS for Windows Server 2016 and AD FS for Windows Server 2019:

1. Go to Control Panel > System Security > Administrative Tools.

2. Open the AD FS Management console.

3. In the left navigation pane, click AD FS > Service > Authentication Method. The Authentication Method Overview page is displayed.

4. In Primary Authentication, click Edit under Global Settings. The Edit Global Authentication Policy page is displayed.

5. Click the Edit link on Multi-factor Authentication Method.

6. In the Edit Authentication Method window, clear the VIP Authentication Provider check box.

7. Click Apply to save the changes.

8. Go to Control Panel > All Control Panel Items > Programs and Features > Uninstall VIP Authentication Provider ADFS.

Uninstalling the Health Check Service (Automatic Business Continuity)

Complete the following steps to uninstall Health Check Service:

1. Go to Control Panel > All Control Panel Items > Programs and Features > Symantec VIP Health Check Service.

2. If you uninstall AD FS, make sure to uninstall Health Check Service as well.


Troubleshooting

Table 20: Common issues and solutions

Issues Solutions

In the JavaScript integration, the Don't have asecurity code link is not displayed in the ConfirmYour Identity window.

You must make sure that:• The user in Active Directory has values for email, telephone, and mobile

attributes to perform out-of-band authentication.• VIP SSP IdP is up and running, and is accessible from the user computer.• AD FS VIP certificate is added in SSP IdP under the Trusted Access Setting

configuration in VIP Enterprise Gateway. Use the same VIP certificate as youdo in the VIP integration module for AD FS.See Configuring VIP Authentication Service.

• Time difference between the AD FS server and the SSP IdP server is not morethan 60 seconds.

• The following settings are applied in VIP Enterprise Gateway:– In the User Store tab, click Edit for the relevant User Store.– In the Select Attribute field of the Search Criteria tab, ensure that the

Email, SMS, and Voice check boxes are selected.– In the End User Access Settings sub-tab of the Identity Providers tab,

make sure that the Enable Automatic Distribution option is set to Yes.• If the login ID and the Cloud ID are not the same, ensure that the Cloud ID is

part of the User Store filter in the VIP Enterprise Gateway User Store settings.

AD FS authentication continuously fails due tonetwork latency and you may encounter thefollowing error:Encountered timeout exception

in communicating with VIP

services. The operation has

timed out.

Set the network response to within 10 seconds. If the timeout needs to beincreased, update the default timeout from 10 seconds to the appropriate delay.[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ADFS3.0\VipServicesTimeout]Update the healthcheck.properties file available at C:\Program Files(x86)\Symantec\VIP_Healthcheck_Service\service.healthcheck.connection.timeoutInSeconds=10

Issue: When you access the AD FS Single Sign-On page after successful authentication, you may encounter the following error:
Server error in the '/' application.

Solution: The requested operation cannot be completed as the computer must be trusted for delegation, and the current user account must be configured to allow delegation. AD FS must not be configured on the same computer where Active Directory Domain Services is configured.

Issue: When changing the VIP User ID attribute in VIP Integration settings, you may encounter the error:
Could not change claim type.

Solution:
For the primary AD FS server: Before you change the VIP User ID attribute, complete the following steps:
1. From the AD FS console, go to Authentication Policies, select Edit Global Multi-factor Authentication, and clear the VIP Authentication Provider check box.
2. Change the claim type in VIP Integration settings.
3. Restart the AD FS server.
For the secondary AD FS server: Besides the primary AD FS server, the VIP integration module that is installed on the secondary AD FS server also displays the error. Do not change the VIP User ID attribute on the secondary AD FS server. The secondary AD FS server inherits the VIP User ID attribute from the primary AD FS server.


Issue: If you have deployed AD FS as an AD FS farm, you may see multi-factor authentication failures with the following error:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: VIPAuthenticationProviderWindowsAccountName
Context: Proxy TLS pipeline
Additional Data Exception details:
The authentication method SymcVIP.AuthenticationAdapterWindowsAccountName, VIPAuthenticationProviderWindowsAccountName, Version=9.8.0.1, Culture=neutral, PublicKeyToken=ec9e8e47b18c9ce could not be loaded. Could not load file or assembly 'VIPAuthenticationProviderWindowsAccountName, Version=9.8.0.1, Culture=neutral, PublicKeyToken=ec9e8e47b18c9ce' or one of its dependencies. The system cannot find the file specified.
With event ID 105

Solution: This failure occurs when different versions of the VIP integration module for AD FS are installed on computers in your AD FS farm. Update all instances of the VIP integration module for AD FS to the same version on all computers in the AD FS farm. Download the latest version of the VIP integration module for AD FS from the Accounts tab of VIP Manager (Download Files > Third_Party_Integrations > Plugins > Active_Directory_Federation_Services.zip).
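The error text shows why a mixed farm breaks: the provider registration stored in the AD FS configuration names one exact assembly version, and any node that does not have that version in its Global Assembly Cache cannot load the adapter. The following PowerShell script is an added example, not part of the Symantec guide or the VIP module; it reports the adapter version installed on every farm node and the count of recent event ID 105 entries, so a mismatch is found before or during an incident rather than by users. It assumes PowerShell remoting to every node, that Get-AdfsFarmInformation (AD FS on Windows Server 2016 and later) lists the nodes unless you pass them with -Nodes, and that the assembly named in the error, VIPAuthenticationProviderWindowsAccountName, sits in the .NET 4.x GAC under %windir%\Microsoft.NET\assembly, as AD FS external authentication providers must.

```powershell
# Added example (not from the Symantec guide): report the VIP integration module
# version on every node of the AD FS farm and flag any mismatch.
# ASSUMPTIONS: PowerShell remoting to every node; Get-AdfsFarmInformation is available
# (AD FS 2016+), otherwise pass -Nodes; the adapter assembly is installed in the GAC.
param(
    [string[]]$Nodes,
    [string]$AssemblyName = 'VIPAuthenticationProviderWindowsAccountName'   # from the error text
)

if (-not $Nodes) {
    $Nodes = (Get-AdfsFarmInformation).FarmNodes | ForEach-Object { $_.FQDN }
}

$report = Invoke-Command -ComputerName $Nodes -ArgumentList $AssemblyName -ScriptBlock {
    param($AssemblyName)
    # The .NET 4.x GAC keeps one folder per assembly name, with a subfolder per version.
    $gacDir   = Join-Path $env:windir "Microsoft.NET\assembly\GAC_MSIL\$AssemblyName"
    $versions = @()
    if (Test-Path $gacDir) {
        $versions = @(Get-ChildItem -Path $gacDir -Recurse -Filter "$AssemblyName.dll" |
            ForEach-Object { [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Version.ToString() })
    }
    # Provider-load failures on this node in the last day (event ID 105 in the AD FS Admin log).
    $recent105 = @(Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 105; StartTime = (Get-Date).AddDays(-1) } `
                   -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{
        Node            = $env:COMPUTERNAME
        AdapterInGac    = ($versions.Count -gt 0)
        Versions        = (($versions | Sort-Object -Unique) -join ', ')
        Event105Last24h = $recent105
    }
}

$report | Sort-Object Node | Format-Table Node, AdapterInGac, Versions, Event105Last24h -AutoSize

# The farm is consistent only if every node reports exactly one, identical version.
$distinct = @($report | ForEach-Object { $_.Versions } | Sort-Object -Unique)
$missing  = @($report | Where-Object { -not $_.AdapterInGac })
if ($distinct.Count -ne 1 -or $missing.Count -gt 0) {
    Write-Warning "VIP integration module differs across the farm (versions seen: $($distinct -join ' | ')); install the same version on every node, then restart the Federation Service."
} else {
    Write-Host "OK: all $($report.Count) nodes run VIP integration module version $($distinct[0])."
}
```

Run it from the primary AD FS server, for example `.\Get-VipAdapterVersions.ps1` or `.\Get-VipAdapterVersions.ps1 -Nodes adfs1.corp.example, adfs2.corp.example` (placeholder names) on a farm whose AD FS version has no Get-AdfsFarmInformation cmdlet. A node that shows AdapterInGac = False is the one the loader error is coming from.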


Copyright Statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

Copyright ©2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
