Installing and Configuring Adfs for Mesdp on Demand

ZOHOCORP

Installing and configuring AD FS 2.0 to

work with ManageEngine SDP On-Demand Step by Step Guide

ManageEngine On-Demand

5/12/2011

This document contains the steps for installing and configuring AD FS 2.0 to work with ManageEngine

ServiceDesk Plus On-Demand.

Step by Step Guide to installing and configuring AD FS 2.0 with ManageEngine SDP On-Demand

2

Note: Screenshots contain the following:

Verified primary domain name: pmp.com

AD FS 2.0 installed on system: pmp-w2k8

Double-click the downloaded ADFSSetup.exe Click Next


3

Accept the License Agreement and click Next


4

Select 'Federation Server' and click Next


5

Click Next


6

'Un-Select' the checkbox 'Start the AD FS 2.0 ...' and then click 'Finish'


7

Go to C:\Program Files\Active Directory Federation Services 2.0 directory and edit the file “Microsoft.IdentityServer.ServiceHost.exe.config” using “wordpad”


8

Insert a line <generatePublisherEvidence enabled=”false” /> as seen above. Save and Exit wordpad


9

Double click on FsConfigWizard.exe


10

Select “Create a new Federation Service” and click “Next”


11

Select “Stand-alone Federation server” and click Next


12

Federation Service name will be shown by default based on the SSL Certificate installed on the IIS Server. Click 'Next'


13

If “Delete database” option is shown, then “Select” it and click 'Next


14

Click Next


15

The Wizard will complete the configuration as shown below.


16

Go to Start Menu → Administrative Tools → AD FS 2.0 Management


17

Right-click on 'AD FS 2.0' and click 'Edit Federation Service Properties'


18

Edit Federation Service name and identifier so as to not contain any domain component. For e.g., we have removed “pmp.com” domain component and have set the Federation service name and identifiers as just “pmp-w2k8”


19

Right click on 'Trust Relationships' and click on 'Add Relying Party Trust'


20

Click 'Start


21

Select “Enter data about the relaying party manually”


22

Type the Display name as “zoho.com”. Click Next


23

Select AD FS 2.0 profile and click Next


24

Click Next


25

1. Select “Enable support for the SAML 2.0 WebSSO protocol” 2. Enter the Relying party SAML 2.0 SSO service URL as : https://accounts.zoho.com/samlresponse/<your_verified_primary_domain> 3. Click Next


26

1. Enter the Relying party trust identifier as “zoho.com” 2. Click Add


27

Click Next


28

Select “Permit all users to access this Relying party” and click Next


29

Click Next


30

“Un-Select” the “Open the Edit Claim Rules...” checkbox and click Close


31

Right-click on zoho.com and click Properties


32

Click the “Advanced” tab and change the Secure hash algorithm as “SHA-1”


33

Right-click on zoho.com and click “Edit claim Rules”


34

In the “Issuance Transform Rules” tab click “Add Rule”


35

Select “Send Claims Using a Custom Rule” and click Next


36

Enter the Claim rule name as “windowsaccountname”. Copy paste the following code and click Finish c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = "sAMAccountName={0};mail;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);


37

Again click “Add Rule”


38

Select “Send Claims Using a Custom Rule” and click Next


39

Enter the Claim rule name as “email”. Copy paste the below code and click Finish c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue( Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");


40

Go to Certificates node. Right-click on the “Token-signing” certificate and click “Show Certificate”


41

Click the “Details” tab and click “Copy to File”


42

Click “Next”


43

Select “No, do not export the private key” and click Next


44

Select “Base-64 encoded X.509 (.CER)” and click Next


45

Give a file name where the certificate will be exported. Click Next. This certificated is later needed during SAML configuration.


46

Click Finish


47

Edit web.config present in C:\inetpub\adfs\ls directory


48

Make sure Forms Authentication is configured as the first one in <localAuthenticationTypes> and then Save the file


49

Logout.aspx

1. Open Notepad 2. Copy and paste the following code 3. File ---> Save As ---> C:\inetpub\adfs\ls\Logout.aspx <%@ Page Language="C#" %> <% Response.CacheControl="no-cache"; %> <% Response.AddHeader("Pragma","no-cache"); %> <% Response.Expires = -1; %> <% FormsAuthentication.SignOut(); int count = Request.Cookies.Count; for(int i = 0 ; i < count ; i++) { System.Web.HttpCookie obj = Request.Cookies[i]; obj.Expires = DateTime.Now.AddDays(-1); obj.Value = ""; obj.Path = "/adfs/ls"; Response.Cookies.Add(obj); } string serviceURL = Request["serviceurl"]; Response.Redirect(serviceURL); %>

Installing and Configuring Adfs for Mesdp on Demand

Documents

Transcript of Installing and Configuring Adfs for Mesdp on Demand