Liquidfiles SSO can be configured to work with Active Directory and AD FS server. LiquidFiles will work
as a Service Provider (SP) and AD FS server will represent Identity Provider (IdP). In this how-to AD FS
will be served by W2012 R2 server standard edition.
W2012 R2 standard
Active directory domain service
Certificate (or self signed certificate, which is used in this demo)
AD FS - Active Directory Federation Service implemented in the W2012 server
Optionally IIS* (I used IIS manager > your server > Server certificates tool to
generate self signed certificate for this how-to. When you have a signed certificate by some CA you don’t
need IIS and its tools)
Check your time and timeservers on your LF appliance and Windows server
NOTE to AD FS versions
Windows W2008 server supports AD FS 2.0. W2012 server supports AD FS 2.1. W2012R2 supports AD FS 3.0.
The implemented SAML version remains same on v2.0 for this mentioned windows servers.
From LiquidFiles perspective the configuration of SSO works same for all AD FS ver>=2.0 and principle
of configurations SAML2.0/SSO are quite similar on this Windows server releases.
*) In W2012R2 you do not need IIS with AD FS 3.0 everything is now stored in the file http.sys which
is based on the configuration/technology from TMG
1. W2012 R2 server preparation for SSO
At this point I expect you have set up Active directory domain, DNS and optionally IIS* services are
running. A certificate (or self signed certificate) should be installed as well.
1.1 Installation of AD FS instance
At first install AD FS instance on your server. Click Server Manager > Dashboard > Add roles and features Follow pictures from Pic. 1 to Pic. 9
1.2 Configuration of AD FS
In this part we provide a configuration of AD FS/SSO service as an IdP for SP which is a Liquidfiles
appliance. Open Server Managementand click AD FS > More >
Configure the federation service as showed on Pic. 10.
1.3. Adding a Relay Party Trust
At this point you should be ready to set up the AD FS connection with your Liquidfiles appliance.
The connection between ADFS and Liquidfiles is defined using a Relying Party Trust (RPT).
Select the Relying Party Trusts folder from AD FS Management
and add a new Standard Relying Party Trust from the Actions
sidebar. This starts the configuration wizard for a new trust. See Pic. 20
1.4 Creating claim rules
After adding the relying party trust, the wizard will ask you to configure the claim rules. You can also
reconfigure later by doing right click on the relying party section and selecting the menu
Edit Claim Rules. Click Add Rules and select
Send LDAP Attribute as Claims and select Active Directory
as Attribute store. Configure E-Mail-Addresses to map to Outgoing claim type
E-Mail Address. (follow Pictures Pic. 32 – 33)
Optionally you can pass Given-Name and Surname from AD
to LiquidFiles appliance. When users are logged in first time their accounts are created with this credentials
as well. LiquidFiles is expecting Given-Name and Surname
parameters in the mappings as User.FirstName and User.LastName.
Next select Transform an Incoming Claim as the claim rule template to use. Give
it a name such as NameID. Incoming claim type should be
E-mail Address (it must match the Outgoing Claim Type in rule #1.
The Outgoing claim type is Name ID (this is requested in ServiceNow policy
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and the Outgoing name ID
format is Email. Pass through all claim values and click Finish.
(See Pic. 34 - 36)