
SAML Configuration for Microsoft AD FS

LAST UPDATED: DEC 02, 2024

Overview

This guide provides step-by-step instructions for configuring SAML authentication between Microsoft Active Directory Federation Services (AD FS) and D3 vSOC. It includes setting up the SAML app in Microsoft AD FS, creating and assigning users, and enabling login via Microsoft AD FS to D3 vSOC.

Prerequisites

To enable single sign-on (SSO) through AD FS, follow these steps:

Procedure

Configuring SAML in Microsoft AD FS

  1. Navigate to the Control Panel within the AD server, then click on the System and Security category.

  2. Click on the Administrative Tools sub-category.

  3. Double-click AD FS Management. If it is not visible, refer to the Prerequisites section to ensure the AD FS service is installed correctly.

  4. Click on the Action menu, then click on the Add Relying Party Trust menu option.

  5. Ensure that the Claims aware radio option is selected, then click on the Start button.

  6. Select the Enter data about the relying party manually radio option, then click on the Next button.

  7. Input an appropriate name for the SAML application.

  8. Click on the Next button.

  9. Select the checkbox labeled Enable support for the SAML 2.0 WebSSO protocol, enter the D3 login URL in the Relying party SAML 2.0 SSO service URL field (ensuring it includes Login.aspx), then click the Next button.

  10. Enter the D3 vSOC login URL into the Relying party trust identifier field (excluding Login.aspx), then click the Add button.

  11. Click on the Next button.

  12. Click on an access control policy in the Access Control Policy setting to restrict access, then click on the Next button. By default, access is permitted for everyone.

  13. Click on the Next button.

  14. Click on the Close button to finish. The Edit Claim Issuance Policy for <SAML Application Display Name> popup opens.

Alternate Method to Access the Edit Claim Issuance Policy for <SAML Application Display Name> Popup

The Edit Claim Issuance Policy for <SAML Application Display Name> popup can also be accessed through the Relying Party Trusts folder.

  1. Click on the Relying Party Trusts folder.

  2. Select the application for which the claim issuance policy needs to be edited.

  3. Click on the Edit Claim Issuance Policy option on the right.

  15. Click on the Add Rule button within the Edit Claim Issuance Policy for <SAML Application Display Name> popup.

  16. Select Send LDAP Attributes as Claims for the Claim rule template, then click on the Next button.

  17. Enter a claim rule name, select Active Directory as the attribute store, then map the User-Principal-Name LDAP attribute to the Name ID outgoing claim type.

  18. Click on the Finish button.

  19. Click on the OK button to close the pop-up window.

  20. View the token-signing certificate.

    1. Click on the Service folder under AD FS.

    2. Click on the Certificates folder.

    3. Right-click on the certificate under the Token-signing section.

    4. Click on the View Certificate option within the popup.

  21. Click on the Details tab.

  22. Click on the Copy to File button.

  23. Click on the Next button.

  24. Select the Base-64 encoded X.509 (.CER) radio option, then click on the Next button.

  25. Select a file path to export the certificate, then click on the Next button.

  26. Click on the Finish button.

  27. Open the certificate at the saved path.
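
The AD FS side of this procedure (creating the relying party trust, the User-Principal-Name to Name ID claim rule, and the Base-64 export of the token-signing certificate) can be scripted with the AD FS PowerShell module. The script below is an added example, not part of the D3 guide or D3's own tooling; the <d3-host> and <path> placeholders, the trust name and the export path are assumptions to replace with your own values.

```powershell
# Added example: scripts the relying party trust the wizard builds above.
# <d3-host> and <path> are placeholders for your D3 vSOC host and application path.
Import-Module ADFS

$d3Base    = "https://<d3-host>/<path>/VSOC/"            # trust identifier (login URL without Login.aspx)
$d3Login   = "https://<d3-host>/<path>/VSOC/Login.aspx"  # SAML 2.0 WebSSO service URL (with Login.aspx)
$trustName = "D3 vSOC"                                   # display name for the SAML application (assumed)

# Claim rule in AD FS claim rule language: the same rule the "Send LDAP Attributes
# as Claims" template generates when userPrincipalName is mapped to Name ID.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Assertion consumer endpoint for the WebSSO profile (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $d3Login -Index 0

# "Permit everyone" is the wizard default; pick a group-based policy to restrict access.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $d3Base `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName "Permit everyone"

# Export the primary token-signing certificate as Base-64 encoded X.509 (.CER) for D3.
# Export-Certificate only writes DER, so the PEM wrapper is built by hand (76-column lines).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem     = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`r`n-----END CERTIFICATE-----"
Set-Content -Path "C:\temp\adfs-token-signing.cer" -Value $pem -Encoding ASCII   # export path assumed

# Sanity check: confirm the trust is enabled and record when the signing certificate
# expires, since D3 needs the new certificate whenever AD FS rolls it over.
Get-AdfsRelyingPartyTrust -Name $trustName | Select-Object Name, Identifier, Enabled
"Token-signing certificate expires: $($signing.Certificate.NotAfter)"
```

AD FS rotates its token-signing certificate automatically by default, so the expiry printed at the end is the date by which the certificate uploaded to D3 vSOC must be replaced.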

READER NOTE

Before proceeding, ensure that you have:

  • Created D3 user accounts (Organization Management > Users > + Add Users)

  • Reviewed the procedure for adding a new login method. Your new Microsoft AD FS SAML login method must be assigned to the appropriate D3 user accounts (Application Settings > Login Authentication > Users) after step 28 below.

  28. Input the certificate into D3 vSOC.

  29. Input the Target URL into D3 vSOC. It is a URL in the following format:
    https://<domain>/adfs/ls/idpinitiatedsignon.aspx

  30. Input the Assertion Consumer Service URL into D3 vSOC. This is the D3 login URL in the following format:
    https://<domain>/<path>/VSOC/Login.aspx


Logging in to D3 vSOC via Microsoft AD FS

  1. Navigate to https://<domain>/adfs/ls/idpinitiatedsignon.aspx.

  2. Sign in.


After successfully logging in to Microsoft AD FS, the user will be redirected to D3 vSOC.
