Using ADFS as Primary Authentication into Bitium

Active Directory Federation Services (ADFS) can be used as Primary Authentication into Bitium.

To do this:

  • Add a Relying Party Trust
  • Edit the Claim Rules for the Relying Party Trust
  • Edit the Claim Rules for the Claims Provider
  • Export the Certificate
  • Configure Bitium SAML Primary Authentication Configuration

In ADFS:

  1. To get started, go to Action -> Add Relying Party Trust.

  2. From here, click “Start”.

  3. Add a Relying Party Trust: Select “Enter data about the relying party manually”, then click “Next”.

  4. Enter a Display name for the Relying Party Trust. You can choose any name, but it is best to give it a meaningful name like “Bitium”. Then click “Next”.

  5. Select “AD FS profile”, then click “Next”.

  6. Skip the Configure Certificate selection screen and click “Next”.

  7. Check “Enable support for the SAML 2.0 WebSSO protocol” and enter the URL from the Bitium SAML Configuration form (Example: https://www.bitium.com/2665/users/sign_in). Note: To find this URL, log in to Bitium and go to Admin -> Settings -> Primary Authentication -> “Add New Form of Authentication” -> Select “SAML”. Find the URL labeled “Assertion Consumer Service URL”.

  8. Add a Bitium identifier, for example: www.bitium.com/2665.

  9. Choose not to configure multi-factor authentication at this time and click “Next”.

  10. Select “Permit all users to access this relying party”, then click “Next”.

  11. Review your settings and click “Next”.

  12. You can now click “Close”. You can either continue straight on to edit the Claim Rules or do that later.

  13. Edit the Claim Rules for the Relying Party Trust: Right-click the relying party trust that was created in the first step (above) and click “Edit Claim Rules”, then click “Add Rule”.

  14. Select “LDAP Attributes as Claims”, then click “Next”.

  15. Enter “LDAP Attributes” as the Claim rule name and select “Active Directory” as the Attribute Store. Select “E-Mail-Addresses” as the LDAP Attribute and “E-Mail Address” as the Outgoing Claim Type. Select “Given-Name” as the LDAP Attribute and “Given Name” as the Outgoing Claim Type. Select “Surname” as the LDAP Attribute and “Surname” as the Outgoing Claim Type. Click “Finish”.

  16. Click “Add Rule” again.

  17. Select “Transform an Incoming Claim”, then click “Next”.

  18. Enter “Name ID Transform” as the Claim rule name. Select “E-Mail Address” as the Incoming claim type. Select “Name ID” as the Outgoing claim type. Select “Email” as the Outgoing name ID format. Click “Finish”.

  19. Click “Ok”.

  20. Edit the Claim Rules for the Claims Provider: In the AD FS Management window, expand “Trust Relationships”, select “Claims Provider Trusts”, then click “Add Rule”. Select “Pass Through or Filter an Incoming Claim” as the Claim rule template and click “Next”.

  21. Enter “Name ID Rule” as the Claim rule name. Select “Name ID” as the Incoming claim type. Select “Email” as the Incoming name ID format. Click “Finish”.

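The relying party trust and claim rules that steps 1 through 21 build in the wizard, as an added example using the AD FS PowerShell module on the AD FS server (example code, not from the Bitium article). The display name, identifier and Assertion Consumer Service URL are the article's example values; replace them with your own.

```powershell
# Added example: create the Bitium relying party trust and its claim rules from PowerShell.
# Assumed values (from the article's examples): name "Bitium", identifier www.bitium.com/2665,
# ACS URL https://www.bitium.com/2665/users/sign_in.
Import-Module ADFS

$rpName     = 'Bitium'
$identifier = 'www.bitium.com/2665'                          # relying party identifier (step 8)
$acsUrl     = 'https://www.bitium.com/2665/users/sign_in'    # Assertion Consumer Service URL (step 7)

# Issuance transform rules in the claim rule language the wizard generates.
# Rule 1 (steps 14-15): send mail, givenName and sn from Active Directory as the three claim types
# Bitium reads. Rule 2 (steps 17-18): turn the e-mail claim into a Name ID in the emailAddress format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule equivalent to "Permit all users to access this relying party" (step 10).
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# SAML 2.0 WebSSO endpoint (step 7): Bitium receives the assertion over HTTP POST.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $identifier -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Pass-through rule on the Active Directory claims provider trust (steps 20-21), appended to the
# existing acceptance rules so nothing already configured there is replaced.
$cptRule = @'

@RuleTemplate = "PassThroughClaims"
@RuleName = "Name ID Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(claim = c);
'@
$cpt = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + $cptRule)

# Check the result: the trust should list the identifier, the ACS endpoint and both transform rules.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```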
  22. Export the Certificate: In the “AD FS Management” window, right-click the Token-signing certificate and click “View Certificate”. Go to the Details tab and click “Copy to File”. The wizard starts; click “Next”. Select “DER encoded binary X.509 (.CER)” as the format, then click “Next”. Choose a location to save your certificate by clicking “Browse”, select the location, then click “Next”. Click “Finish” to end the wizard, and click “Ok” when the export succeeds. Use OpenSSL tools or an online SSL service like SSL Shopper (sslshopper.com) to convert the certificate from DER format to PEM format (https://www.sslshopper.com/ssl-converter.html). Select your certificate by clicking the “Browse” button. Select “DER/Binary” in the Type of Current Certificate drop-down menu. Select “Standard PEM” in the Type to Convert To drop-down menu. Click “Convert Certificate”. Open your certificate with a text editor and copy the certificate text to your clipboard.
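The certificate export and DER-to-PEM conversion of step 22 done entirely on the AD FS server, as an added example (not from the Bitium article), so the conversion needs neither OpenSSL nor a third-party web converter; the output path is an assumption.

```powershell
# Added example: write the primary AD FS token-signing certificate to a PEM file and show the
# values to verify before pasting it into Bitium. Assumed output path: C:\Temp\adfs-token-signing.pem
Import-Module ADFS

$outPath = 'C:\Temp\adfs-token-signing.pem'

# During a certificate rollover Get-AdfsCertificate returns two token-signing certificates;
# only the primary one signs assertions today, so export that one.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert = $tokenSigning.Certificate    # X509Certificate2

# RawData is the DER encoding (what the "DER encoded binary X.509 (.CER)" export writes).
# PEM is the same bytes, base64 encoded in 64-character lines between BEGIN/END markers.
$base64 = [Convert]::ToBase64String($cert.RawData)
$lines = for ($i = 0; $i -lt $base64.Length; $i += 64) {
    $base64.Substring($i, [Math]::Min(64, $base64.Length - $i))
}
$pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $outPath -Value $pem -Encoding Ascii

# Equivalent with OpenSSL, if a .cer file was exported from the console instead:
#   openssl x509 -inform der -in token-signing.cer -out token-signing.pem

# What to check before saving the configuration in Bitium: the thumbprint must match the one
# shown for the Token-signing certificate in the AD FS console, and NotAfter tells you when the
# certificate rolls over, at which point the PEM stored in Bitium has to be replaced.
[pscustomobject]@{
    Subject    = $cert.Subject
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    PemFile    = $outPath
}
```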

  23. Configure Bitium SAML Primary Authentication Configuration: Log in to Bitium and go to “Manage [ORG]” -> Directories -> “SAML”. Enter your IdP SSO Target Url (typically your ADFS server domain with /adfs/ls appended. Example: https://adfs.thedemoco.com/adfs/ls). Select “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress” as the Name Identifier format. Paste your certificate text into the X.509 Certificate field. Enter the appropriate User email attribute (default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress). Enter the appropriate User first name attribute (default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname). Enter the appropriate User last name attribute (default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname). Click “Save”.