Using ADFS as Primary Authentication into Bitium
Active Directory Federation Services (ADFS) can be used as Primary Authentication into Bitium.
To do this:
- Add a Relying Party Trust
- Edit the Claim Rules for the Relying Party Trust
- Edit the Claim Rules for the Claims Provider
- Export the Certificate
- Configure Bitium SAML Primary Authentication Configuration
To get started, go to Action -> Add Relying Party Trust.
From here, click “Start”.
Add a Relying Party Trust: Select “Enter data about the relying party manually”, then click “Next”.
Enter a Display name for the Relying Party Trust. You can choose any name, but it’s best to give it a meaningful one such as “Bitium”, then click “Next”.
Select “AD FS profile”, then click “Next”.
Skip the Configure Certificate selection screen and click “Next”.
Check “Enable support for the SAML 2.0 WebSSO protocol” and enter the URL from the Bitium SAML Configuration form (Example: https://www.bitium.com/2665/users/sign_in). Note: To find this URL, log in to Bitium and go to Admin -> Settings -> Primary Authentication -> “Add New Form of Authentication” -> Select “SAML”, then find the URL labeled “Assertion Consumer Service URL”.
Add a Bitium identifier, for example: www.bitium.com/2665.
Choose not to configure multi-factor authentication, then click “Next”.
Select “Permit all users to access this relying party”, then click “Next”.
Review your settings and click “Next”.
You can now click “Close” and either continue straight on to editing the Claim Rules or do that later.
Edit the Claim Rules for the Relying Party Trust: Right click on the relying party trust created in the first step (above) and click “Edit Claim Rules”, then click “Add Rule”.
Select “LDAP Attributes as Claims”, then click “Next”.
Enter “LDAP Attributes” as the Claim rule name and select “Active Directory” as the Attribute Store. Select “E-Mail-Addresses” as the LDAP Attribute and “E-Mail Address” as the Outgoing Claim Type. Select “Given-Name” as the LDAP Attribute and “Given Name” as the Outgoing Claim Type. Select “Surname” as the LDAP Attribute and “Surname” as the Outgoing Claim Type. Click “Finish”.
Click “Add Rule” again.
Select “Transform an Incoming Claim”, then click “Next”.
Enter “Name ID Transform” as the Claim rule name. Select “E-Mail Address” as the Incoming claim type. Select “Name ID” as the Outgoing claim type. Select “Email” as the Outgoing name ID format. Click “Finish”.
Edit the Claim Rules for the Claims Provider: In the AD FS Management window, expand “Trust Relationships” and select “Claims Provider Trusts”, then click “Add Rule”. Select “Pass Through or Filter an Incoming Claim” as the Claim rule template and click “Next”.
Enter “Name ID Rule” as the Claim rule name. Select “Name ID” as the Incoming claim type. Select “Email” as the Incoming name ID format. Click “Finish”.
Export the Certificate: In the “AD FS Management” window, right click on the Token-signing certificate and click “View Certificate”.
Go to the Details tab and click “Copy to File”. When the wizard starts, click “Next”.
Select “DER encoded binary X.509 (.CER)” as the format, then click “Next”.
Choose where to save your certificate by clicking “Browse”, select the location, then click “Next”.
Click “Finish” to end the wizard, then click “OK” once the export reports success.
Use OpenSSL or an online SSL service such as SSL Shopper (https://www.sslshopper.com/ssl-converter.html) to convert the certificate from DER format to PEM format. On SSL Shopper: select your certificate with the “Browse” button, select “DER/Binary” in the Type of Current Certificate drop-down menu, select “Standard PEM” in the Type to Convert To drop-down menu, then click “Convert Certificate”.
Open the converted certificate in a text editor and copy its text to your clipboard.
Configure Bitium SAML Primary Authentication Configuration: Log in to Bitium and go to “Manage [ORG]” -> Directories -> “SAML”.
Enter your IdP SSO Target Url (typically your ADFS server domain with /adfs/ls appended. Example: https://adfs.thedemoco.com/adfs/ls).
Select “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress” as the Name Identifier format.
Paste your certificate into the X.509 Certificate field.
Enter the appropriate User email attribute (default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).
Enter the appropriate User first name attribute (default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname).
Enter the appropriate User last name attribute (default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname).
Click “Save”.
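The ADFS-side steps above (the relying party trust, its two claim rules, the permit-all authorization rule and the token-signing certificate export) as one PowerShell script; this is an added example, not part of the Bitium guide. It uses the page's sample display name, identifier and Assertion Consumer Service URL, which you would replace with your own, and assumes the ADFS PowerShell module on the federation server.

```powershell
# Added example (not from the Bitium guide): scripts the GUI steps for the relying party
# trust, claim rules and certificate export. Run in an elevated session on the ADFS server.
Import-Module ADFS

$rpName = 'Bitium'                                       # Display name from the page
$rpId   = 'www.bitium.com/2665'                          # Relying party identifier from the page
$acsUrl = 'https://www.bitium.com/2665/users/sign_in'    # Assertion Consumer Service URL from the page

# Add a Relying Party Trust with SAML 2.0 WebSSO support (POST binding to the ACS URL)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpId -SamlEndpoint $acs

# Claim rules in the AD FS claim rule language, equivalent to the two GUI rules:
# 1. "LDAP Attributes": look up mail, givenName and sn in Active Directory
# 2. "Name ID Transform": re-issue the e-mail claim as a Name ID in Email format
$issuanceRules = @'
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleName = "Name ID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access this relying party"
$authzRules = @'
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules

# Export the primary token-signing certificate straight to PEM, so the DER file never has
# to be uploaded to a third-party converter; paste the file's contents into Bitium's
# X.509 Certificate field.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem     = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($der, 'InsertLineBreaks') +
           "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\adfs-token-signing.pem" -Value $pem
```

When the token-signing certificate rolls over (ADFS auto-certificate rollover enables a new primary), the certificate stored in Bitium stops matching the assertion signature, so re-run the export section and update Bitium's X.509 Certificate field before the old certificate expires.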