ADFS via SAML

Prerequisites

  1. You must have an Aerofiler subscription that supports ADFS via SAML integration and Aerofiler Support must have enabled the integration for your Account.

  2. You have provided Aerofiler with the URL to download the federation metadata.

  3. Aerofiler has provided you with an XML file, which is used in the steps below to configure your Relying Party Trust.

Details

  1. Open “AD FS Management”

  2. Add a new Relying Party Trust:

    1. Click “Add Relying Party Trust” in the Relying Party Trusts section, and configure with the following:

    2. “Claims aware”, then Next

    3. “Import data about the relying party from a file”, and load the file received from Aerofiler, then Next

    4. Enter a suitable Display Name and Notes if necessary, then Next

    5. Choose a relevant Access Control Policy for your organisation’s requirements, then Next

    6. In the “Ready to Add Trust” screen, go to Advanced and ensure SHA-256 is selected as the hash algorithm, then Next

    7. Ensure “Configure claims issuance policy for this application” is selected, then “Close”

  3. Configure Claim Issuance Policy

    1. The “Edit Claim Issuance Policy” window should open automatically; otherwise, in the Relying Party Trusts list, right-click the relying party object that you created and click Edit Claims Rules

    2. Add Name ID rule:

      1. In the Claim rule template list, select the “Transform an Incoming Claim” template, and then click Next.

      2. Name the rule

      3. Incoming Claim Type: UPN

      4. Outgoing Claim Type: Name ID

      5. Outgoing Name ID Format: Email

      6. Pass through all claim values (the default)

      7. Click Finish

    3. Click OK to finish creating the rule.

  4. Notify Aerofiler that the setup within your server is complete.

  5. Aerofiler will then enable ADFS via SAML login within your environment.

Appendix - UPN Does Not Match Aerofiler Email Address

If in your Active Directory the UPNs for users do not match the email addresses used as logins within Aerofiler and you wish to use the “E-mail” attribute of a user instead, configure the following rule in addition to the above rule:

Email Rule:

  1. In the Claim rule template list, select the “Send LDAP Attributes as Claims” template, and then click Next.

  2. Name the rule

  3. For Attribute Store, select your Active Directory store

  4. Add the following mapping:

    1. LDAP Attribute: E-Mail-Addresses

    2. Outgoing Claim Type: E-Mail Address

  5. Click Finish
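The same configuration can be scripted on the AD FS server with the ADFS PowerShell module. The following is an added example and is not Aerofiler's own code or part of the original guide: it mirrors the Relying Party Trust steps (import from the Aerofiler metadata file, choose an Access Control Policy, force SHA-256) and the "Transform an Incoming Claim" Name ID rule, and optionally appends the Appendix "Send LDAP Attributes as Claims" email rule. The metadata file path, display name, notes and access control policy name are placeholder assumptions; the claim type URIs and rule templates are the standard AD FS ones the GUI wizard generates.

```powershell
# Added example, not Aerofiler's code. Scripted equivalent of the GUI steps above.
# Placeholders (assumptions): metadata file path, display name, notes, policy name.
Import-Module ADFS

$MetadataFile = 'C:\Temp\aerofiler-sp-metadata.xml'   # XML file supplied by Aerofiler (placeholder path)
$TrustName    = 'Aerofiler'                            # placeholder display name
$Policy       = 'Permit everyone'                      # placeholder; use your organisation's policy

# Name ID rule: "Transform an Incoming Claim" template, UPN -> Name ID,
# Outgoing Name ID Format = Email, all claim values passed through (the default).
$NameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID (email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Appendix rule, only needed when the UPN differs from the Aerofiler login:
# "Send LDAP Attributes as Claims", store = Active Directory,
# LDAP attribute E-Mail-Addresses (mail) -> outgoing claim type E-Mail Address.
$EmailRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail to E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

$UpnMatchesEmail = $true   # set to $false to include the Appendix rule
$Rules = if ($UpnMatchesEmail) { $NameIdRule } else { $NameIdRule + "`n" + $EmailRule }

# Steps 2.1 to 2.7 in one call: import the relying party from the metadata file,
# apply the access control policy and select SHA-256 as the hash algorithm.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataFile $MetadataFile `
    -Notes 'Aerofiler SAML SSO' `
    -AccessControlPolicyName $Policy `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $Rules

# Check before notifying Aerofiler (step 4): confirm SHA-256 is in effect and
# that only the intended claim rules are issued to the relying party.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$Trust | Select-Object Name, Enabled, SignatureAlgorithm, AccessControlPolicyName
$Trust.IssuanceTransformRules
if ($Trust.SignatureAlgorithm -notmatch 'sha256') {
    Write-Warning "Trust '$TrustName' is not using SHA-256. Correct it with: Set-AdfsRelyingPartyTrust -TargetName '$TrustName' -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'"
}
```

Run this in an elevated PowerShell session on the AD FS server. The final Get-AdfsRelyingPartyTrust check is the part worth keeping even if the trust was created through the GUI: it shows the hash algorithm and the exact rule set that will be applied, so a trust left on SHA-1 or carrying an unintended extra rule is visible before the integration is switched on.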
