Efecte Secure Access - Customer instructions for ADFS configuration
Efecte Secure Access - Customer instructions for ADFS configuration
In this article is described instructions how Customer is be able to configure Active Directory (AD) to provide authentication functionalists for Efecte solutions end-users.
This configuration is usually implemented by Customer's AD specialist or Authentication specialist and this should not take more that half a day to implement and test.
Instructions are the same for all Efecte solutions, build on top of Efecte Service Management platform (like for example ITSM, IGA, HR etc.) and which are using Efecte Secure Access component for authentication.
Configure ADFS Authentication
Efecte Secure Access supports Single-Sign-On (SSO) by using ADFS (Active Directory Federation Services) authentication. This means that end-users don't have to sing-in to Efecte Solutions by adding user credentials (username + password), but instead they are authenticated automatically if user is logged in to the AD domain.
How to configure ADFS
1. Open ADFS console
2. Create a rule to Send LDAP Attributes as Claims
Good to Know
Using the Send LDAP Attributes as claims rule template in ADFS, Customer can create a rule that will select attributes from Lightweight Directory Access Protocol (LDAP) attribute store, such as AD, to send as claims to the relying party.
For example, Customer can use this rule template to create a Send LDAP Attributes as Claims rule that will extract attribute values for authenticated users from the displayName and telephoneNumber AD attributes and send those values as two (2) different outgoing claims.
Customer can also use this rule to send all the user's group memberships. If needed, only individual group memberships can be sent by using the Send Group Membership as a claim rule template.
Customer can use following procedure to create a claim rule with the ADFS Management snap-in.
3. Define the Role of the Claims Rule Language
Good to Know
The ADFS claim rule language acts as the administrative building block for the behavior of incoming and outgoing claims, while the claims engine acts as the processing engine for the logic in the claim rule language that defines custom rule.
For more information about Claim Engine, see
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-the-claims-engine
More information about the Role of the Claim Rule Language
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-the-claim-rule-language
4. Edit Rule for passing needed attributes to be sent to Efecte Secure Access
The last row (picture above) shows ADFS side configuration to pass group names to be used as a claim at Efecte Secure Access.