Set up ADFS for SAML
Jakarta
This procedure uses ADFS 2.0 and shows samportal.example.com as the ADFS website. Replace this with your ADFS website address.
Before you begin
Procedure
- Log into the ADFS 3.0 server and open the management console.
- Right-click Service and choose Edit Federation Service Properties.
- Confirm that the General settings match your DNS entries and certificate names.
- Browse to the certificates and export the Token-Signing certificate.
- Right-click the certificate and select View Certificate.
- Select the Details tab.
- Click Copy to File. The Certificate Export Wizard opens.
- Select Next.
- Ensure the No, do not export the private key option is selected, and then click Next.
- Select DER encoded binary X.509 (.cer), and then click Next.
- Select where you want to save the file and give it a name. Click Next.
- Select Finish. The instance requires that this certificate be in PEM format. You can convert this certificate using client tools or even online tools such as: SSL Shopper.
- Use the DER/Binary certificate that you just created, and export it in Standard PEM format.
Last Updated: June 15, 2017
Tags: Jakarta, Now Platform Administration, Platform Security
Set up the instance for ADFS
Jakarta
After you set up ADFS 2.0 or 3.0, set up the instance and SAML 2.0 settings to work with ADFS.
Before you begin
Procedure
- If not already active, contact Technical Support to activate the SAML 2.0 Single Sign-On plugin.
- Configure SAML 2.0, but when you install the IdP certificate, attach the PEM certificate you created when you Set up ADFS for SAML.
- Click Save.
- Verify that the Issue and Subject fields have values and that there are no errors. If an error occurs, open the saved PEM formatted certificate in Notepad and copy and paste the certificate into the PEM Certificate field.
- Verify that the SAML2SingleSignon_update1 installation exit is active.
- Continue the SAML 2.0 configuration.Note: When a certificate is updated on the ADFS server, you also need to upload an updated certificate to the instance.
Last Updated: June 15, 2017
Tags: Jakarta, Now Platform Administration, Platform Security
Configure an ADFS relying party
Jakarta
At this point you can take the instance metadata and import it into your ADFS server. However, manual configuration of the relying party appears to be easier to implement.
Before you begin
Procedure
- Navigate to SAML 2 Single Sign-on > Properties and verify that the SAML property Sign AuthnRequest (glide.authenticate.sso.saml2.require_signed_authnrequest) is not active. Only keep this property active if your ADFS administrator can verify that you require signed requests.
- Copy the metadata that you generated through the SAML 2 metadata link and save it to a file.
- Log into the ADFS server and open the management console.
- Select Relying Party Trusts.
- Select Add Relying Party Trust from the top right corner of the window.The add wizard appears.
- Click Start to begin.
- Use the Import File option to import the metadata file.
- Give it a display name such as ServiceNow and enter any notes you want.
- Select ADFS 3.0 Profile.
- Do not select a token encryption certificate. It will use the certificate that is defined on the service that has already been exported. Defining a certificate here will prevent proper communication with the instance.
- Do not enable any settings on the Configure URL.
- Enter the instance site to which you connected as the Relying Party trust identifier. In this case usehttps://company.service-now.com and click Add.
- Permit all users to access this relying party.
- Click Next and clear the Open the Claims when this finishes check box.
- Close this page. The new relying party trust appears in the window.
- Right-click on the relying party trust and select Properties.
- Browse to the Advanced tab and set the Secure hash algorithm to SHA-1.
- Browse to the Endpoints tab and add a SAML Assertion Consumer with a Post binding and a URL ofhttps://company.service-now.com/navpage.do.
Configure ADFS relying party claim rules
Jakarta
Edit the Claim rules to enable proper communication with the instance.
Before you begin
Procedure
- Log into the ADFS server and open the management console.
- Right-click the relying party trust and select Edit Claim Rules.
- Click the Issuance Transform Rules tab.
- Select Add Rules.
- Select Send LDAP Attribute as Claims as the claim rule template to use.
- Give the claim a name such as Get LDAP Attributes.
- Set the Attribute store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
- Select Finish.
- Select Add Rules.
- Select Transform an Incoming Claim as the claim rule template to use.
- Give the Claim a name such as Email to Name ID.
- Set the Incoming claim type to the Outgoing Claim Type in the previous rule. For example, E-Mail Address.
- Set the Outgoing claim type to Name ID and the Outgoing name ID format to Email.Note: These values must match the Name ID policy you define during SAML 2.0 configuration.
- Select Pass through all claim values.
This claim rule should look similar to the following rule language.c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
- Click Finish.
Create a SAML logout endpoint
Jakarta
Create a SAML logout endpoint to allow single logout.
Before you begin
About this task
Procedure
- Go to ADFS manager > Trust Relationships > Relying Party Trusts > properties.
- Under the Endpoints tab, click Add.
- Configure the settings:
- Endpoint Type: SAML Logout
- Binding: POST
- URL:
https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0
Test the ADFS configuration
Jakarta
Test your ADFS configuration to verify that it is properly functioning as an identity provider.
Before you begin
Role required: admin
Procedure
- Open an Internet Explorer browser.
- Navigate to your ADFS portal. For example,https://samportal.example.com/adfs/ls/idpinitiatedsignon.aspx.
This page contains a drop down list of all configured Relaying Party Trusts.
- Select the relaying party associated with your instance.
- Click Continue to Sign In.
If you have configured the SAML 2.0 external authentication properly, you should be automatically logged into the instance.
- To test a direct login URL, navigate tohttps://samportal.example.com/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://company.service-now.com.
No comments:
Post a Comment