AE initiated SSO with ADFS using SAML

ADFS Identity Provider supports OpenID Connect and SAML protocols. In the topic, you’ll learn the configurations to set up AutomationEdge SSO with ADFS using the SAML protocol. In addition, you’ll understand how to get the required parameters for AutomationEdge – Keycloak Single Sign-On Settings.

Get the following parameters from the IDP configuration:

• Identity Provider Metadata (store in descriptor.xml)
• Client ID
• Redirect URIs

In addition, for IDP SSO configurations you need:

• Keystore file, Keystore Alias, Keystore Password
• Certificate file (.crt)

Note:

To generate Self Signed or CA Certificate, see Keystore and Certificate Generation.

To configure ADFS for SAML:

1. In Windows Server 2016, go to the Server Manager section and click the Tools tab. In the Tools tab, select AD FS Management.

   

2. Under the ADFS folder, right-click on Relying Party Trusts and select Add Relying Party Trust….

   

3. In the Add Relying Party Trust Wizard:

   1. Click Claims aware and then click Start.

      

   2. In the Select Data Source section, select Enter data about the relying party manually and then click Next.

      

   3. In the Specify Display Name section, enter the display name for the relying party trust name, which will display after the configurations, and then click Next.

      
      Note:

      In the Configure Certificate section, click Next, as you’ll configure the certificate later.

   4. In the Configure URL section:

      • Select Enable support for the SAML 2.0 WebSSO protocol.
      • In service URL, enter the redirect URL. If you are using AE redirect URL, then ensure you are using https because ADFS needs secure communication. For example, https://Automationedge:Port/aeui/index.jsp.
      • Click Next.
      

   5. In the Configure Identifiers section, enter the same relying trust display name, and then click Add. The display name is added to the Relying party trust identifier field.

      

   6. Click Next. In the Choose Access Control Policy section, select the access control policy that you want to use. Select Permit everyone policy.

      

   7. Click Next. In the Ready to Add Trust section, review the settings and click Next.

      

   8. In the Finish section, as we still need to configure claims and upload a certificate, select Configure Claims issuance policy for the application checkbox.

      

   9. Click Close. The wizard is closed.

4. Add Claim Issuance Policy

   1. Add claims for the party trust. Highlight your party trust and click Edit Claim Issuance Policy.

      

   2. On the Issuance Transform Rules tab, click Add Rule. The Add Transform Claim Rule Wizard appears.

      

      • Rule 1

        In the Select Rule Template window, select Send LDAP Attributes as Claims from the Claim rule template list, and click Next.

        

        In the Attribute store list, select Active Directory and enter a name for the claim in Claim rule name box.

        

        Use the following attribute mapping:

        LDAP Attribute	Outgoing Claims
        User-Principal-Name	username
        E-Mail-Addresses	emailAddress
        Given-Name	firstName
        Surname	lastName

        Click Finish.

      • Rule 2

        Add another claim for the party trust. Follow step 4 (i) and (ii).

        In the Select Rule Template window, select Transform an Incoming Claim from the Claim rule template list, and click Next.

        

        Select the following field details:

        • Incoming claim type: UPN

        • Outgoing Claim type: Name ID

        • Outgoing name ID format: Transient Identifier

          

        Click Finish. You can see the two rules you created.

        
   Note:

   You can edit the rules, if required.

5. Upload RSA Certificate for Relying Party Trust

   1. Open the Windows Server Manager console and open the ADFS tool. Right-click on your Relying Party Trust and select Properties.

      

   2. Click the Signatures tab. In the tab view, click Add and browse for the RSA certificate.

      Note:

      To generate Self Signed or CA Certificate, see Keystore and Certificate Generation.

      

   3. The RSA certificate is uploaded and then click Apply. The certificate is applied.

      

6. Endpoints

   1. Click the Endpoints tab and click Add SAML....

      

   2. Select the endpoint type to SAML Logout, under binding go for post. Internally we are using post binding for logout requests.

      For the Trusted URL, create a URL using:

      • The web address of your AD FS server
      • The ADFS SAML endpoint you noted earlier
      • The string '?wa=wsignout1.0'

      For example, the URL can be: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0

      In the response URL section, specify the redirect after logout, for example, https://automationedge.port/aeui/logout.jsp

   3. Click OK. The Endpoints configuration appears as follows:

      

   4. Click Add WS-Federation.

      

   5. Add https://sso.yourdomain.tld/adfs/ls/ as a trusted URL and click OK.

      

   6. In the Advanced tab, make sure SHA-256 is specified as the secure hash algorithm.

      

7. Upload RSA certificate in AD FS:

   Note:

   To generate Self Signed or CA Certificate, see Keystore and Certificate Generation.

   1. On AD FS console lookout for Certificate and move on to Add Token Signing Certificate. Upload the certificate.

   2. If there are multiple certificates uploaded, mark an appropriate certificate as the primary certificate for signing. Right-click on the Certificate and select the option ‘Set as Primary’.

      

8. descriptor.xml:

   1. To get descriptor.xml, you need to open PowerShell and type the following command:

      Get-AdfsEndpoint

   2. Scroll a little and search for Protocol: Federation Metadata.

   3. Copy the Full URL and paste it into the browser for federation details. Copy the XML data into a file and save it as descriptor.xml.

   4. Single Sign-on configuration in AutomationEdge requires descriptor.xml.

      

9. Create User

   1. You may use an existing user or create a new user mapped with AutomationEdge user for SSO.

   2. In Windows Server Manager under Tools, select Active Directory Users and Computers.

      

   3. Configure the new user with General and Account tabs as displayed in the following image:

      

AutomationEdge SSO Configuration

1. Single Sign-On is configured under the AutomationEdge Settings tab, as follows:

   
   Note:

   To generate Self Signed or CA Certificate, see Keystore and Certificate Generation.

2. An AutomationEdge SSO user is visible as seen in the following image:

   

3. On the AutomationEdge login page, click Sign In with SSO.

4. Specify the organization code as follows:

   

5. It takes you to the ADFS login page the first time you log in.

6. The AE Home page appears after logging on.