Adding a Relying Party Trust for WS-Federation (AD FS)

Identity and Access Management Services, Release 3.0 (Platform: Other)
The following instructions refer to third-party software and are included for illustration purposes only. Detailed instructions on how to configure AD FS and use the Add Relying Party Trust Wizard are available from Microsoft.

Note:

The Hyland Identity Provider (IdP) does not support encrypted claims or tokens with AD FS. Configuring a Token Encryption Certificate on the Relying Party Trust for use with the Hyland IdP server is not supported.

  1. Access the Add Relying Party Trust Wizard on the AD FS server.
  2. Under data source configuration, select the option to enter data about the relying party manually.
  3. Name the trust with a specific name that clearly identifies what resource this trust is for.
  4. When prompted to choose an AD FS profile, select the latest available profile for your version of AD FS.
  5. Under URL configuration, select the option to enable support for the WS-Federation Passive protocol.
  6. Enter the URL of the Hyland IdP server as the relying party WS-Federation Passive protocol URL. For example, if the Hyland IdP server is installed as the identityprovider application under the https://server-018.mydomain.net domain, then the passive protocol URL is:
    https://server-018.mydomain.net/identityprovider
  7. Under identifiers configuration, add the same URL you configured as the relying party WS-Federation Passive protocol URL, but include the tenant in the path. For example, if the passive protocol URL is https://server-018.mydomain.net/identityprovider and the tenant is Company1, then the identifier URL is:

    https://server-018.mydomain.net/identityprovider/Company1

    Note:

    This value is case sensitive and must match exactly the URL value of the Realm configured for the provider on the Hyland IdP server.

  8. For the issuance authorization rules, permit all users to access this relying party.

    Note:

    AD FS 3.0 includes multi-factor authentication. Multi-factor authentication is supported by OnBase and there are currently no additional configuration steps needed to integrate multi-factor authentication with OnBase.

  9. After configuring the relying party, you must add a claim rule.

    Note:

    All listed claims must be configured with a claim rule in order to enable proper authentication.

  10. Select the Send LDAP Attributes as Claims rule template for the rule type.
  11. Give the claim rule a descriptive name.
  12. Select Active Directory as the attribute store.
  13. Use the following table to map the LDAP attributes to outgoing claim types:

    LDAP Attribute                      Outgoing Claim Type
    User-Principal-Name                 Name ID
    Display-Name                        Name
    E-Mail-Addresses                    E-Mail Address
    Token-Groups - Unqualified Names    Role
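The same trust created from the AD FS server's PowerShell console, as an added example that is not taken from Hyland's documentation or Microsoft's: it uses the ADFS module shipped with Windows Server 2012 R2 (AD FS 3.0), the host and tenant names from the steps above, and an assumed trust name of 'Hyland IdP - Company1'.

```powershell
# Added example (not Hyland's own code): scripted equivalent of wizard steps 1-13.
# Host name and tenant are the page's sample values; replace them for your site.
Import-Module ADFS

$idpHost    = 'https://server-018.mydomain.net/identityprovider'   # passive protocol URL (step 6)
$tenant     = 'Company1'                                           # tenant appended in step 7
$identifier = "$idpHost/$tenant"   # case sensitive; must equal the Realm configured on the Hyland IdP
$trustName  = 'Hyland IdP - Company1'   # assumed name; any descriptive name works (step 3)

# Step 8: issuance authorization rule that permits all authenticated users.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 10-13: one "Send LDAP Attributes as Claims" rule covering all four required claims.
# The LDAP attribute order in "query" must match the claim type order in "types".
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Hyland IdP claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";userPrincipalName,displayName,mail,tokenGroups;{0}",
          param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $identifier `
    -WSFedEndpoint $idpHost `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules `
    -EncryptClaims $false   # token encryption is not supported by the Hyland IdP (see the note above)

# Verify: the identifier matches the realm byte for byte and no token encryption is configured.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if ($rp.Identifier -cnotcontains $identifier) { throw 'Identifier does not match the realm exactly' }
if ($rp.EncryptClaims -or $rp.EncryptionCertificate) { throw 'Token encryption must be disabled for this trust' }
```

Run it in an elevated session on the AD FS server; the final checks catch the two misconfigurations the notes call out, a case mismatch against the Realm and an encryption certificate on the trust.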