Manually Configuring a WS-Federation (AD FS) Provider for Initial Use - Identity and Access Management Services - 3.2 - 3.2 - Other - external

Identity and Access Management Services

Platform
Other
Product
Identity and Access Management Services
Release
3.2
License

This section describes the steps required to manually configure a WS-Federation (AD FS) provider when initially setting up a Hyland IdP server. For additional configuration and ongoing maintenance, see the Configuring the Hyland IdP Server chapter in this module reference guide.

To initially configure a WS-Federation provider:

  1. First complete the main steps under Configuring the Hyland IdP Server for Use With Perceptive before attempting this procedure.
  2. Locate the provider block with the Type value of 5.
  3. Replace the entire Settings block with the following settings block:
    "Settings": {
    "Metadata": "",
    "Realm": "",
    "UserAttributeMapping": {
    "username": "",
    "email": "",
    "realName": "",
    "group": ""
    },
    "StripDomainFromUsername": false,
    "UserProvisioningEnabled": false
    }
    Note:

    Be sure to include the closing } when replacing the settings block.

  4. Update the values of the settings to match your environment:

    Setting

    Description

    Metadata

    Set this option to the URL used to access the metadata about the AD FS server.

    Note:

    This must be a valid URL, it cannot be a UNC path. If the URL used for the metadata value is not accessible, the AD FS provider will fail to load and cannot be used for authentication until the URL becomes accessible.

    Realm

    Set this option to the URL of the requesting realm, which identifies the relying party (RP) to the security token service (STS).

    This is the URL of the Hyland IdP server identified as the relying party on the AD FS server.

    For example, if the root address of the Hyland IdP server is https://server-018.mydomain.net/identityprovider and the tenant name is Company1, then the URL is:

    https://server-018.mydomain.net/identityprovider/Company1

    Note:

    This value is case sensitive and must match exactly the Relying Party Trust identifier URL on the AD FS server.

    UserAttributeMapping

    These settings are used to synchronize user attribute information.

    The schema definitions of the provider responses that contain the account declarations of the user logging in. The following attributes can be synchronized.

    • username: The URI of the claim type in the provider response that contains the user name of the user logging in.

    • email: The URI of the claim type in the provider response that contains the email address of the user logging in.

    • realName: The URI of the claim type in the provider response that contains the real name of the user logging in.

    • group: The URI of the claim type in the provider response that contains the group membership of the user logging in.

    StripDomainFromUsername

    Set this option to true to remove the domain from the user name before it is passed for authentication.

    This setting controls whether to automatically strip the domain from user names that are passed as either domain\username or username@domain. This is useful when providers use a full domain and user name but authenticating system only uses the user name.

    UserProvisioningEnabled

    Set this option to false for Perceptive environments.

  5. Save and close the idpconfig.json file.
  6. Recycle the application pool of the Hyland IdP server for the changes to take effect.