ADFS

This article outlines the configuration and setup process for Active Directory Federation Services (ADFS) in a Windows environment. ADFS enables secure federated identity and access management by sharing digital identities and entitlement rights across security and enterprise boundaries. It extends single sign-on capabilities to Internet-facing applications, ensuring a seamless and secure authentication experience.

This document includes prerequisites, configuration procedures for ADFS, Directory Services, Federation Services, and Relying Party Trusts, as well as initial login instructions and troubleshooting guidance for common deployment issues.

Purpose of the document

The purpose of this document is to provide clear, detailed, and professional guidance for configuring ADFS and DSFS to enable secure federated identity management and single sign-on (SSO) functionality for web-based applications.

Prerequisites

Requirement: ADFS Setup
Details: Active Directory Federation Services must be installed and operational.

Requirement: Windows Server Access
Details: Administrative privileges are required.

Ensure the server is up to date with the latest security patches before proceeding.

Directory Service Configuration

Create Domain Users

  1. Open Active Directory Users and Computers on the Windows server.

  2. Navigate to the domain and click User.

  3. Enter the required user details.

  4. Add an email address for the domain user.

  5. Click Apply, then OK.

  6. Organize users into groups as needed.

Federation Service Configuration

Access ADFS Management

  1. Open Administrative Tools from the Start menu.

  2. Click ADFS Management.

Download Federation Metadata

  1. Go to Service > Endpoints.

  2. Locate the metadata endpoint.

  3. Prefix the endpoint path with https:// and the ADFS server hostname or IP address.

Example:

https://<ADFS-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml
  4. Download the FederationMetadata.xml file.

The metadata URL must be accessible externally if required for integration with external systems.

Import Signing Certificate

  1. Obtain the signing certificate file ADFScert.cer.

  2. Import it into the Tomcat SAML keystore using:

keytool -importcert -trustcacerts -alias "adfs" -keystore "C:\path\to\cacerts" -file <path-to-adfs_onprem.cer>
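The signing certificate that gets imported above is the one ADFS publishes in FederationMetadata.xml. The following added example (not part of this guide or the product) parses the downloaded metadata with the Python standard library, skips the encryption key, extracts the signing certificate(s) with a SHA-256 fingerprint to compare against the ADFS console before trusting them, and writes them as PEM for keytool. The metadata, hostnames and certificate bodies are constructed placeholders; for metadata fetched over an untrusted network, swap ElementTree for defusedxml.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, for comparison with the ADFS console."""
    return hashlib.sha256(der).hexdigest()

def parse_adfs_metadata(xml_text: str) -> dict:
    """Extract entityID, the HTTP-POST SSO URL and the IdP signing certificates.
    Encryption keys are skipped: only signing certs belong in the SAML trust store."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding", "").endswith(":HTTP-POST"):
            sso_url = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means both
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))  # drop line folding
            certs.append({"der": der, "sha256": fingerprint(der)})
    return {"entity_id": root.get("entityID"), "sso_post_url": sso_url,
            "signing_certs": certs}

def to_pem(der: bytes) -> str:
    """Wrap DER as a PEM .cer file, the form keytool -importcert accepts."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample metadata; the certificate bodies are placeholder bytes, not real certificates.
FAKE_SIGNING_DER = b"constructed placeholder signing cert"
FAKE_ENCRYPTION_DER = b"constructed placeholder encryption cert"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.test/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
   <X509Certificate>{base64.b64encode(FAKE_ENCRYPTION_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
   <X509Certificate>{base64.b64encode(FAKE_SIGNING_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.test/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.test/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    info = parse_adfs_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["sso_post_url"])
    for c in info["signing_certs"]:
        print("signing cert SHA-256:", c["sha256"])
        print(to_pem(c["der"]), end="")  # redirect to ADFScert.cer for keytool
```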

Configure Oasis Properties

Property: samlHTTPMetadataProvider
Value: The appropriate ADFS metadata URL or metadata source

Property: entityBaseURL
Value: Application deployment path

File Location:

/home/<client>/path/to/extprop/oasis.properties
  • After updating, save the file.

Security Type Configuration

Windows Configuration

  1. Open tomcat9w.exe.

  2. Go to Java Options.

  3. Add the following parameter:

-DOVALEDGE_SECURITY_TYPE=saml

Linux Configuration

  1. Edit the setenv.sh file located at:

/home/<username>/tomcat_homepath/bin/setenv.sh
  2. Add:

export CATALINA_OPTS="-DOVALEDGE_SECURITY_TYPE=saml"
  3. Save the file and grant execute permission.

  4. Restart Tomcat.

A restart is required for changes to take effect.

Relying Party Trust (ADFS) Configuration

Add SAML Metadata

  1. Navigate to Relying Party Trust in ADFS.

  2. Click Start and add the SAML Metadata for the application.

  3. The metadata URL can be accessed as:

/home/<username>/tomcat_homepath/bin/setenv.sh
  4. Import the metadata and click Next.

  5. Specify the Display Name, and click Next.

  6. Select the Access Control Policy, and click Next.

  7. Click Next and finish the wizard.

Configure Advanced Settings

  1. Double-click the added Relying Party Trust to open its properties.

  2. Select the Advanced tab.

  3. Change Secure Hash Algorithm from SHA256 to SHA1. SHA-1 is a deprecated signature algorithm, so apply this only if the application cannot verify SHA-256-signed responses.

  4. Click Apply, then OK.

Edit Claim Issuance Policy

  1. Select the configured Relying Party Trust and click Edit Claim Issuance Policy.

  2. Click Add Rule to create a new rule.

  3. Leave the Claim Rule Template set to Send LDAP Attributes as Claims, and click Next.

  4. Specify the Claim Rule Name, and select Active Directory as the Attribute Store. Add the attributes as shown in the example mapping below and click Finish.

  5. Alternatively, the SAM-Account-Name attribute can be used if the required attribute is not available.

  6. Click Apply, then OK.

  7. Configure the attributes according to the application's requirements.

Example Attribute Mapping (LDAP Attribute -> Outgoing Claim Type):

  SAM-Account-Name -> Name ID
  E-Mail-Addresses -> E-Mail Address

Initial Login and Setup

  1. Access the application web URL through a browser.

  2. Log in using domain admin credentials.

Troubleshooting

Issue 1: No assertions found in the response

Solution:

  1. Open PowerShell on the ADFS server.

  2. Run:

Set-ADFSRelyingPartyTrust -TargetName <targetName> -SamlResponseSignature "MessageAndAssertion"

Replace <targetName> with the Display Name of the Relying Party Trust.
