Ideagen Luminate logo Ideagen Luminate logo
Navigation
Need help?
Send feedback
Sign in
This page does not meet FedRAMP security standards. Please avoid entering sensitive or classified information. Learn more
Learn more
Learn more

Looking for help?

Common queries

View all

Send us feedback

Before you start

This form is for Ideagen Luminate feedback only.

Your submission will not receive a response. To request solution support, open a ticket with us.

New article Recently updated

Setting up ADFS for integration

By Abi Davies
  • Last updated
⌘ K
Search this article
Print this article
Who is this article for?

IT Personnel who want to learn to set up ADFS for Lucidity integration.

Administrator permissions are required.

This guide helps IT Administrators set up Active Directory Federation Services (ADFS) for integration with Lucidity Software Products.

  1. Authentication
    1. Terminology
  2. ADFS setup process
  3. Troubleshooting
  4. Further reading

1. Authentication

  1. Normal Authentication: User enters username and password stored in Lucidity Access.

  1. ADFS Authentication:
    • Option 1: User clicks Login button.
      • Scenario A: User logged into network domain (automatic authentication).
      • Scenario B: User not logged in (enters domain credentials).

 

    • Option 2: User clicks Login with non-domain credentials.
      • Enters username and password stored in Lucidity Access.

Important: Users must be authenticated against the local network domain for ADFS to function. Usernames must match in both Active Directory and Lucidity Access. A non-domain login option is available for off-network access.

1.1. Terminology

  • IdP: Identity Provider
  • SP: Service Provider
  • Relying Party: Microsoft's terminology for SP
  • idp-instance-url: Web-accessible HTTPS path to ADFS IdP instance

Video: https://youtu.be/fwHIKlAPV0g

2. ADFS setup process

  1. Install AD CS (IdP)
    • Install Active Directory Certificate Service.
    • Create a Certificate Authority for the machine.
  2. Create a signing certificate
    1. Create a domain name (e.g., adfs.yourdomain.com).
    2. Use this as "Common name" and "Friendly name" in the certificate.
  3. Install AD DS (IdP)
    • Install Active Directory Domain Services.
    • Create a test user with username, password, email, and name.
  4. Install ADFS (IdP)
    • Download ADFS from Microsoft's website (http://www.microsoft.com/en-us/download/details.aspx?id=10909).
    • Install using AdfsSetup.exe (not via Server Roles).
    • Configure ADFS, ensuring the instance URL matches the friendly name
  5. Provide URL to Lucidity
    • Send the ADFS authentication URL to your Lucidity contact.
    • Lucidity will provide a URL for the next step.
  6. Add Relying Party (IdP)
    • Access the URL provided by Lucidity in Internet Explorer.
    • If you receive a certificate error, install the certificate to the Trusted Root Authority store.
  7. Copy Metadata
    • Copy the Entity ID URL from the SAML 2.0 SP Metadata section.
    • In ADFS console, add a new Relying Party Trust using this URL.
    • Complete the Relying Party wizard.
  8. Configure Claim Rules (IdP)
    • Edit Claim Rules for the new Relying Party
    • Add three Claim Rules:
      • Outbound LDAP claim:

Outbound LDAP Claim: c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,userPrincipalName,displayName;{0}", param = c.Value);
    • Unique Identifier (custom rule):

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
=> add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
    • Incoming transform:

c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
  1. Test Authentication
    • Navigate to the SimplesamlPHP URL provided by Lucidity.
    • Test login with the user created.

3. Troubleshooting

  • Ensure certificates match the specified URLs.
  • Verify that requests originate from and are sent to the exact addresses in metadata.
  • Use HTTPS for all requests.
  • Check that both the SimplesamlPHP URL and ADFS instance URL are trusted in IE settings.
  • For non-IE browsers or machines not on the ADFS domain, you may be prompted for user credentials.

4. Further reading

  •  

What do you think about this article?

Your feedback helps us improve

More articles in this section

Looking for more help? Ask the Community

On this page