Active Directory Federation Service (ADFS) Single Sign On for AWS Connect (v7)

eMite ADFS Integration Overview


Active Directory Federation Service (ADFS) gives users single sign-on access to the eMite Dashboard (the service provider, SP) through the client's own authentication web page hosted on their ADFS server (the identity provider, IdP), across organizational boundaries.

It uses a claims-based access-control authorization model to secure the application and to implement federated identity; eMite reads one extra claim (Group) to learn the user's group membership and derive their role. In ADFS, identity federation between two organizations is established by creating a trust between two security realms. ADFS is also widely used to integrate Active Directory with cloud applications. Because the ADFS server authenticates the user itself (pass-through authentication), users log in by typing their existing Active Directory ID and password; eMite only receives the signed token, never the password.

    

Prerequisites


  1. ADFS 3.0.
  2. TCP ports 80 and 443 must be reachable so that users' browsers can open the ADFS authentication page on the ADFS server. The sign-in itself runs over 443 (HTTPS); port 80 is only used for HTTP-to-HTTPS redirection.

  

ADFS Setup Process


1. Open Server Manager and click the AD FS Management tool in the Tools menu.

2. Add a Relying Party Trust.

 

3. Select "Enter data about the relying party manually" and press the "Next" button.

 

4. Type a display name.

5. Press "Next" on the optional token encryption certificate page (no certificate is required).

6. Tick "Enable support for the WS-Federation Passive protocol" and enter the "Relying party WS-Federation Passive protocol URL" provided by us (the URL is given with the link to this guide). The wizard uses this URL as the default relying party identifier.

7. Click "Next".

8. Press the "Next" button. Skip configuring MFA.

9. Review the settings and press the "Next" button.

10. Close the wizard.

11. Right-click the relying party trust you created and click "Edit Claim Issuance Policy". Press the "Add Rule" button.

12. Select "Send LDAP Attributes as Claims" as the rule template and press "Next".

13. Choose "Active Directory" as the "Attribute Store", and map the following LDAP attributes to the "Outgoing Claim Types":


LDAP Attribute                                  Outgoing Claim Type
SAM-Account-Name *                              Name
User-Principal-Name ***                         UPN
Token-Groups - Qualified by Long Domain Name ** Group

    * SAM-Account-Name is unique among all security principal objects within a single domain.

    ** Token-Groups - Qualified by Long Domain Name is required so that group names are unique across domains: each group is sent as <DNS domain name>\<group name> (for example corp.example.com\Dashboard Creators), and that is the value eMite matches against the groups you name below.

    *** User-Principal-Name is unique across all domains in the forest.
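The same relying party trust and claim rules can be created from the ADFS PowerShell module instead of the wizard, which is useful for reproducing the setup on a second ADFS farm or auditing an existing one. The script below is an added example written for this guide, not code from eMite or from the original page; the display name and the WS-Federation passive URL are placeholders and must be replaced with the values supplied with this guide. Run it in an elevated PowerShell session on the primary ADFS server.

```powershell
# Added example (not from the original guide): script the relying party trust and the
# claim issuance rules from the setup steps above with the ADFS module shipped with ADFS 3.0.
# ASSUMPTIONS: $DisplayName is an arbitrary name; $WsFedUrl is a placeholder for the
# "Relying party WS-Federation Passive protocol URL" that eMite provides.
Import-Module ADFS

$DisplayName = 'eMite Dashboard'                        # assumed display name
$WsFedUrl    = 'https://dashboard.example.com/emite/'   # placeholder, replace with eMite's URL

# Claim rule language equivalent of the LDAP attribute mapping table:
#   SAM-Account-Name                             -> Name
#   User-Principal-Name                          -> UPN
#   Token-Groups - Qualified by Long Domain Name -> Group  (sent as domain.fqdn\GroupName)
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "eMite LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";sAMAccountName,userPrincipalName,tokenGroups(longDomainQualifiedName);{0}",
          param = c.Value);
'@

# Issuance authorization: the wizard's default "Permit all users to access this relying party".
# eMite decides the role from the Group claim, so authorization is left to the application here.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-AdfsRelyingPartyTrust -Name $DisplayName) {
    throw "A relying party trust named '$DisplayName' already exists; edit it instead of re-adding it."
}

# Like the wizard, use the WS-Federation passive URL as the relying party identifier.
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Identifier $WsFedUrl `
    -WSFedEndpoint $WsFedUrl `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules

# Verify the result; the Identifier shown here is one of the values eMite asks for.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled, IssuanceTransformRules
```

To check an existing trust that was created with the wizard, run only the final `Get-AdfsRelyingPartyTrust` line and compare its `IssuanceTransformRules` output with the rule text above; a trust whose query uses plain `tokenGroups` instead of `tokenGroups(longDomainQualifiedName)` will send unqualified group names that eMite cannot match reliably across domains.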

    

Data to be sent to eMite


Please collect the information below and enter it into the form in step "2.3 Send Data to eMite".

Federation Service Identifier

In the AD FS Management console, right-click the "AD FS" node and open "Edit Federation Service Properties". The "Federation Service identifier" is shown in that dialog.


Relying Party Identifier

Click "Relying Party Trusts", then right-click the trust you created in the previous section and open its properties.


The "Relying Party Identifier" is listed on the "Identifiers" tab.


Certificate Thumbprint

Click "Certificates", then right-click the "Token-signing" certificate and view it.


The Thumbprint is shown at the bottom of the "Details" tab. Use the primary token-signing certificate: it is the only one that signs tokens, and eMite validates tokens against this thumbprint, so it must be resent whenever the certificate is rolled over.


Dashboard Creator UserGroup

The AD group whose members should receive the eMite "DashboardCreator" role.


Dashboard Viewer UserGroup

The AD group whose members should receive the eMite "DashboardViewer" role.
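The three ADFS-side values above can be read with the ADFS PowerShell module rather than copied out of dialogs, which avoids transcription mistakes in the thumbprint. The script below is an added example for this guide, not eMite's own tooling; the only assumption is the display name of the relying party trust you created in the setup steps. It also warns about the two conditions that will make the thumbprint you send go stale: automatic certificate rollover, and a secondary token-signing certificate that is already staged for promotion.

```powershell
# Added example (not part of the original guide): collect the Federation Service Identifier,
# Relying Party Identifier and token-signing thumbprint for the "Send Data to eMite" form.
# Run in an elevated session on the primary ADFS server.
# ASSUMPTION: $DisplayName is the display name you typed into the relying party trust wizard.
Import-Module ADFS
$DisplayName = 'eMite Dashboard'   # assumed display name

$props = Get-AdfsProperties
$trust = Get-AdfsRelyingPartyTrust -Name $DisplayName
if (-not $trust) { throw "Relying party trust '$DisplayName' not found." }

# Only the primary token-signing certificate signs tokens, so that is the thumbprint to send.
$signing = Get-AdfsCertificate -CertificateType Token-Signing
$primary = $signing | Where-Object { $_.IsPrimary }

$data = [pscustomobject]@{
    'Federation Service Identifier' = $props.Identifier.ToString()
    'Relying Party Identifier'      = ($trust.Identifier -join ', ')
    'Certificate Thumbprint'        = $primary.Certificate.Thumbprint
    'Certificate Expires'           = $primary.Certificate.NotAfter
}
$data | Format-List

# Caveat 1: with AutoCertificateRollover on, ADFS generates and promotes a new token-signing
# certificate on its own schedule, after which the thumbprint sent to eMite no longer
# validates tokens. Plan to resend the new thumbprint before the promotion date.
if ($props.AutoCertificateRollover) {
    Write-Warning ("AutoCertificateRollover is enabled (CertificateGenerationThreshold = {0} days, " +
                   "CertificatePromotionThreshold = {1} days). Resend the thumbprint to eMite at rollover." `
                   -f $props.CertificateGenerationThreshold, $props.CertificatePromotionThreshold)
}

# Caveat 2: a secondary token-signing certificate is already staged; send only the primary
# thumbprint now and schedule an update for when the secondary is promoted.
$secondary = $signing | Where-Object { -not $_.IsPrimary }
if ($secondary) {
    Write-Warning ("A secondary token-signing certificate is staged (thumbprint {0}); " +
                   "it will replace the primary when promoted." -f $secondary.Certificate.Thumbprint)
}
```

Copy the values from the `Format-List` output into the form; the two AD group names are chosen by you and must match the `domain.fqdn\GroupName` form that the Token-Groups claim produces.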