PhenixID

Step by Step – PhenixID Authentication Services as ADFS Claims Provider

Summary

This document will guide you through the steps to add PhenixID Authentication Services as an additional Claims Provider to Microsoft ADFS. This is useful for replacing the sign-in method in ADFS with a non-ADFS-standard sign-in method, such as national e-identities, a mobile authentication app, or username and token.

System Requirements

  • PhenixID Authentication Server 2.0 or higher
  • Microsoft ADFS installed
  • The end user client (web browser) must be able to reach PhenixID Authentication Services and ADFS over https (443).

Instruction

Overview

This document will guide you through the steps to add PhenixID Authentication Services as an additional Claims Provider to ADFS.

PhenixID Server acting as SAML IdP

  1. Login to Configuration Manager
  2. Scenarios->Federation
  3. Setup PhenixID Authentication Services as a SAML IdP using one of the scenarios available.
    (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
  4. Then export your SAML IdP metadata by going to the URL:
    https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
    and download the metadata to a xml file.

Configure ADFS

Add claims provider

We will add a claims provider by importing the SAML metadata. Two rules will be configured for the claims provider.

  1. Start AD FS Management
  2. Click Trust Relationships/Claims Provider Trusts
  3. Right click and choose “Add Claims Provider Trust…”
  4. Choose a method to import your metadata
  5. Set Display name = “PhenixID IdP”, then click Next
  6. Click next until close

Add issuance rule

  1. Right-click the newly added Claims Provider
  2. Select “Edit claims rules”
  3. Click Add rule
  4. Template, “Pass Through or Filter an Incoming Claim”
  5. Set a rule name = “Name ID”
  6. “Incoming claim type” = Name ID
  7. “Incoming name ID format” = Unspecified
  8. Finish

Export metadata from ADFS

  1. Open a web browser and go to the URL:
    https://<adfs_domain>/FederationMetadata/2007-06/FederationMetadata.xml
  2. Save data to file (in this example we will refer to the name adfs_demo_FederationMetadata.xml)

Import metadata to IdP

  1. Open PhenixID Configuration Manager and login
  2. Go to Scenarios->Federation
  3. Click the plus next to SAML Metadata upload
  4. Enter a display name = “ADFS”
  5. Upload the file downloaded in the previous step (adfs_demo_FederationMetadata.xml)

Test

  1. Open a web browser
  2. https://<adfs_domain>/adfs/ls/idpinitiatedsignon.
  3. Click “Sign in”
  4. You should now be redirected to PhenixID Authentication Services
  5. Authenticate
  6. You should now be redirected back to ADFS
  7. ADFS should now display “You are signed in” (text may differ depending on ADFS version running).

Control claim provider(s) to be used for different services (RPs) connected to ADFS

ADFS will by default always present Active Directory as a login option (Claims Provider). To control which Claim Provider(s) are presented for a specific application (RP), follow this instruction:

  1. Login to ADFS server (RDP)
  2. Open Powershell (as admin)
  3. Run this command to always associate the RP (in this example the RP name is RpExample) with PhenixID SAML IdP:
    Set-AdfsRelyingPartyTrust -TargetName "RpExample" -ClaimsProviderName @("PhenixID IdP")
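The same ADFS-side configuration done above through the GUI (Add claims provider, Add issuance rule) and the RP binding in this section can be scripted. The script below is an added example, not part of the PhenixID guide; it assumes the IdP metadata exported earlier was saved as C:\temp\phenixid_idp_metadata.xml and that the relying party is named RpExample as in the text, and it is run in an elevated PowerShell on the ADFS server.

```powershell
# Added example (not PhenixID's own script): scripts the ADFS steps of this guide.
# Assumptions: exported IdP metadata at C:\temp\phenixid_idp_metadata.xml, RP named "RpExample".
Import-Module ADFS

$cpName      = "PhenixID IdP"
$metadataXml = "C:\temp\phenixid_idp_metadata.xml"   # assumed path of the file from step 4
$rpName      = "RpExample"

# Equivalent of the GUI rule "Name ID" (template "Pass Through or Filter an Incoming Claim"):
# pass the Name ID claim through only when its format is Unspecified.
$nameIdRule = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(claim = c);
'@

# Create the claims provider trust from the exported metadata, or update the rule if it already exists.
if (-not (Get-AdfsClaimsProviderTrust -Name $cpName -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimsProviderTrust -Name $cpName -MetadataFile $metadataXml -AcceptanceTransformRules $nameIdRule
} else {
    Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $nameIdRule
}

# Associate the RP with the PhenixID IdP only, so Active Directory is not offered as a login option for it.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @($cpName)

# Checks: the trust should be enabled and carry a token-signing certificate from the metadata,
# and the RP should now list only the PhenixID IdP as claims provider.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
"{0}: Identifier={1}; SigningCerts={2}; Enabled={3}" -f $cp.Name, ($cp.Identifier -join ","), $cp.TokenSigningCertificates.Count, $cp.Enabled
(Get-AdfsRelyingPartyTrust -Name $rpName).ClaimsProviderName
```

If SigningCerts is 0 the metadata was imported without a signing certificate and SAML responses from the IdP will be rejected; re-export the metadata from the IdP and import it again.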

Serving claims to relying parties using OpenID Connect

When using PhenixID Authentication Services as a claims provider to ADFS in combination with relying parties connected to ADFS using OpenID Connect, please follow this guide.

Using claim rule “Send LDAP attributes as claims”

When using PhenixID Authentication Services as a claims provider to ADFS in combination with the claim rule Send LDAP attributes as claims, please follow this guide.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se