AD FS SSO Integration with SafeConsole (5.4+)
This article explains how to configure the SSO integration of a self-hosted Active Directory Federation Services (AD FS) server and SafeConsole.
AD FS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials. Installing AD FS is beyond the scope of this topic, but is detailed in a Microsoft KB article. For AD FS-based SSO, it is recommended to always check the AD FS logs in the Windows Event Viewer to locate error details. This guide follows the instructions for AD FS 4.0 (Server 2016), but similar steps should be possible on other versions.
Prerequisites
Administrator level access to SafeConsole (5.4+)
A server running Microsoft Server 2012+
AD FS environment ready for production
An SSL Certificate to sign your AD FS login page and the fingerprint for that certificate
Integration Guide
Part 1
Adding a new relying party trust
To add a new relying party trust by using the AD FS Management snap-in and manually configure the settings, perform the following procedure on a federation server.
Membership in Administrators, or equivalent, on the local computer, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.
1. In Server Manager, click Tools, and then select AD FS Management.
2. Under Actions, click Add Relying Party Trust.
3. On the Welcome page, choose Claims aware and click Start.
4. On the Select Data Source page, click Enter data about the relying party manually and click Next.
5. On the Specify Display Name page, type a name in Display name, under Notes type a description for this relying party trust, and then click Next.
6. Click Next.
7. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol check box. Under Relying party SAML 2.0 SSO service URL, type the Security Assertion Markup Language (SAML) service endpoint URL for this relying party trust, and then click Next.
URL Format: https://your-safeconsole-server.com/safeconsole/sso-login/acs
8. On the Configure Identifiers page, specify the identifier for this relying party, click Add to add it to the list, and then click Next.
9. On the Choose Access Control Policy page, select a policy and click Next. For more information about Access Control Policies, see Access Control Policies in AD FS. If you are unsure, choose Permit everyone; you can change the policy at a later time.
10. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.
11. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.
Part 2
Creating the Claim Trust Rules
1. Click Add Rule...
2. Create a Claim Rule Template. Select Send LDAP Attributes as Claims in the drop-down menu and then click Next.
3. Configure the rule to send the values of LDAP attributes as a claim.
Create the Claim rule name: “email”
Select the Attribute Store: “Active Directory”
Select the LDAP Attribute: “E-Mail-Addresses”
Select the Outgoing Claim Type: “Name ID”
4. Create another Claim Rule Template. Select Send Group Membership as a Claim in the drop-down menu and then click Next.
5. Configure the rule to send a claim based on a user’s Active Directory group membership.
Create the Claim rule name: “memberOf”
Select the User’s group: Select the group from your AD.
Select the Outgoing Claim Type: “memberOf”
Select the Outgoing Claim Value: “ADMINISTRATOR”
Part 3
Setting up the Relying Party Trust Properties
1. You will need to obtain the public signing certificate of your SafeConsole server. Log in to your console and navigate to Help > Quick Connection Guide > Legacy Devices. Click Server Certificate and the download will begin.
2. Click on the Signature tab within the properties of your Relying Party Trust. Click Add and navigate to the SafeConsole public signing certificate you downloaded in Step 1.
3. Click the Advanced tab and change the secure hash algorithm to SHA-1.
4. Click on the Endpoints tab and select Add SAML.
Select the Endpoint type: SAML Logout
Select the Binding: POST
Input the trusted URL: https://yoursafeconsoleserver.com/safeconsole/sso-logout
Input the Response URL: https://yoursafeconsoleserver.com/safeconsole/sso-logout
5. Verify that your AD FS Token-signing certificate appears under AD FS > Service > Certificates.
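Parts 1 to 3 can also be done from an elevated PowerShell session on the federation server with the ADFS module. The script below is an added example and not part of the SafeConsole documentation; it creates the same relying party trust, the same two claim rules (E-Mail-Addresses as Name ID, group membership as a memberOf claim with value ADMINISTRATOR), attaches the SafeConsole signing certificate, sets the SHA-1 signature algorithm the guide calls for, and adds the SAML logout endpoint. The console host name, the AD group name, the certificate path and the "Permit everyone" policy name are assumptions to replace with your own values; the identifier "safeconsole" is the Entity ID used in Part 4.

```powershell
# Added example (not from the SafeConsole documentation): builds the
# SafeConsole relying party trust from Parts 1-3 with the ADFS module.
# Placeholders to replace:
$ConsoleHost = "your-safeconsole-server.com"        # SafeConsole host name
$AdminGroup  = "CORP\SafeConsole Admins"            # AD group that should become ADMINISTRATOR
$SigningCert = "C:\Temp\safeconsole-signing.cer"    # certificate downloaded in Part 3, step 1

Import-Module ADFS

# Part 1 step 7 (assertion consumer URL) and Part 3 step 4 (SAML logout endpoint).
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "https://$ConsoleHost/safeconsole/sso-login/acs"
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout `
        -Uri "https://$ConsoleHost/safeconsole/sso-logout" `
        -ResponseUri "https://$ConsoleHost/safeconsole/sso-logout"
)

# The group-membership rule template matches on the group's SID, so resolve it
# once here (pure .NET, no ActiveDirectory module required).
$groupSid = (New-Object System.Security.Principal.NTAccount($AdminGroup)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Part 2: the two claim rules in AD FS claim rule language. The first is what
# "Send LDAP Attributes as Claims" generates for E-Mail-Addresses -> Name ID,
# the second what "Send Group Membership as a Claim" generates.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "memberOf"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "memberOf", Value = "ADMINISTRATOR", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Part 3 step 2: the SafeConsole public signing certificate goes on the Signature tab.
$requestSigningCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCert)

# Part 1 steps 5, 8, 9 and Part 3 step 3 (secure hash algorithm SHA-1) in one call.
Add-AdfsRelyingPartyTrust -Name "SafeConsole" `
    -Identifier "safeconsole" `
    -Notes "SafeConsole SAML 2.0 single sign-on" `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName "Permit everyone" `
    -RequestSigningCertificate $requestSigningCert `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Review what was actually stored before moving on to Part 4.
$rpt = Get-AdfsRelyingPartyTrust -Name "SafeConsole"
$rpt | Select-Object Name, Identifier, AccessControlPolicyName, SignatureAlgorithm
$rpt.SamlEndpoints | Select-Object Protocol, Binding, Location, ResponseLocation
$rpt.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
```

Running the script once is equivalent to the wizard; rerunning it fails because the trust already exists, so use Set-AdfsRelyingPartyTrust with the same parameters to change an existing trust. The final Select-Object lines are the check to read before continuing: the identifier must equal the Entity ID entered in SafeConsole, and both endpoints must point at the console host.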
Part 4
Applying the SSO Settings to your SafeConsole Server
To enable single sign-on to SafeConsole using Active Directory with AD FS and SAML, the corresponding settings must be entered in SafeConsole under Server Settings / Single Sign-On.
Assuming your-adfs-server.com is the Federation Service name and SafeConsole is the Relying Party identifier, a typical setup looks like this:
Enable Single Sign-on: checked
SSO Provider: SAML2
Entity ID: safeconsole
SSO Endpoint: https://your-adfs-server.com/adfs/ls
SLO Endpoint: https://your-adfs-server.com/adfs/ls/?wa=wsignout1.0
X509 Certificate: AD FS Token-signing certificate:
In the AD FS Management sidebar, go to AD FS > Service > Certificates and double-click the certificate under Token-signing. Alternatively, right-click the field and then click View Certificate.
In the Certificate screen, go to the Details tab and click Copy to File, then OK. This opens a Certificate Export Wizard.
In the Certificate Export Wizard screen, click Next. Then, select the option Base-64 encoded X.509 (.CER) and click Next again.
In the Certificate Export Wizard screen, click Browse to specify the location you want the Identity Provider Certificate to be exported, and specify the file name.
Click Save. In the Certificate Export Wizard screen, verify the file path is correct, and click Next.
In the Completing the Certificate Export Wizard, click Finish, then OK to confirm the export was successful.
Now open the certificate file in a text editor and copy the certificate data into the X509 Certificate field in the settings.
When all settings have been entered into SafeConsole, click Save.
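The export in the Certificate Export Wizard can also be scripted, which makes it easier to re-run after a certificate change. The script below is an added example, not part of the SafeConsole documentation: it reads the primary token-signing certificate through the ADFS module, writes it in the same Base-64 encoded X.509 (.CER) form the wizard produces, and prints the thumbprint so it can be compared with the fingerprint noted in the prerequisites before the contents are pasted into the X509 Certificate field. The output path is an assumption.

```powershell
# Added example (not from the SafeConsole documentation): exports the primary
# AD FS token-signing certificate as Base-64 X.509 for the SafeConsole
# "X509 Certificate" field and shows its thumbprint for verification.
$OutFile = "C:\Temp\adfs-token-signing.cer"   # placeholder output path

Import-Module ADFS

# Only the primary token-signing certificate signs assertions; a secondary one
# listed under Token-signing is the next certificate in line, not the current one.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
if (-not $tokenSigning) {
    throw "No primary token-signing certificate found in AD FS > Service > Certificates."
}

# Same content as the wizard's "Base-64 encoded X.509 (.CER)" option:
# DER bytes of the public certificate, Base-64 with line breaks, PEM markers.
$x509 = $tokenSigning.Certificate
$der  = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem  = "-----BEGIN CERTIFICATE-----`r`n" +
        [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
        "`r`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii

# Values to compare against the AD FS Management console before pasting.
"Subject:    $($x509.Subject)"
"Not after:  $($x509.NotAfter)"
"Thumbprint: $($x509.Thumbprint)"
"Written to: $OutFile"

# With automatic certificate rollover enabled (the AD FS default), the primary
# token-signing certificate is replaced on a schedule and SafeConsole stops
# accepting assertions until the new certificate is pasted in. Flag it here.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is enabled; re-run this export and update SafeConsole after each token-signing rollover."
}
```

Run it on the federation server and paste the contents of the written file into the X509 Certificate field. The rollover warning is the detail to act on: when SSO logins start failing with signature errors some months after a working setup, the primary token-signing certificate having rolled over is the first thing to check in the Event Viewer AD FS log.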
Note: When using SSO, ensure that "Enable Custom Role-Based Security System" is checked in the "Admins" tab on your SafeConsole server. When adding users to roles, match the role names exactly as spelled; they are case-sensitive. The Single Sign-On subsystem will not function properly without these roles defined.
To test the new AD FS integration, click the "Use Single Sign-On (SSO)" button on the SafeConsole login screen or use the AD FS directory.