Skip to main content

Integration with Microsoft ADFS

Overview

This document describes the procedure to configure the BlockID Admin Console as a passwordless authentication solution for the Microsoft Active Directory Federation Services (ADFS) applications. This integration will allow your users to log in to their respective applications using Microsoft ADFS leveraging their biometrics. The biometric options include Touch ID / Face ID and LiveID.

Before you Begin

You will need the following resources and privileges to complete this integration:

  1. Admin access to the following:
    • BlockID tenant URL: If your organization is not registered for the BlockID tenant, visit the Sign Up page to set up a free BlockID tenant for your organization. The 1Kosmos representative will create a tenant URL, community, tenant tag, and a license key for your respective organization within the BlockID platform.
    • Microsoft ADFS that supports SAML integration
  2. Install on your mobile device:

Assumptions

  1. With the above prerequisites, you should now successfully be registered and be able to login to:
    • BlockID tenant application. Ensure the email address used to log in to this application is the same as the one used to log in to the Microsoft ADFS account.
  2. Installed and registered the BlockID mobile application.

There are two sets of configurations that need to be performed to enable this integration:

  1. Configure your BlockID Tenant as a Claims Provider within Microsoft ADFS.
  2. Configure Microsoft ADFS as a Service Provider (SP) within your BlockID Tenant.

List of Topics:

  1. Configure your BlockID Tenant as a Claims Provider within Microsoft ADFS
  2. Configure the BlockID tenant metadata
  3. Configure Microsoft ADFS as a Service Provider (SP) within your BlockID Tenant
  4. Test the SAML Single Sign-On Connection

Configure your BlockID tenant as a Claims Provider within Microsoft ADFS

Note:

The following steps will be performed by your Microsoft ADFS administrator.

Create a claims provider trust using metadata

  1. Start the Server Manager, click Tools, and select AD FS Management.
  2. In the AD FS Management console, navigate to Actions > Add Claims Provider Trust.
  3. In the Add Claims Provider Trust Wizard window, perform the following steps:
    • On the Welcome screen, click Start.
    • On the Select Data Source screen, select Import data about the claims provider published online or on a local network.
    • Click Next.
    • On the Specify Display Name screen:
      • Display name: Enter the display name for your claim provider trust. For example, ‘blockid’.
      • Notes: Enter the description for your claims provider trust.
      • Click Next.
    • On the Ready to Add Trust screen, click Next to save the claims provider trust information.
    • On the Finish screen, click Close. The Edit Claim Rules window is displayed.
Note:

Navigate to Relying Party Trust > right click on <your relying party> > Advanced, select SHA-1 from the Secure hash algorithm drop down list option.

  1. In the Edit Claim Rules window for the newly created claims provider trusts, navigate to the Acceptance Transform Rules tab, click Add Rule.
  2. In the Select Rule Template screen, select the Pass Through or Filter an Incoming Claim option.
  3. Click Next.
  4. In the Configure Claim Rule screen, enter the following values:
    • Claim rule name: Enter the appropriate name for the rule.
    • Incoming claim type: Select Name ID
    • Incoming name ID format: Select Unspecified
    • Select Pass through all claim values option and click Finish.
  5. Click Add Rule to add another rule.
  6. In the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option.
  7. Click Next.
  8. On the Configure Claim Rule screen, in the Claim rule name, enter the following values.
    • Claim rule name: Enter the appropriate name for the rule.
    • Incoming claim type: Name
  9. Make sure the Pass through all claim values option is selected and click Finish.
  10. To acknowledge the security warning, click Yes.
  11. Click OK.

Relying Party Trust configurations

  1. In the AD FS Management console, from the left pane, click Relying Party Trusts.
  2. Right click on WIF Sample App and click Edit Claim Rules.
  3. In the Issuance Transform Rules tab, click Add Rule.
  4. In the Select Rule Template screen, select Send LDAP Attributes as Claims and click Next.
  5. In the Configure Claim Rule tab, perform the following steps:
    • Attribute store: Active Directory
    • LDAP attribute: Select the attribute you want to send to the application from AD. For example, E-Mail-Addresses or Given-Name.
    • Outgoing claim type: Select the claim type you want to send to the consuming application. For example, UPN or emailaddress.
  6. Click Finish.
  7. In the Issuance Transform Rules tab, click Add Rule.
  8. In the Select Rule Template screen, select Send Claims using a custom rule and click Next.
  9. In the Configure Claim Rule tab, enter the following value:
    • Claim rule name: Enter the appropriate name for the rule.
    • Incoming claim type: Select Name ID
  10. Copy and paste the following text within the custom rule box: 
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = "sAMAccountName={0};<LDAP ATTRIBUTE YOU WANT TO SEND e.g. mail, userPrincipalName>;<DOMAIN>\{0}”, param = c.Value);
Important:

This works if you are sending the Windows logon in the NameID from the BlockID. If not, kindly edit the claims provider trust rules and change it to pass through the attribute that you are sending, and transform it to NameID.

Configure the BlockID tenant metadata

  1. Open the web browser and enter your organization’s BlockID tenant’s metadata URL in the following format: https://<customer_name>.1kosmos.net/default/metadata. The XML metadata information file is displayed.
  2. From the XML metadata information file, copy and save the values of the following keys to use while performing the Microsoft ADFS SAML integration configuration:
    • entityID: The example of its value is: https:// <customer_name>.1kosmos.net/default/idp1
    • SingleSignOnService URL: https://<customer_name>.1kosmos.net/default/SingleSignOnService
    • SingleLogoutService URL: https://<customer_name>.1kosmos.net/default/SingleLogoutService
    • X509Certificate:
      • Copy the certificate details and save them in the following format: 
        -----BEGIN CERTIFICATE-----
        Certificate details
        -----END CERTIFICATE-----
      • Save the certificate with .cert extension.

Configure Microsoft ADFS as a Service Provider (SP) within your BlockID Tenant

Set IDP Assertion Claim details

Perform the below-mentioned steps:

  1. Login to BlockID Admin Console, navigate to Administration Console > Federation > SAMLv2. The SAMLv2 screen is displayed.
  2. In the IDP Assertion Claims Mapping tab, link the appropriate LDAP and Session attribute values to the Claims for each Label.
    • Map the nameIdentifier to email.
    • Click Save.
Note:

These mapped fields will be available in the SAMLv2 > Service Providers > SP Assertion Claims Mapping tab for the imported service provider.

Add Microsoft ADFS as a Service Provider

  1. In the SAMLv2 screen, click Service Providers.
  2. In the Service Providers List screen, from the One-Click Rapid Service Provider Onboarding section, click on the Microsoft ADFS option.
  3. In the Onboard Microsoft ADFS as a SAMLv2 Service Provider window, enter details for the following fields:
    Note:

    In case, if your client does not share their Microsoft ADFS's XML metadata file to 1Kosmos, get the Entity ID and Login URL (SAML Assertion Consumer Service URL) details of their Microsoft ADFS.

    • Application Label: Enter the appropriate name for your organization’s Microsoft ADFS application as a service provider.
      Note:

      Get the client's Entity ID and Login URL details of the Microsoft ADFS service.

    • Entity ID: Enter the unique entityId URL specified in your single-sign on settings in Microsoft ADFS.
    • Login URL: Enter the login URL specified in your single-sign on settings in Microsoft ADFS.
    • Click Onboard Microsoft ADFS.
  4. Click on the newly added Microsoft ADFS as a service provider link.
  5. In the Edit screen:
    • In the SP Core Configuration tab: check the following details are selected:
      • Select the checkbox for each request/response that should be signed: ensure that the Assertion and Authentication Request options are selected.
      • NameID Value: nameidentifier.
    • In the SP Assertion Claims Mapping tab: Select the checkbox for the following options:
      • nameIdentifier
    • In the SP Service URL End Points tab:
      • Select POST.
      • Ensure Microsoft ADFS login URL is added.
    • Click Confirm and Save.

Test the SAML Single Sign-On Connection

  1. In your browser, open your organization’s Microsoft ADFS protected application. The application is displayed with Authenticate via ADFSand Authenticate via BlockID options.
  2. Click on the appropriate option. The screen is displayed with the barcode to be scanned from your BlockID mobile app.
  3. On the BlockID mobile application’s Home screen, click ‘Scan QR
  4. Scan the QR code. The confirmation pop-up window is displayed asking to Allow BlockID to access this device’s location?.
  5. In the confirmation pop-up window, select Allow only while using the app. The Authentication screen is displayed with the Please authenticate using <Biometric_option> from 1kosmos message.
  6. Click Authenticate and perform the appropriate authentication method. The pop-up window is displayed with Thank you! You have successfully authenticated to Log Inmessage upon successful authentication.
  7. You will be logged in to your organization’s Microsoft ADFS protected application.