Integration with Microsoft ADFS
Overview
This document describes how to configure the BlockID Admin Console as a passwordless authentication solution for applications protected by Microsoft Active Directory Federation Services (ADFS). With this integration, users log in to their applications through Microsoft ADFS using their biometrics. The biometric options are Touch ID / Face ID and LiveID.
Before you Begin
You will need the following resources and privileges to complete this integration:
- Admin access to the following:
  - BlockID tenant URL: If your organization is not registered for a BlockID tenant, visit the Sign Up page to set up a free BlockID tenant for your organization. The 1Kosmos representative will create a tenant URL, community, tenant tag, and a license key for your organization within the BlockID platform.
  - Microsoft ADFS that supports SAML integration
- Install on your mobile device:
  - BlockID mobile application (compatible with iOS and Android devices). Visit BlockID for Android or BlockID for iOS to download the application.
Assumptions
- With the above prerequisites in place, you are registered and able to log in to:
  - The BlockID tenant application. Ensure the email address used to log in to this application is the same as the one used to log in to the Microsoft ADFS account.
  - The BlockID mobile application, installed and registered.
- Launch the BlockID mobile application and follow the on-screen instructions to register the app with the BlockID platform and enroll your biometrics. See the Enroll Biometrics (Touch ID / Face ID and LiveID) section of the BlockID Mobile Application User Guide for a step-by-step description of the biometrics enrollment process within the BlockID mobile application.
There are two sets of configurations that need to be performed to enable this integration:
- Configure your BlockID Tenant as a Claims Provider within Microsoft ADFS.
- Configure Microsoft ADFS as a Service Provider (SP) within your BlockID Tenant.
List of Topics:
- Configure your BlockID Tenant as a Claims Provider within Microsoft ADFS
- Configure the BlockID tenant metadata
- Configure Microsoft ADFS as a Service Provider (SP) within your BlockID Tenant
- Test the SAML Single Sign-On Connection
Configure your BlockID tenant as a Claims Provider within Microsoft ADFS
The following steps will be performed by your Microsoft ADFS administrator.
Create a claims provider trust using metadata
- Start the Server Manager, click Tools, and select AD FS Management.
- In the AD FS Management console, navigate to Actions > Add Claims Provider Trust.
- In the Add Claims Provider Trust Wizard window, perform the following steps:
  - On the Welcome screen, click Start.
  - On the Select Data Source screen, select Import data about the claims provider published online or on a local network.
  - In the Federation metadata address (hostname or URL) box, enter the BlockID tenant's metadata URL. Get this URL from the Configure the BlockID tenant metadata topic.
  - Click Next.
  - On the Specify Display Name screen:
    - Display name: Enter the display name for your claims provider trust. For example, ‘blockid’.
    - Notes: Enter the description for your claims provider trust.
  - Click Next.
  - On the Ready to Add Trust screen, click Next to save the claims provider trust information.
  - On the Finish screen, click Close. The Edit Claim Rules window is displayed.
- Navigate to Relying Party Trusts, right-click <your relying party> > Advanced, and select SHA-1 from the Secure hash algorithm drop-down list.
- In the Edit Claim Rules window for the newly created claims provider trust, navigate to the Acceptance Transform Rules tab and click Add Rule.
- In the Select Rule Template screen, select the Pass Through or Filter an Incoming Claim option.
- Click Next.
- In the Configure Claim Rule screen, enter the following values:
  - Claim rule name: Enter the appropriate name for the rule.
  - Incoming claim type: Select Name ID.
  - Incoming name ID format: Select Unspecified.
  - Select the Pass through all claim values option and click Finish.
- Click Add Rule to add another rule.
- In the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option.
- Click Next.
- On the Configure Claim Rule screen, enter the following values:
  - Claim rule name: Enter the appropriate name for the rule.
  - Incoming claim type: Select Name.
  - Make sure the Pass through all claim values option is selected and click Finish.
- To acknowledge the security warning, click Yes.
- Click OK.
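The same claims provider trust, with the two pass-through acceptance rules from the steps above, can also be created from PowerShell on the AD FS server. This is an added example, not code from 1Kosmos or Microsoft; the tenant hostname placeholder and the ‘blockid’ display name come from the steps above, and the Notes text is arbitrary.

```powershell
# Added example (not 1Kosmos or Microsoft code): create the BlockID claims
# provider trust from its metadata URL and attach the two pass-through
# acceptance rules from the steps above. Run in an elevated session on the
# AD FS server. <customer_name> is a placeholder for your tenant hostname.
Import-Module ADFS

$metadataUrl = 'https://<customer_name>.1kosmos.net/default/metadata'

# Claim rule language for the Acceptance Transform Rules tab: pass through
# Name ID (unspecified format) and Name unchanged.
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust -Name 'blockid' -MetadataUrl $metadataUrl `
    -Notes 'BlockID passwordless IdP' -AcceptanceTransformRules $acceptanceRules

# Check what the metadata import actually trusted: the Identifier must equal
# the entityID you copied from the metadata file, and the token-signing
# certificate must be the X509Certificate published in that same file.
$trust = Get-AdfsClaimsProviderTrust -Name 'blockid'
$trust | Select-Object Name, Identifier, Enabled
$trust.TokenSigningCertificates | Select-Object Subject, Thumbprint, NotAfter
```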
Relying Party Trust configurations
- In the AD FS Management console, from the left pane, click Relying Party Trusts.
- Right-click WIF Sample App and click Edit Claim Rules.
- In the Issuance Transform Rules tab, click Add Rule.
- In the Select Rule Template screen, select Send LDAP Attributes as Claims and click Next.
- In the Configure Claim Rule tab, perform the following steps:
  - Attribute store: Active Directory
  - LDAP attribute: Select the attribute you want to send to the application from AD. For example, E-Mail-Addresses or Given-Name.
  - Outgoing claim type: Select the claim type you want to send to the consuming application. For example, UPN or emailaddress.
- Click Finish.
- In the Issuance Transform Rules tab, click Add Rule.
- In the Select Rule Template screen, select Send Claims using a custom rule and click Next.
- In the Configure Claim Rule tab, enter the following values:
  - Claim rule name: Enter the appropriate name for the rule.
  - Incoming claim type: Select Name ID.
  - Copy and paste the following text within the custom rule box:
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = "sAMAccountName={0};<LDAP ATTRIBUTE YOU WANT TO SEND e.g. mail, userPrincipalName>;<DOMAIN>\{0}", param = c.Value);
  Note: This rule works if you are sending the Windows logon name in the NameID from BlockID. If not, edit the claims provider trust rules to pass through the attribute that you are sending, and transform it to NameID.
Configure the BlockID tenant metadata
- Open a web browser and enter your organization’s BlockID tenant metadata URL in the following format: https://<customer_name>.1kosmos.net/default/metadata. The XML metadata file is displayed.
- From the XML metadata file, copy and save the values of the following keys to use while performing the Microsoft ADFS SAML integration configuration:
  - entityID: For example, https://<customer_name>.1kosmos.net/default/idp1
  - SingleSignOnService URL: https://<customer_name>.1kosmos.net/default/SingleSignOnService
  - SingleLogoutService URL: https://<customer_name>.1kosmos.net/default/SingleLogoutService
  - X509Certificate: Copy the certificate details and save them in the following format, with a .cert extension:
    -----BEGIN CERTIFICATE-----
    Certificate details
    -----END CERTIFICATE-----
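Rather than copying the four values out of the XML by hand, the script below fetches the tenant metadata, extracts them, and writes the signing certificate in the BEGIN/END CERTIFICATE format the procedure asks for. This is an added example, not 1Kosmos code; <customer_name> is a placeholder and blockid-idp.cert is an arbitrary output file name.

```powershell
# Added example (not 1Kosmos code): fetch the BlockID tenant metadata and
# extract entityID, SingleSignOnService, SingleLogoutService and the signing
# certificate. <customer_name> is a placeholder; blockid-idp.cert is an
# arbitrary output name.
$tenant = '<customer_name>.1kosmos.net'
[xml]$md = (Invoke-WebRequest -Uri "https://$tenant/default/metadata" -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$idp      = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
$entityId = $idp.GetAttribute('entityID')
$sso      = $idp.SelectSingleNode('md:IDPSSODescriptor/md:SingleSignOnService', $ns).GetAttribute('Location')
$slo      = $idp.SelectSingleNode('md:IDPSSODescriptor/md:SingleLogoutService', $ns).GetAttribute('Location')
$b64      = ($idp.SelectSingleNode('md:IDPSSODescriptor/md:KeyDescriptor//ds:X509Certificate', $ns).InnerText) -replace '\s', ''

# Wrap the base64 body in the BEGIN/END CERTIFICATE armour the procedure
# requires (64-character lines) and save it with a .cert extension.
$body = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n"
$pem  = "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----"
Set-Content -Path '.\blockid-idp.cert' -Value $pem -Encoding Ascii

# Record the thumbprint and expiry so the certificate AD FS imports for the
# claims provider trust can be compared against the one in the metadata.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
[pscustomobject]@{
    entityID            = $entityId
    SingleSignOnService = $sso
    SingleLogoutService = $slo
    Thumbprint          = $cert.Thumbprint
    NotAfter            = $cert.NotAfter
}
```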
Configure Microsoft ADFS as a Service Provider (SP) within your BlockID Tenant
Set IDP Assertion Claim details
Perform the below-mentioned steps:
- Login to BlockID Admin Console, navigate to Administration Console > Federation > SAMLv2. The SAMLv2 screen is displayed.
- In the IDP Assertion Claims Mapping tab, link the appropriate LDAP and Session attribute values to the Claims for each Label.
  - Map the nameIdentifier to email.
- Click Save.
These mapped fields will be available in the SAMLv2 > Service Providers > SP Assertion Claims Mapping tab for the imported service provider.
Add Microsoft ADFS as a Service Provider
- In the SAMLv2 screen, click Service Providers.
- In the Service Providers List screen, from the One-Click Rapid Service Provider Onboarding section, click on the Microsoft ADFS option.
- In the Onboard Microsoft ADFS as a SAMLv2 Service Provider window, enter details for the following fields:
  Note: If your client does not share their Microsoft ADFS XML metadata file with 1Kosmos, obtain the Entity ID and Login URL (SAML Assertion Consumer Service URL) of their Microsoft ADFS service from the client.
  - Application Label: Enter the appropriate name for your organization’s Microsoft ADFS application as a service provider.
  - Entity ID: Enter the unique entityId URL specified in your single sign-on settings in Microsoft ADFS.
  - Login URL: Enter the login URL specified in your single sign-on settings in Microsoft ADFS.
- Click Onboard Microsoft ADFS.
- Click on the newly added Microsoft ADFS as a service provider link.
- In the Edit screen:
  - In the SP Core Configuration tab, check that the following details are selected:
    - Select the checkbox for each request/response that should be signed: ensure that the Assertion and Authentication Request options are selected.
    - NameID Value: nameidentifier.
  - In the SP Assertion Claims Mapping tab, select the checkbox for the following option:
    - nameIdentifier
  - In the SP Service URL End Points tab:
    - Select POST.
    - Ensure the Microsoft ADFS login URL is added.
- Click Confirm and Save.
Test the SAML Single Sign-On Connection
- In your browser, open your organization’s Microsoft ADFS protected application. The application is displayed with Authenticate via ADFS and Authenticate via BlockID options.
- Click on the appropriate option. The screen is displayed with the barcode to be scanned from your BlockID mobile app.
- On the BlockID mobile application’s Home screen, click ‘Scan QR’.
- Scan the QR code. A confirmation pop-up window is displayed asking ‘Allow BlockID to access this device’s location?’.
- In the confirmation pop-up window, select Allow only while using the app. The Authentication screen is displayed with the ‘Please authenticate using <Biometric_option> from 1kosmos’ message.
- Click Authenticate and perform the appropriate authentication method. Upon successful authentication, a pop-up window is displayed with the ‘Thank you! You have successfully authenticated to Log In’ message.
- You are logged in to your organization’s Microsoft ADFS protected application.