ADFS Integration Guide

Configure ADFS

Step 1. Launch ADFS Management

From Server Manager, launch the ADFS Management program.

 

 

Step 2. Configure Relying Party Trust

Select Add Relying Party Trust…

 

 

Step 3. Configure Data Source

 

 

Step 4. Specify Display Name

 

 

Step 5. Choose Profile

Select AD FS Profile.

 

 

Step 6. Configure Certificate

This is an optional step, you can click Next.

 

 

Step 7. Configure URL

Enter in the Kepion endpoint and make sure to append /adfs/ls/ to the Relying party WS-Federation Passive protocol URL.  In the example below, the endpoint is https://connect.kepion.com with /adfs/ls/ appended to it.

 

 

Step 8. Configure Identifiers

Give your realm identifier as the Relying party trust identifier.  For example this can be urn:my-kepion-app or any other resource url identifier such as https://connect.kepion.com.  It will be used later as the realm identifier to the ADFS setup.

 

 

Step 9. Configure Multi-Factor Authentication

Optionally, configure multi-factor authentication or click Next.

 

 

Step 10. Configure Issuance Authorization Rules

Select Permit all users to access this relying party.

 

 

Step 11. Finish

 

 

 

Configure Claims

Step 1. Launch Edit Claim Rules

If the Edit Claim Rules dialog is not opened, you can right click on the Relying Party Trust that was created in the previous step and open it by clicking Edit Claim Rules…  Otherwise, proceed to Step 2.

 

 

Step 2. Create Claim Rule

Click Add Rule… select the Send Claims Using a Custom Rule as the Claim rule template.

 

 

 

Step 3. Configure Claim Rule

Enter in the following custom rule. This rule will allow Kepion to retrieve the login user info.

 

c:[Type !~ "^(?i).+(group|primarygroup)+sid$"] => issue(claim = c);

 

 

Step 4. Finish

Click Finish.

 

Step 5. Set JWT Token Using Powershell

Open powershell in administrative mode and Run:

 

Set-ADFSRelyingPartyTrust –TargetIdentifier "urn:my-kepion-app" –EnableJWT $true

 

Use the ‘realm identifier’ (i.e. relying party identifier) that you specified in the previous steps.  In the above script, the ‘realm identifier’ is "urn:my-kepion-app"

 

 

Configure Kepion

Step 1. Ensure Kepion is using HTTPS Endpoint

For example: https://connect.kepion.com

 

Step 2. Download ADFS Federation Metadata

Download the federation metadata from the ADFS server. 

For example: https://fs.corp.kepion.com/federationmetadata/2007-06/federationmetadata.xml

And locate the signing certificate:

 

<EntityDescriptor ID="_00dfbf00-eb22-4856-ab2b-736a6c34c59d" entityID="http://yru-server.corp.yru.com/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  ...
<RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="YRU Corp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
<X509Certificate>MIIC6jCCAdKgAwIBAgIQRC2A8qyY6pRPqjjCNYdnwTANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSB5cnUtc2VydmVyLmNvcnAueXJ1LmNvbTAeFw0xNjA2MTEwNTI1NTlaFw0xNzA2MTEwNTI1NTlaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIHlydS1zZXJ2ZXIuY29ycC55cnUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LeYVL+Kh7Uj9Sf5uN+xUBcc27evLC6kKsu3G2j87ZERy0t9Ak6xz7DmArqUTZ3CKvW8NoSG9BPu985axEdmOeygtXjkSYRlcOK0o8SLZNoAHYXWDQ0Z8sXUEGShVeALkmVopXzJMq2wwiXc52uLGHAuzGLNfapgjBOoMWcC2SlWsjvAdrOw3je19PSGd0jZgvzsyvmAFhQ7I5hO+WWYvjrp44wdTpBlHvzbW6kwiYGEpk6QeD93nmrftUi/hI3RoBRFFDIjz/NnnAf7uuDNbjxnzCx1/CshG+ogvs0saEvweqorC84HHOqnQMcja0TQ9XY7giLPXtcWW7BINPMXyQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBjq4lctSWlQv30tzlrYL4/wNpMrWTv1QGuQTtOO9SfkB1isYl3Adif5gS9n3IbyG01TM/l73GlQIP5kSSzBKI01rv6FL4ivndLS+xEJT1RW8SFPweyLBD9+bNCW+lSZ0B72rJEdco+SI9NglHtejy6Ux/G1/5CTRFfAsnX7ZoYCQPZ963RxXTCAFEyahjMiLXn0eVRKKqh0Amj2yFo8OwvlJYrqpzFCnTgoSe/T6Mp9zoFGH4mOzYTmHoA66HOMoMfw6zbGWD8TXLxloJsM8Gn01C8rwV6Z9CHLdDtsc3LgCR1wEGednr0efAln8hmDB/LNOMctFwZBV732l13kg8Z</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:TokenTypesOffered>
<fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
<fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>
    <fed:ClaimTypesOffered>
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
<auth:DisplayName>UPN</auth:DisplayName>
<auth:Description>The user principal name (UPN) of the user</auth:Description>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
    <fed:PassiveRequestorEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://yru-server.corp.yru.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  ...
</EntityDescriptor>

 

Step 3. Configure CPMAppHost

Insert the following entry into the Kepion CPMAppHost database. Make sure to replace it with your own values for your environment.  Use the downloaded signing certificate as the value for X509Certificate.

 

USE [CPMAppHost]
GO

INSERT INTO [dbo].[Memberships]
(
   [Name]
  ,[ConnectionString]
  ,[IsDisabled]
  ,[Type]
  ,[Realm]
  ,[Issuer]
  ,[X509Certificate]
)
VALUES
(
  N'Federated'
 ,N''
 ,0
 ,/*FederatedType*/ 3
 ,/*Realm */ N'urn:kepion-app'
 ,/*Issuer*/ N'https://fs.corp.kepion.com/adfs/ls'
,/*X509Certificate*/ N'MIIC6jCCAdKgAwIBAgIQRC2A8qyY6pRPqjjCNYdnwTANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSB5cnUtc2VydmVyLmNvcnAueXJ1LmNvbTAeFw0xNjA2MTEwNTI1NTlaFw0xNzA2MTEwNTI1NTlaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIHlydS1zZXJ2ZXIuY29ycC55cnUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LeYVL+Kh7Uj9Sf5uN+xUBcc27evLC6kKsu3G2j87ZERy0t9Ak6xz7DmArqUTZ3CKvW8NoSG9BPu985axEdmOeygtXjkSYRlcOK0o8SLZNoAHYXWDQ0Z8sXUEGShVeALkmVopXzJMq2wwiXc52uLGHAuzGLNfapgjBOoMWcC2SlWsjvAdrOw3je19PSGd0jZgvzsyvmAFhQ7I5hO+WWYvjrp44wdTpBlHvzbW6kwiYGEpk6QeD93nmrftUi/hI3RoBRFFDIjz/NnnAf7uuDNbjxnzCx1/CshG+ogvs0saEvweqorC84HHOqnQMcja0TQ9XY7giLPXtcWW7BINPMXyQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBjq4lctSWlQv30tzlrYL4/wNpMrWTv1QGuQTtOO9SfkB1isYl3Adif5gS9n3IbyG01TM/l73GlQIP5kSSzBKI01rv6FL4ivndLS+xEJT1RW8SFPweyLBD9+bNCW+lSZ0B72rJEdco+SI9NglHtejy6Ux/G1/5CTRFfAsnX7ZoYCQPZ963RxXTCAFEyahjMiLXn0eVRKKqh0Amj2yFo8OwvlJYrqpzFCnTgoSe/T6Mp9zoFGH4mOzYTmHoA66HOMoMfw6zbGWD8TXLxloJsM8Gn01C8rwV6Z9CHLdDtsc3LgCR1wEGednr0efAln8hmDB/LNOMctFwZBV732l13kg8Z'
)
GO

 

 

IFRAME Integration

In order to enable hosting within an IFRAME, you must include the following script tag:

 

<script src="https://connect.kepion.com/embed.js"></script>

 

In addition, each IFRAME must contain a query parameter of embedfed=1. 

 

<iframe src="https://connect.kepion.com?embedfed=1#/designer?appid=1"/>

 

Note: It must be before the #, but after the ?

 

 

Configure End-User IE Browser

IE has a concept of security zones that is dependent on domain names.  If the host site and Kepion somehow fall under two different security zones, then the end-user may get into an infinite redirect loop during authentication.  To mitigate this, add both the host domain and Kepion domain to the same security zone (Local intranet).