Submit a request

ADFS Integration Guide

Avatar
Kepion Support
  • Updated

Configure ADFS

Step 1. Launch ADFS Management

From Server Manager, launch the ADFS Management program.

 

mceclip0.png

 

Step 2. Configure Relying Party Trust

Select Add Relying Party Trust…

 

mceclip1.png

 

Step 3. Configure Data Source

 

mceclip2.png

 

Step 4. Specify Display Name

 

mceclip3.png

 

Step 5. Choose Profile

Select AD FS Profile.

 

mceclip4.png

 

Step 6. Configure Certificate

This is an optional step, you can click Next.

 

mceclip5.png

 

Step 7. Configure URL

Enter in the Kepion endpoint and make sure to append /adfs/ls/ to the Relying party WS-Federation Passive protocol URL.  In the example below, the endpoint is https://connect.kepion.com with /adfs/ls/ appended to it.

 

mceclip6.png

 

Step 8. Configure Identifiers

Give your realm identifier as the Relying party trust identifier.  For example this can be urn:my-kepion-app or any other resource url identifier such as https://connect.kepion.com.  It will be used later as the realm identifier to the ADFS setup.

 

mceclip7.png

 

Step 9. Configure Multi-Factor Authentication

Optionally, configure multi-factor authentication or click Next.

 

mceclip8.png

 

Step 10. Configure Issuance Authorization Rules

Select Permit all users to access this relying party.

 

mceclip9.png

 

Step 11. Finish

 

mceclip10.png

 

 

Configure Claims

Step 1. Launch Edit Claim Rules

If the Edit Claim Rules dialog is not opened, you can right click on the Relying Party Trust that was created in the previous step and open it by clicking Edit Claim Rules…  Otherwise, proceed to Step 2.

 

mceclip11.png

 

Step 2. Create Claim Rule

Click Add Rule… select the Send Claims Using a Custom Rule as the Claim rule template.

 

 mceclip12.png

 

Step 3. Configure Claim Rule

Enter in the following custom rule. This rule will allow Kepion to retrieve the login user info.

 

c:[Type !~ "^(?i).+(group|primarygroup)+sid$"] => issue(claim = c);

 

mceclip13.png

 

Step 4. Finish

Click Finish.

 

Step 5. Set JWT Token Using Powershell

Open powershell in administrative mode and Run:

 

Set-ADFSRelyingPartyTrust –TargetIdentifier "urn:my-kepion-app" –EnableJWT $true

 

Use the ‘realm identifier’ (i.e. relying party identifier) that you specified in the previous steps.  In the above script, the ‘realm identifier’ is "urn:my-kepion-app"

 

 

Configure Kepion

Step 1. Ensure Kepion is using HTTPS Endpoint

For example: https://connect.kepion.com

 

Step 2. Download ADFS Federation Metadata

Download the federation metadata from the ADFS server. 

For example: https://fs.corp.kepion.com/federationmetadata/2007-06/federationmetadata.xml

And locate the signing certificate:

 

<EntityDescriptor ID="_00dfbf00-eb22-4856-ab2b-736a6c34c59d" entityID="http://yru-server.corp.yru.com/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  ...
<RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="YRU Corp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
<X509Certificate>MIIC6jCCAdKgAwIBAgIQRC2A8qyY6pRPqjjCNYdnwTANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSB5cnUtc2VydmVyLmNvcnAueXJ1LmNvbTAeFw0xNjA2MTEwNTI1NTlaFw0xNzA2MTEwNTI1NTlaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIHlydS1zZXJ2ZXIuY29ycC55cnUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LeYVL+Kh7Uj9Sf5uN+xUBcc27evLC6kKsu3G2j87ZERy0t9Ak6xz7DmArqUTZ3CKvW8NoSG9BPu985axEdmOeygtXjkSYRlcOK0o8SLZNoAHYXWDQ0Z8sXUEGShVeALkmVopXzJMq2wwiXc52uLGHAuzGLNfapgjBOoMWcC2SlWsjvAdrOw3je19PSGd0jZgvzsyvmAFhQ7I5hO+WWYvjrp44wdTpBlHvzbW6kwiYGEpk6QeD93nmrftUi/hI3RoBRFFDIjz/NnnAf7uuDNbjxnzCx1/CshG+ogvs0saEvweqorC84HHOqnQMcja0TQ9XY7giLPXtcWW7BINPMXyQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBjq4lctSWlQv30tzlrYL4/wNpMrWTv1QGuQTtOO9SfkB1isYl3Adif5gS9n3IbyG01TM/l73GlQIP5kSSzBKI01rv6FL4ivndLS+xEJT1RW8SFPweyLBD9+bNCW+lSZ0B72rJEdco+SI9NglHtejy6Ux/G1/5CTRFfAsnX7ZoYCQPZ963RxXTCAFEyahjMiLXn0eVRKKqh0Amj2yFo8OwvlJYrqpzFCnTgoSe/T6Mp9zoFGH4mOzYTmHoA66HOMoMfw6zbGWD8TXLxloJsM8Gn01C8rwV6Z9CHLdDtsc3LgCR1wEGednr0efAln8hmDB/LNOMctFwZBV732l13kg8Z</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:TokenTypesOffered>
<fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
<fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>
    <fed:ClaimTypesOffered>
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
<auth:DisplayName>UPN</auth:DisplayName>
<auth:Description>The user principal name (UPN) of the user</auth:Description>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
    <fed:PassiveRequestorEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://yru-server.corp.yru.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  ...
</EntityDescriptor>

 

Step 3. Configure CPMAppHost

Insert the following entry into the Kepion CPMAppHost database. Make sure to replace it with your own values for your environment.  Use the downloaded signing certificate as the value for X509Certificate.

 

USE [CPMAppHost]
GO

INSERT INTO [dbo].[Memberships]
(
   [Name]
  ,[ConnectionString]
  ,[IsDisabled]
  ,[Type]
  ,[Realm]
  ,[Issuer]
  ,[X509Certificate]
)
VALUES
(
  N'Federated'
 ,N''
 ,0
 ,/*FederatedType*/ 3
 ,/*Realm */ N'urn:kepion-app'
 ,/*Issuer*/ N'https://fs.corp.kepion.com/adfs/ls'
,/*X509Certificate*/ N'MIIC6jCCAdKgAwIBAgIQRC2A8qyY6pRPqjjCNYdnwTANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSB5cnUtc2VydmVyLmNvcnAueXJ1LmNvbTAeFw0xNjA2MTEwNTI1NTlaFw0xNzA2MTEwNTI1NTlaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIHlydS1zZXJ2ZXIuY29ycC55cnUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LeYVL+Kh7Uj9Sf5uN+xUBcc27evLC6kKsu3G2j87ZERy0t9Ak6xz7DmArqUTZ3CKvW8NoSG9BPu985axEdmOeygtXjkSYRlcOK0o8SLZNoAHYXWDQ0Z8sXUEGShVeALkmVopXzJMq2wwiXc52uLGHAuzGLNfapgjBOoMWcC2SlWsjvAdrOw3je19PSGd0jZgvzsyvmAFhQ7I5hO+WWYvjrp44wdTpBlHvzbW6kwiYGEpk6QeD93nmrftUi/hI3RoBRFFDIjz/NnnAf7uuDNbjxnzCx1/CshG+ogvs0saEvweqorC84HHOqnQMcja0TQ9XY7giLPXtcWW7BINPMXyQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBjq4lctSWlQv30tzlrYL4/wNpMrWTv1QGuQTtOO9SfkB1isYl3Adif5gS9n3IbyG01TM/l73GlQIP5kSSzBKI01rv6FL4ivndLS+xEJT1RW8SFPweyLBD9+bNCW+lSZ0B72rJEdco+SI9NglHtejy6Ux/G1/5CTRFfAsnX7ZoYCQPZ963RxXTCAFEyahjMiLXn0eVRKKqh0Amj2yFo8OwvlJYrqpzFCnTgoSe/T6Mp9zoFGH4mOzYTmHoA66HOMoMfw6zbGWD8TXLxloJsM8Gn01C8rwV6Z9CHLdDtsc3LgCR1wEGednr0efAln8hmDB/LNOMctFwZBV732l13kg8Z'
)
GO

 

 

IFRAME Integration

In order to enable hosting within an IFRAME, you must include the following script tag:

 

<script src="https://connect.kepion.com/embed.js"></script>

 

In addition, each IFRAME must contain a query parameter of embedfed=1

 

<iframe src="https://connect.kepion.com?embedfed=1#/designer?appid=1"/>

 

Note: It must be before the #, but after the ?

 

 

Configure End-User IE Browser

IE has a concept of security zones that is dependent on domain names.  If the host site and Kepion somehow fall under two different security zones, then the end-user may get into an infinite redirect loop during authentication.  To mitigate this, add both the host domain and Kepion domain to the same security zone (Local intranet).

 

mceclip14.png

Comments

0 comments

Please sign in to leave a comment.

Related articles