Configure ADFS
Step 1. Launch ADFS Management
From Server Manager, launch the ADFS Management program.
Step 2. Configure Relying Party Trust
Select Add Relying Party Trust…
Step 3. Configure Data Source
Step 4. Specify Display Name
Step 5. Choose Profile
Select AD FS Profile.
Step 6. Configure Certificate
This step is optional; you can click Next.
Step 7. Configure URL
Enter the Kepion endpoint and make sure to append /adfs/ls/ to it for the Relying party WS-Federation Passive protocol URL. In the example below, the endpoint is https://connect.kepion.com with /adfs/ls/ appended to it.
Step 8. Configure Identifiers
Give your realm identifier as the Relying party trust identifier. For example, this can be urn:my-kepion-app or any other resource URL identifier such as https://connect.kepion.com. It will be used later as the realm identifier in the ADFS setup.
Step 9. Configure Multi-Factor Authentication
Optionally, configure multi-factor authentication or click Next.
Step 10. Configure Issuance Authorization Rules
Select Permit all users to access this relying party.
Step 11. Finish
Configure Claims
Step 1. Launch Edit Claim Rules
If the Edit Claim Rules dialog is not open, right-click the Relying Party Trust created in the previous step and click Edit Claim Rules… Otherwise, proceed to Step 2.
Step 2. Create Claim Rule
Click Add Rule… and select Send Claims Using a Custom Rule as the Claim rule template.
Step 3. Configure Claim Rule
Enter the following custom rule. It forwards every incoming claim except group SID claims, which lets Kepion retrieve the logged-in user's info.
c:[Type !~ "^(?i).+(group|primarygroup)+sid$"] => issue(claim = c);
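The rule above is a filter: ADFS issues each incoming claim to Kepion unless its type matches the regular expression, which catches the groupsid and primarygroupsid claim types (case-insensitively) and nothing else. The following added example (not part of the original article or of Kepion's software) reproduces that filter in Python over a constructed sample claim set so you can see exactly which claim types pass through. ADFS evaluates the rule with the .NET regex engine, which accepts the inline "^(?i)" flag; Python 3.11 and later reject an inline flag that is not at the very start of the pattern, so the same expression is written here with re.IGNORECASE instead.

```python
import re

# Same expression as the ADFS rule "c:[Type !~ "^(?i).+(group|primarygroup)+sid$"]",
# with the (?i) expressed as a compile flag for Python.
SID_CLAIM_PATTERN = re.compile(r"^.+(group|primarygroup)+sid$", re.IGNORECASE)


def is_forwarded(claim_type: str) -> bool:
    """True if the rule '=> issue(claim = c);' would issue a claim of this type."""
    return SID_CLAIM_PATTERN.search(claim_type) is None


def apply_rule(claims):
    """Apply the rule to a list of (type, value) pairs the way ADFS walks the
    incoming claim set, returning only the claims that would be issued."""
    return [(claim_type, value) for claim_type, value in claims if is_forwarded(claim_type)]


# Constructed sample claim set using the standard claim type URIs ADFS emits
# for a Windows user; the SID values are made up.
SAMPLE_CLAIMS = [
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "alice@corp.example"),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "CORP\\alice"),
    ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", "S-1-5-21-1-2-3-1105"),
    ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid", "S-1-5-21-1-2-3-513"),
    ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", "S-1-5-21-1-2-3-512"),
    # Mixed case to show the (?i) behaviour: still filtered out.
    ("http://schemas.microsoft.com/ws/2008/06/identity/claims/GroupSid", "S-1-5-32-544"),
]

if __name__ == "__main__":
    for claim_type, value in apply_rule(SAMPLE_CLAIMS):
        print(claim_type.rsplit("/", 1)[-1], "=", value)
```

Note that the user's own primarysid claim is not matched by the expression (no "group" precedes "sid"), so it is forwarded along with upn and name; only the group membership SIDs are withheld.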
Step 4. Finish
Click Finish.
Step 5. Set JWT Token Using Powershell
Open PowerShell as an administrator and run:
Set-ADFSRelyingPartyTrust -TargetIdentifier "urn:my-kepion-app" -EnableJWT $true
Use the 'realm identifier' (i.e. the relying party trust identifier) that you specified in the previous steps. In the script above, the realm identifier is "urn:my-kepion-app".
Configure Kepion
Step 1. Ensure Kepion is using HTTPS Endpoint
For example: https://connect.kepion.com
Step 2. Download ADFS Federation Metadata
Download the federation metadata from the ADFS server.
For example: https://fs.corp.kepion.com/federationmetadata/2007-06/federationmetadata.xml
And locate the signing certificate:
<EntityDescriptor ID="_00dfbf00-eb22-4856-ab2b-736a6c34c59d" entityID="http://yru-server.corp.yru.com/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
...
<RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="YRU Corp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<fed:TokenTypesOffered>
<fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
<fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
</fed:TokenTypesOffered>
<fed:ClaimTypesOffered>
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
<auth:DisplayName>UPN</auth:DisplayName>
<auth:Description>The user principal name (UPN) of the user</auth:Description>
</auth:ClaimType>
</fed:ClaimTypesOffered>
<fed:PassiveRequestorEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://yru-server.corp.yru.com/adfs/ls/</Address>
</EndpointReference>
</fed:PassiveRequestorEndpoint>
</RoleDescriptor>
...
</EntityDescriptor>
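Picking the right value out of the metadata by hand is error-prone: the file can carry several KeyDescriptor elements (signing and encryption), and the X509Certificate text is the bare base64 DER that the Kepion X509Certificate column expects, without PEM headers. The following added example (not from the original article or from Kepion) parses a constructed metadata document shaped like the listing above, keeps only KeyDescriptor use="signing" entries, strips whitespace from the base64, and computes the SHA-1 thumbprint so the extracted certificate can be compared against the Token-signing certificate shown in the ADFS console before it is trusted. The certificate blobs in the sample are short constructed byte strings, not real certificates; they only start with the DER SEQUENCE tag 0x30 so the sanity check passes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by ADFS federation metadata (as in the listing above).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}


def extract_federation_info(metadata_xml: str) -> dict:
    """Return the entityID, the WS-Federation passive endpoint and the
    signing certificate(s) as bare base64 strings (no PEM armour, no
    line breaks), which is the form the X509Certificate column takes."""
    root = ET.fromstring(metadata_xml)
    info = {"entity_id": root.get("entityID"), "passive_endpoint": None, "signing_certs": []}
    addr = root.find(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    if addr is not None and addr.text:
        info["passive_endpoint"] = addr.text.strip()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # Only the signing key validates tokens; an encryption key must not be
        # pasted into the Memberships row by mistake.
        if kd.get("use") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            info["signing_certs"].append("".join((cert.text or "").split()))
    return info


def der_thumbprint(b64_cert: str) -> str:
    """SHA-1 thumbprint of the DER certificate as uppercase hex without
    separators, the form the ADFS console and certlm.msc display."""
    der = base64.b64decode(b64_cert, validate=True)
    if not der or der[0] != 0x30:  # DER certificates begin with a SEQUENCE tag
        raise ValueError("not a DER-encoded certificate (expected 0x30)")
    return hashlib.sha1(der).hexdigest().upper()


# Constructed sample metadata mirroring the listing above, with one signing
# and one encryption KeyDescriptor; the base64 blobs are NOT real certificates.
SAMPLE_METADATA = """<EntityDescriptor ID="_example" entityID="http://yru-server.corp.yru.com/adfs/services/trust"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIICCQgHBgUEAwIBAA==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIICAAEC
          AwQFBgcICQ==
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://yru-server.corp.yru.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    info = extract_federation_info(SAMPLE_METADATA)
    print("entityID:        ", info["entity_id"])
    print("passive endpoint:", info["passive_endpoint"])
    for cert in info["signing_certs"]:
        print("signing cert thumbprint:", der_thumbprint(cert))
```

Run it against the real federationmetadata.xml by replacing SAMPLE_METADATA with the downloaded file's contents; if the thumbprint it prints does not match the Token-signing certificate in ADFS Management, do not paste the value into the database.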
Step 3. Configure CPMAppHost
Insert the following entry into the Kepion CPMAppHost database, replacing the values with the ones for your environment. Use the signing certificate from the downloaded federation metadata as the value for X509Certificate.
USE [CPMAppHost]
GO
INSERT INTO [dbo].[Memberships]
(
[Name]
,[ConnectionString]
,[IsDisabled]
,[Type]
,[Realm]
,[Issuer]
,[X509Certificate]
)
VALUES
(
N'Federated'
,N''
,0
,/*FederatedType*/ 3
,/*Realm: must match the relying party trust identifier configured in ADFS*/ N'urn:my-kepion-app'
,/*Issuer*/ N'https://fs.corp.kepion.com/adfs/ls'
,/*X509Certificate*/ N'MIIC6jCCAdKgAwIBAgIQRC2A8qyY6pRPqjjCNYdnwTANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSB5cnUtc2VydmVyLmNvcnAueXJ1LmNvbTAeFw0xNjA2MTEwNTI1NTlaFw0xNzA2MTEwNTI1NTlaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIHlydS1zZXJ2ZXIuY29ycC55cnUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LeYVL+Kh7Uj9Sf5uN+xUBcc27evLC6kKsu3G2j87ZERy0t9Ak6xz7DmArqUTZ3CKvW8NoSG9BPu985axEdmOeygtXjkSYRlcOK0o8SLZNoAHYXWDQ0Z8sXUEGShVeALkmVopXzJMq2wwiXc52uLGHAuzGLNfapgjBOoMWcC2SlWsjvAdrOw3je19PSGd0jZgvzsyvmAFhQ7I5hO+WWYvjrp44wdTpBlHvzbW6kwiYGEpk6QeD93nmrftUi/hI3RoBRFFDIjz/NnnAf7uuDNbjxnzCx1/CshG+ogvs0saEvweqorC84HHOqnQMcja0TQ9XY7giLPXtcWW7BINPMXyQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBjq4lctSWlQv30tzlrYL4/wNpMrWTv1QGuQTtOO9SfkB1isYl3Adif5gS9n3IbyG01TM/l73GlQIP5kSSzBKI01rv6FL4ivndLS+xEJT1RW8SFPweyLBD9+bNCW+lSZ0B72rJEdco+SI9NglHtejy6Ux/G1/5CTRFfAsnX7ZoYCQPZ963RxXTCAFEyahjMiLXn0eVRKKqh0Amj2yFo8OwvlJYrqpzFCnTgoSe/T6Mp9zoFGH4mOzYTmHoA66HOMoMfw6zbGWD8TXLxloJsM8Gn01C8rwV6Z9CHLdDtsc3LgCR1wEGednr0efAln8hmDB/LNOMctFwZBV732l13kg8Z'
)
GO
IFRAME Integration
In order to enable hosting within an IFRAME, you must include the following script tag:
<script src="https://connect.kepion.com/embed.js"></script>
In addition, each IFRAME must contain a query parameter of embedfed=1.
<iframe src="https://connect.kepion.com?embedfed=1#/designer?appid=1"></iframe>
Note: the embedfed=1 parameter must appear after the ? and before the #, i.e. in the query string rather than in the fragment.
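Because Kepion's client-side routes live in the URL fragment ("#/designer?appid=1"), the "?" inside the fragment is easy to confuse with the real query separator, and a parameter placed there never reaches the server. The following added example (not from the original article or from Kepion) builds the IFRAME src correctly by splitting the fragment off first, and checks an existing URL for the flag in the query component only. The helper names are this example's own.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

EMBED_PARAM = ("embedfed", "1")


def add_embed_flag(url: str) -> str:
    """Return url with embedfed=1 in the query string (after '?' and before '#').

    urlsplit separates the fragment before the query, so a '?' inside
    '#/designer?appid=1' is left alone and the flag lands in the right place.
    An existing embedfed value is replaced rather than duplicated."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if EMBED_PARAM not in query:
        query = [kv for kv in query if kv[0] != "embedfed"] + [EMBED_PARAM]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def has_embed_flag(url: str) -> bool:
    """True only when embedfed=1 is in the real query component, not the fragment."""
    return EMBED_PARAM in parse_qsl(urlsplit(url).query, keep_blank_values=True)


def iframe_tag(url: str) -> str:
    """Render the IFRAME element; html.escape keeps '&' and quotes safe in the attribute."""
    return '<iframe src="%s"></iframe>' % html.escape(url, quote=True)


if __name__ == "__main__":
    # Constructed examples: a designer route without the flag, one that already
    # has it, and one with the flag misplaced inside the fragment.
    for candidate in (
        "https://connect.kepion.com#/designer?appid=1",
        "https://connect.kepion.com/?embedfed=1#/designer?appid=1",
        "https://connect.kepion.com#/designer?appid=1&embedfed=1",
    ):
        print(has_embed_flag(candidate), "->", iframe_tag(add_embed_flag(candidate)))
```

The first candidate becomes exactly the src shown in the article's IFRAME example; the third shows why a check must look at the query component, since the misplaced flag inside the fragment reports False.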
Configure End-User IE Browser
IE has a concept of security zones that depends on domain names. If the host site and Kepion fall under two different security zones, the end user may get into an infinite redirect loop during authentication. To mitigate this, add both the host domain and the Kepion domain to the same security zone (Local intranet).