This section covers in detail the Active Directory Federation Services (AD FS) configuration required for your Yellowfin SAML Bridge.
AD FS Public Key
You will need to obtain the AD FS token-signing certificate (a .cer file containing the public key). The SAML Bridge uses it to verify the signatures on the SAML responses that AD FS sends back to Yellowfin; a public key cannot sign anything itself, so if this value is wrong or stale every login will fail signature validation. The certificate is set in onelogin.saml.properties as a single line of Base-64 text. For example:
onelogin.saml2.idp.x509cert =MIIC2DCCAcCgAwIBAgIQfdRAAWmWko1IsimA004o3TANBgkqhki…
Download the signing certificate from AD FS:
...
- In the AD FS Management console, find the token-signing certificate (Service > Certificates). If more than one is listed, take the primary one.
- Select ‘View Certificate’.
- Go to ‘Details’.
- Click ‘Copy to file’ and, in the export wizard, choose the Base-64 encoded X.509 (.CER) format so the file is text rather than binary DER.
- Then open the file in a text editor and copy the Base-64 body (the text between the BEGIN CERTIFICATE and END CERTIFICATE lines, joined into one line) into onelogin.saml2.idp.x509cert.
...
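The same export done from PowerShell on the AD FS server, as an added example that is not part of the Yellowfin documentation or the SAML Bridge itself. It reads the primary token-signing certificate with the ADFS module, exports only the public certificate (no private key leaves the server), and rewrites the onelogin.saml2.idp.x509cert line. The properties file path is an assumption; adjust it to your deployment.

```powershell
# Added example: export the primary AD FS token-signing certificate as the
# single-line Base-64 string that onelogin.saml2.idp.x509cert expects.
# Run on the AD FS server in an elevated PowerShell session.
Import-Module ADFS

$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # X509Certificate2

# DER bytes of the public certificate only, then Base-64 without PEM headers
$der    = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$base64 = [Convert]::ToBase64String($der)

# Sanity checks worth recording before pasting the value into Yellowfin
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Not after  : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires within 30 days. AD FS certificate rollover issues a new key, and Yellowfin will reject responses until the property is updated again."
}

# Assumed path to the SAML Bridge properties file
$propsPath = 'C:\Yellowfin\saml\onelogin.saml.properties'
$line      = "onelogin.saml2.idp.x509cert = $base64"

# Replace an existing idp.x509cert line if present, otherwise append one
$content = Get-Content -Path $propsPath
if ($content -match '^onelogin\.saml2\.idp\.x509cert\s*=') {
    $content = $content -replace '^onelogin\.saml2\.idp\.x509cert\s*=.*$', $line
} else {
    $content += $line
}
Set-Content -Path $propsPath -Value $content
$line
```

Record the thumbprint it prints: when a login later fails with a signature error, comparing that thumbprint against the current primary token-signing certificate in AD FS is the fastest way to tell whether automatic certificate rollover has happened since the value was pasted.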
...
Note: each time you modify onelogin.saml.properties, you need to update the Yellowfin Relying Party Trust metadata in AD FS, otherwise AD FS keeps issuing responses for the old entity ID, endpoint or Name ID format.
...
That means AD FS has to pass an email address as the Name ID. Your claim rules should look like the following.
...
- Click ‘Add Rule’ and choose ‘Send LDAP Attributes as Claims’.
- Give the rule a name and add all the attributes you want to pass to the SAML Bridge.
- For automatic user provisioning via the SAML Bridge, you need to pass at least the email address, user name and surname.
- You need to pass a user identifier that matches the Yellowfin authentication method (either a user name or an email address, depending on how Yellowfin is configured).
- Make sure that whatever you map to the email address attribute really contains email addresses, for example User-Principal-Name or E-Mail-Addresses. If the attribute is empty or holds something else for some users, those users will be provisioned with a broken identifier or fail to log in.
- Note: you may want to add more AD attributes to support user provisioning via the SAML Bridge, such as a default user role or group memberships. Additional modification of the SAML Bridge web.xml and acs.jsp files will be required.
Transform email address into name ID
- Click ‘Add Rule’ and this time select ‘Transform an Incoming Claim’.
- Select ‘E-Mail Address’ as the ‘Incoming claim type’.
- Then select ‘Name ID’ as the ‘Outgoing claim type’ and ‘Email’ as the ‘Outgoing name ID format’ (this must correspond to onelogin.saml2.sp.nameidformat in the onelogin.saml.properties file).
...
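The two rules the wizard steps above produce, written in the AD FS claim rule language and applied with PowerShell, as an added example that is not part of the Yellowfin documentation. The relying party trust display name ‘Yellowfin’ is an assumption; the claim type URIs and rule templates are the ones AD FS itself generates for ‘Send LDAP Attributes as Claims’ and ‘Transform an Incoming Claim’.

```powershell
# Added example: issuance transform rules for the Yellowfin relying party trust.
# Assumes the trust already exists with the display name below.
Import-Module ADFS

$rpName = 'Yellowfin'

# Rule 1: LDAP attributes -> claims. 'mail' (E-Mail-Addresses) is used for the
# e-mail claim so the value really is an e-mail address; givenName and sn supply
# the user name and surname needed for automatic provisioning.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Yellowfin user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Rule 2: e-mail claim -> Name ID with the emailAddress format. The format URI
# must match onelogin.saml2.sp.nameidformat in onelogin.saml.properties.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "E-mail address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Replace the trust's rule set with exactly these two rules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($ldapRule + "`r`n" + $nameIdRule)

# Show what AD FS will now issue to Yellowfin
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Because the Name ID is derived from the mail attribute, an account with an empty mail attribute produces no Name ID at all, and AD FS will return a response without a subject identifier. Keep the directory attribute populated for every account that is allowed to reach the trust, or add an issuance authorization rule that denies users without an e-mail claim, rather than letting the SAML Bridge receive an assertion it cannot map to a user.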
...