
This section covers the Active Directory Federation Services (AD FS) configuration required for your Yellowfin SAML Bridge in detail.


AD FS Public Key

You will need to obtain a valid public key from AD FS (a .cer file) to sign SAML requests coming from Yellowfin. This key is then set in onelogin.saml.properties as a plain text string. For example:

onelogin.saml2.idp.x509cert =MIIC2DCCAcCgAwIBAgIQfdRAAWmWko1IsimA004o3TANBgkqhki…


Download signing certificate from AD FS:


...

  1. Find the certificate in AD FS.
  2. Select ‘View Certificate’.
  3. Go to ‘Details’.
  4. Click ‘Copy to file’.
  5. Open the exported file in a text editor and copy the string into onelogin.saml2.idp.x509cert.
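A small helper, added here as an example and not part of the Yellowfin or AD FS documentation, that does step 5 without hand-editing: it accepts the exported .cer file in either encoding the Windows ‘Copy to File’ wizard offers (Base64/PEM or DER), produces the single-line onelogin.saml2.idp.x509cert value, and computes the SHA-1 thumbprint so the value can be compared with the Thumbprint field on the certificate ‘Details’ tab. The sample certificate bytes below are constructed and are not a real certificate.

```python
import base64
import hashlib
import re

# Matches the PEM armour produced by 'Base64 encoded X.509 (.CER)' in the export wizard.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cer_to_der(cer_bytes: bytes) -> bytes:
    """Return raw DER bytes whether the .cer was exported as Base64 (PEM) or DER."""
    match = PEM_RE.search(cer_bytes)
    if match:
        body = b"".join(match.group(1).split())  # drop the line breaks inside the armour
        return base64.b64decode(body, validate=True)
    return cer_bytes  # already DER


def idp_x509cert_property(cer_bytes: bytes) -> str:
    """The onelogin.saml.properties line: base64 body, no header/footer, one line."""
    b64 = base64.b64encode(cer_to_der(cer_bytes)).decode("ascii")
    return f"onelogin.saml2.idp.x509cert = {b64}"


def thumbprint(cer_bytes: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex, as shown on the certificate 'Details' tab."""
    return hashlib.sha1(cer_to_der(cer_bytes)).hexdigest().upper()


def property_matches_cert(properties_text: str, cer_bytes: bytes) -> bool:
    """True if the x509cert already in onelogin.saml.properties is this certificate;
    a stale value after an AD FS certificate rollover is a common cause of failed logins."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "onelogin.saml2.idp.x509cert":
            try:
                configured = base64.b64decode(value.strip(), validate=True)
            except ValueError:
                return False  # not valid base64, so it cannot be the exported certificate
            return thumbprint(configured) == thumbprint(cer_bytes)
    return False


# Constructed sample bytes standing in for a DER certificate (not a real certificate).
SAMPLE_DER = bytes(range(48, 80))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(idp_x509cert_property(SAMPLE_PEM))
    print("Thumbprint:", thumbprint(SAMPLE_PEM))
```

Run it against the real exported .cer and paste the printed line into onelogin.saml.properties; if the printed thumbprint differs from the one AD FS shows, the wrong certificate was exported.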

...


...

Note: Each time you modify onelogin.saml.properties, you need to update the Yellowfin Relying Party Trust metadata in AD FS.

...

That means you need to pass an email address as the Name ID from AD FS. Your claim rules should look like the ones below.

...

  1. Click ‘Add Rule’ and choose ‘Send LDAP Attributes as Claims’.
  2. Give the rule a name and add all the attributes you want to pass to the SAML Bridge.
  3. For automatic user provisioning via the SAML Bridge, you need to pass at least the email address, user name and user surname.
  4. You need to pass a user ID that corresponds to the Yellowfin authentication method (either name ID or email address).
  5. Make sure that whatever LDAP attribute you map to the E-Mail-Addresses claim actually contains email addresses. It can be User-Principal-Name or E-Mail-Addresses.
  6. Note: You may want to add more AD attributes to support user provisioning via the SAML Bridge, such as the default user role, group memberships, etc. This requires additional modification of the SAML Bridge web.xml and acs.jsp files.


Transform email address into Name ID

  1. Click ‘Add Rule’ and this time select ‘Transform an Incoming Claim’.
  2. Select ‘E-Mail Address’ as the ‘Incoming claim type’.
  3. Then select ‘Name ID’ as the ‘Outgoing claim type’ and ‘Email’ as the ‘Outgoing name ID format’ (this should correspond to onelogin.saml2.sp.nameidformat in the onelogin.saml.properties file).

...


...