Adding a relying party trust for Security Center - Security Center 5.11

Security Center Administrator Guide 5.11

Product
Security Center
Content type
Guides > Administrator guides
Version
5.11
Language
English
Last updated
2024-07-05

For an ADFS server to act as the claims provider for your Security Center system, you must add Security Center to the relying party trusts of the ADFS server.

Before you begin

  • The AD FS Management window must be open on your ADFS server.
  • If Directory failover is configured on your system, know the hostname of each Directory server.

What you should know

This task is part of the deployment process for third-party authentication using ADFS based on a sample scenario. The instructions and screen captures are based on Windows Server 2016. If you are using a different version, your procedure might be different.
NOTE: If you are not enabling web-based authentication, click Next instead of executing the steps that are marked "(WbA only)".

Procedure

  1. In the AD FS window, click Relying Party Trusts > Add Relying Party Trust.
    The Add Relying Party Trust Wizard window opens.
  2. On the Welcome page, click Start > Enter data about the relying party manually > Next.
    You can leave Claims aware selected.
  3. On the Specify Display Name page, enter a name that represents your Security Center system in the Display name field, and click Next.
    For example, YourCompany Security Center.
  4. (Optional) On the Configure Certificate page, specify a token encryption certificate and click Next.
  5. (WbA only) On the Configure URL page, select Enable support for the WS-Federation Passive protocol and enter the URL of your Security Center main server, and then click Next.
    For example: https://MainServer.YourCompany.com

  6. (WbA only) On the Configure Identifiers page, enter a string that identifies your Security Center main server in the Relying party trust identifier field, and click Add.
    IMPORTANT: An example would be to use the URL of your main server: https://MainServer.YourCompany.com. Write this value down. You need to enter this identifier in a subsequent step, when you configure the Authentication Service role on the Security Center server.
    Best Practice: We recommend using the default value configured for the Authentication Service role, urn:federation:SecurityCenter, so you have one less thing to remember.

  7. (WbA only) In the Relying party trust identifiers list, select the row that corresponds to your main server URL and click Remove > Next.
  8. In the Choose Access Control Policy page, select Permit everyone and click Next.
  9. In the Ready to Add Trust page, click Identifiers, and verify the identifiers you entered.
  10. Click Next, leave Configure claims issuance policy for this application selected, and click Close.
    The Security Center main server is added to the relying party trusts of your ADFS server.
  11. If Directory failover is configured on your system, you must add the URL of each Directory server as endpoints to the Security Center relying party trust of your ADFS server.
    NOTE: The Authentication Service role runs on the same server as the Directory role. When the Directory role fails over to the next server in line, the Authentication Service role also fails over to the same server. For this reason, the ADFS server must know the URL of every Directory server you have in your system. For the server URL, enter https:// followed by the fully qualified hostname.
    1. In the AD FS window, select the Security Center relying party trust, and click Properties > Endpoints.
    2. Click Add WS-Federation, enter the URL of a Directory server, and click OK.
    3. Repeat the previous step for all Directory servers on your system.
    4. Click Apply > OK.
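The same trust can be created from the AD FS PowerShell module instead of the wizard, which is useful for documenting and repeating the configuration. The following script is an added example, not code from the Genetec guide; it uses the cmdlets shipped with AD FS on Windows Server 2016 (the -AccessControlPolicyName parameter exists from that version on). The display name and the Directory2 hostname are assumptions; the main server URL and the urn:federation:SecurityCenter identifier are the values the procedure above uses. Run it in an elevated PowerShell session on the ADFS server.

```powershell
# Added example (not from the Genetec guide): create the Security Center relying
# party trust with the AD FS PowerShell module, covering steps 1-11 above.
Import-Module ADFS

$displayName   = 'YourCompany Security Center'          # step 3 (assumed name)
$mainServerUrl = 'https://MainServer.YourCompany.com'   # step 5 (main server URL from the guide)
$identifier    = 'urn:federation:SecurityCenter'        # step 6 best-practice default

# Step 11: other Directory servers that the Authentication Service role can fail over to.
# The hostname below is an assumption; use https:// plus the fully qualified hostname of each one.
$failoverDirectoryServers = @(
    'https://Directory2.YourCompany.com'
)

# Steps 1-10: add the trust. The identifier list is set explicitly here, so the main
# server URL is never added as a second identifier (the wizard adds it automatically,
# which is why step 7 removes that row). 'Permit everyone' is the policy step 8 selects.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -WSFedEndpoint $mainServerUrl `
    -AccessControlPolicyName 'Permit everyone'

# Step 11: register each failover Directory server as an additional WS-Federation endpoint
if ($failoverDirectoryServers.Count -gt 0) {
    Set-AdfsRelyingPartyTrust -TargetName $displayName `
        -AdditionalWSFedEndpoint $failoverDirectoryServers
}

# Verification (step 9 equivalent): list the identifier and every endpoint the ADFS
# server will accept for this trust, so the values can be compared with what is
# entered later in the Authentication Service role.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, WSFedEndpoint, AdditionalWSFedEndpoint, AccessControlPolicyName |
    Format-List
```

The optional token encryption certificate from step 4 can be supplied with the -EncryptionCertificate parameter of Add-AdfsRelyingPartyTrust; it is omitted here because the procedure treats it as optional. Keep the Identifier value shown by the verification output, since it must match the identifier you configure on the Authentication Service role.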