Creating Authentication Service roles for WS-Federation or WS-Trust - Security Center 5.11

Security Center Administrator Guide 5.11

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.11
Language: English
Last updated: 2024-07-05

For Security Center to receive claims from an ADFS server using the WS-Trust or WS-Federation protocols, you must create and configure an Authentication Service role.

Before you begin

What you should know

The Authentication Service role connects Security Center to an external identity provider for third-party authentication.

You must create one Authentication Service role for WS-Trust or WS-Federation in Security Center for each root ADFS. In our sample scenario, the local ADFS server is the root ADFS, therefore only one Authentication Service role is needed.

If you do not have a local ADFS server, but multiple independent third-party ADFS servers acting as identity providers for Security Center, then you need to create one Authentication Service role for each of them.

Procedure

  1. From the Config Tool homepage, open the System task and click the Roles view.
  2. Click Add an entity > Authentication Service.
  3. On the Specific info page, select WS-Federation or WS-Trust, and click Next.
    NOTE: These protocols can only be selected at role creation.
  4. In the Basic information page, enter a name and description for the role.
  5. Select a Partition this role is a member of, and click Next.
    Partitions determine which Security Center users have access to this entity. Only users who have been granted access to the partition can see the ADFS role.
  6. Click Next > Create > Close.
    A new Authentication Service role is created.
  7. Click the Properties tab, and configure the Trust chain (domains).
    1. Click Add an item, configure the local ADFS server, and click OK.
      Domain
      This is the domain of your local ADFS server. Example: YourDomain.com.
      URL
      This is the address of the metadata document for your ADFS server. It is always in the following format: adfs.YourCompany.com

      Replace YourCompany.com with the name of your ADFS server.

      Security Center
      Relying party
      This is the identifier that was entered as the Relying party identifier when you added the relying party trust for Security Center.

      The relying party identifier is how Security Center identifies itself to the ADFS server, even when the role fails over to another server.

      Web-based authentication (WS-Federation)
      Select this option to enable web-based authentication (default=OFF).
      IMPORTANT: Supervised user logon does not work if you enable web-based authentication, because the user authentication is handled outside of Security Center.
    2. Click Add an item, configure the remote ADFS server, and click OK.
      Domain
      This is the domain of the remote ADFS server. Example: CompanyXYZ.com.
      Users from that domain must append the domain to their usernames when they log on to Security Center.
      Example: johnny@CompanyXYZ.com.
      URL
      This is the address of the remote ADFS server's metadata document. It is always in the following format: adfs.CompanyXYZ.com

      Replace CompanyXYZ.com with the name of the remote ADFS server.

      Override relying party
      (Advanced setting) Select this option if the claims provider on this domain expects a different audience in the token request made by the relying party, and enter the value it expects.
    3. If you configured more than one remote ADFS server as a claims provider to your local ADFS server, add the others now.
  8. Configure the external user groups that Security Center is going to accept.
    1. In the Accepted user groups section, click Add an item.
    2. In the dialog box that opens, select the user groups mapped to the remote ADFS groups, and click OK.
    Users who are members of the accepted user groups can log on to your system. Security Center neither stores nor validates their passwords; the ADFS server does. Security Center trusts them as authenticated users only if the ADFS server accepts them.
    NOTE: External users who must be authenticated by ADFS using the WS-Trust protocol must append their domain name to the end of their username, such as Username@CompanyXYZ.com, on the Security Center logon screen.
  9. Click Apply.
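As an added example that is not part of this guide, the following Python check inspects the metadata document behind a Trust chain entry from step 7 before it is entered in the role: it confirms that the issuer named in the metadata belongs to the configured Domain, that a WS-Federation endpoint is published over HTTPS, and that a signing certificate is present. The metadata sample is constructed; its hostnames and certificate value are placeholders, and the element names follow the public WS-Federation metadata schema rather than any Security Center API.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsa": "http://www.w3.org/2005/08/addressing"}

# Constructed, heavily trimmed stand-in for an ADFS metadata document.
# Hostnames and the certificate value are placeholders, not from a real server.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  entityID="http://adfs.yourcompany.com/adfs/services/trust">
  <RoleDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>https://adfs.yourcompany.com/adfs/ls/</wsa:Address>
    </wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def check_trust_chain_entry(domain, metadata_xml):
    """Return (entity_id, passive_endpoint, issues) for one Trust chain Domain.
    issues is empty when the metadata is consistent with the configured domain."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID", "")
    issues = []
    # The issuer must live in the domain being configured, or tokens from an
    # unrelated issuer would be accepted under this entry.
    host = urlparse(entity_id).hostname or ""
    d = domain.lower()
    if not (host == d or host.endswith("." + d)):
        issues.append(f"entityID host {host!r} is not in domain {domain!r}")
    # WS-Federation needs a passive endpoint, and it must be HTTPS.
    addr = root.find(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    endpoint = addr.text.strip() if addr is not None and addr.text else ""
    if not endpoint:
        issues.append("no WS-Federation PassiveRequestorEndpoint published")
    elif urlparse(endpoint).scheme != "https":
        issues.append(f"endpoint {endpoint} is not HTTPS")
    # Without a published signing certificate, token signatures cannot be verified.
    certs = [c for kd in root.findall(".//md:KeyDescriptor[@use='signing']", NS)
             for c in kd.iter(f"{{{NS['ds']}}}X509Certificate")]
    if not any(c.text and c.text.strip() for c in certs):
        issues.append("no signing certificate published for this issuer")
    return entity_id, endpoint, issues
```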