Creating Authentication Service roles for WS-Federation or WS-Trust - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Language: English
Last updated: 2024-10-17

For Security Center to receive claims from an ADFS server using the WS-Trust or WS-Federation protocols, you must create and configure an Authentication Service role.

What you should know

The Authentication Service role connects Security Center to an external identity provider for third-party authentication.

Create one Authentication Service role for WS-Trust or WS-Federation in Security Center for each root ADFS. In our sample scenario, the local ADFS server is the root ADFS; therefore only one Authentication Service role is needed.

If you do not have a local ADFS server but multiple independent third-party ADFS servers acting as identity providers for Security Center, you need to create one Authentication Service role for each of them.

Unlike Azure and Okta, Security Center offers little guidance for configuring the identity provider when you create an Authentication Service role with Provider: Other.

Procedure

  1. From the Config Tool homepage, open the System task and click the Roles view.
  2. Click Add an entity > Authentication Service.
    The Creating a role: Authentication Service window opens.
  3. In the Specific info section, select the identity provider and the authentication protocol and click Next.
    Provider
    Other
    Protocol
    WS-Federation or WS-Trust
    NOTE: These protocols can only be selected at role creation.
  4. In the Basic information section, enter a name and description for the role.
  5. If there are partitions in your system, select the partition of which this role is a member and click Create.
    Partitions determine which Security Center users have access to this entity. Only users who have been granted access to the partition can see the ADFS role.
  6. On the Before you continue page, click Start.
  7. On the Accepted domains page, add the domain names of users who can authenticate using this Authentication Service.
    1. Click Add an item, configure the local ADFS server and click OK.
      Domain
      Domain of your local ADFS server. Example: YourDomain.com.
      URL
      Address of the metadata document for your ADFS server. It is always in the following format: adfs.YourCompany.com.

      Replace YourCompany.com with the name of your ADFS server.

      Relying party
      Identifier that was entered as the Relying party identifier when you added the relying party trust for Security Center.

      The relying party identifier is how Security Center identifies itself to the ADFS server, even when the role fails over to another server.

      Enable passive authentication
      Select this option to enable web-based authentication (default=OFF).
      IMPORTANT: Supervised user logon does not work if you enable passive authentication because the user authentication is handled outside of Security Center.
    2. Click Add an item, configure the remote ADFS server and click OK.
      Domain
      Domain of the remote ADFS server. Example: CompanyXYZ.com.
      Users from that domain must append the domain to their usernames when they log on to Security Center.
      Example: johnny@CompanyXYZ.com.
      URL
      Address of the remote ADFS server's metadata document. It is always in the following format: adfs.CompanyXYZ.com.

      Replace CompanyXYZ.com with the name of the remote ADFS server.

      Override relying party
      (Advanced setting) Select this option if the claims provider on this domain expects a different audience in the token request made by the relying party and enter the value it expects.
    3. If you configured more than one remote ADFS server as claims providers to your local ADFS server, add them now.
  8. Click Next.
  9. In the Groups section, click Add an item to add a user group:
    • Select an existing group.
      Users who are members of the accepted user groups can log on to your system. Security Center does not keep or validate their passwords. The ADFS server does. Security Center simply trusts them as authentic users if the ADFS accepts them.
      NOTE: External users who must be authenticated by ADFS using the WS-Trust protocol must append their domain name to the end of their username, such as Username@CompanyXYZ.com, on the Security Center logon screen.
    • Create a new group.
  10. Click Next.
  11. On the Test the configuration page, click Test logon to validate the configuration and click Next.
  12. On the Creation outcome page, verify that the information is correct and click Next > Close.
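Before entering a URL on the Accepted domains page, it is worth confirming that the metadata document the ADFS server publishes really describes the server you expect: the entityID and passive (web-based) endpoint should belong to the same host you configure, the endpoint should be HTTPS, and a token-signing certificate should be present. The following Python check is an added example, not code from the Security Center guide; it assumes the standard ADFS FederationMetadata.xml layout, and the embedded document is a constructed sample with a placeholder certificate.

```python
"""Sanity-check an ADFS federation metadata document (constructed sample, offline).
ADFS normally serves the real document at
https://<adfs host>/FederationMetadata/2007-06/FederationMetadata.xml."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample; the certificate value is a placeholder, not a real cert.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  entityID="http://adfs.YourCompany.com/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>https://adfs.YourCompany.com/adfs/ls/</Address>
    </EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def inspect_metadata(xml_text: str, expected_host: str) -> dict:
    """Extract the STS entityID, passive endpoint and signing-cert count; list mismatches."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    # Only the SecurityTokenServiceType role describes the WS-Federation/WS-Trust STS.
    sts = next((rd for rd in root.findall("md:RoleDescriptor", NS)
                if rd.get(XSI_TYPE, "").endswith("SecurityTokenServiceType")), None)
    if sts is None:
        raise ValueError("no SecurityTokenServiceType RoleDescriptor: not an ADFS STS document")
    certs = sts.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ep = sts.find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    passive = ep.text.strip() if ep is not None and ep.text else None
    problems = []
    if urlparse(entity_id).hostname != expected_host.lower():
        problems.append(f"entityID host does not match {expected_host}")
    if passive is None or urlparse(passive).scheme != "https" or urlparse(passive).hostname != expected_host.lower():
        problems.append("passive endpoint missing, not HTTPS, or on another host")
    if not certs:
        problems.append("no token-signing certificate published")
    return {"entity_id": entity_id, "passive_endpoint": passive, "signing_certs": len(certs), "problems": problems}
```

Run it against the metadata fetched from your own ADFS server with the domain you are about to enter as `expected_host`; an empty `problems` list means the URL, domain and server agree.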