For Security Center to receive claims from an ADFS server using the WS-Trust or WS-Federation protocols, you must create and configure an Authentication Service role.
Before you begin
- All ADFS servers involved in the trust chain are fully configured.
- ADFS groups have been mapped to Security Center user groups.
What you should know
You must create one Authentication Service role for WS-Trust or WS-Federation in Security Center for each root ADFS server. In our sample scenario, the local ADFS server is the root ADFS, so only one Authentication Service role is needed.
If you do not have a local ADFS server, but instead have multiple independent third-party ADFS servers acting as identity providers for Security Center, you must create one Authentication Service role for each of them.
- From the Config Tool home page, open the System task, and click the Roles view.
- Click Add an entity > Authentication Service.
- In the Specific info page, select WS-Federation or WS-Trust, and click Next.
  NOTE: These protocols can only be selected at role creation.
- In the Basic information page, enter a name and description for the role.
- Select a partition this role is a member of, and click
  Partitions determine which Security Center users have access to this entity. Only users who have been granted access to the partition can see the ADFS role.
  A new Authentication Service role is created.
- Click the Properties tab, and configure the Trust
- Click Add an item, configure the local ADFS server, and click OK.
  - This is the domain of your local ADFS server. Example: YourDomain.com.
  - This is the address of the metadata document for your ADFS server. It is always in the following format:
    Replace YourCompany.com with the name of your ADFS server.
  - Relying party: this is the identifier that was entered as the Relying party identifier when you added the relying party trust for Security Center. The relying party identifier is how Security Center identifies itself to the ADFS server, even when the role fails over to another server.
  - Web-based authentication (WS-Federation): select this option to enable web-based authentication (default=OFF).
    IMPORTANT: Supervised user logon does not work if you enable web-based authentication, because the user authentication is handled outside of Security Center.
- Click Add an item, configure the remote ADFS server, and click OK.
  - This is the domain of the remote ADFS server. Example: CompanyXYZ.com. Users from that domain must append the domain to their usernames when they log on to Security Center. Example: johnny@CompanyXYZ.com.
  - This is the address of the remote ADFS server's metadata document. It is always in the following format:
    Replace CompanyXYZ.com with the name of the remote ADFS server.
  - Override relying party (advanced setting): select this option if the claims provider on this domain expects a different audience in the token request made by the relying party, and enter the value it expects.
- If you configured more than one remote ADFS server as a claims provider to your local ADFS server, add them now.
- Configure the external user groups that Security Center is going to accept.
  Users who are members of the accepted user groups can log on to your system. Security Center neither stores nor validates their passwords; the ADFS server does. Security Center simply trusts them as authentic users if the ADFS server accepts them.
  NOTE: External users who must be authenticated by ADFS using the WS-Trust protocol must append their domain name to the end of their username, such as Username@CompanyXYZ.com, on the Security Center logon screen.
- In the Accepted user groups section, click Add an item.
- In the dialog box that opens, select the user groups mapped to the remote ADFS groups, and click OK.
- Click Apply.
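The following Python script is an added example, not Genetec's code and not part of the original page. It models the checks that the trust configuration and accepted user groups above imply on the Security Center side: a logon name with a domain suffix is routed to the local or the matching remote ADFS trust, the token audience must equal the relying party identifier (or the override relying party value configured for that claims provider), the token subject must match the logon name, and the ADFS group claims are mapped to the accepted Security Center user groups. The token is a plain dict standing in for a parsed WS-Trust/WS-Federation assertion; its field names, the domains, the identifiers, the placeholder metadata URLs and the group names are all assumptions.

```python
"""Model of the checks an Authentication Service role applies to ADFS claims.
Added example, not Genetec's code.  A parsed WS-Trust/WS-Federation assertion
is represented as a plain dict; its keys ("issuer_domain", "audience", "upn",
"groups") and all domains, URLs and group names are assumptions."""
from dataclasses import dataclass
from typing import Optional


class ClaimsRejected(Exception):
    """Raised when Security Center must not trust the presented claims."""


@dataclass(frozen=True)
class AdfsTrust:
    domain: str                                   # e.g. YourDomain.com
    metadata_url: str                             # address of the ADFS metadata document
    override_relying_party: Optional[str] = None  # "Override relying party" advanced setting


@dataclass
class AuthenticationServiceRole:
    relying_party_identifier: str   # value entered as Relying party identifier in ADFS
    local: AdfsTrust                # the root ADFS server
    remotes: dict                   # lower-case domain -> AdfsTrust (claims providers)
    accepted_groups: dict           # ADFS group claim -> Security Center user group


def split_username(username):
    """'johnny@CompanyXYZ.com' -> ('johnny', 'companyxyz.com'); no suffix -> None."""
    user, sep, domain = username.partition("@")
    if not user or (sep and not domain):
        raise ClaimsRejected(f"malformed username {username!r}")
    return user, (domain.lower() if sep else None)


def resolve_trust(role, username):
    """Select the ADFS trust expected to have issued the token for this logon name.
    Remote users identify their claims provider by the domain suffix they append."""
    _, domain = split_username(username)
    if domain is None or domain == role.local.domain.lower():
        return role.local
    if domain not in role.remotes:
        raise ClaimsRejected(f"no ADFS trust configured for domain {domain!r}")
    return role.remotes[domain]


def expected_audience(role, trust):
    """Audience the token must carry: the relying party identifier, unless the
    claims provider for that domain was given an override."""
    return trust.override_relying_party or role.relying_party_identifier


def validate_token(role, username, token):
    """Return the Security Center user groups granted by the token, or reject it.
    No password is checked here: the ADFS server did that.  Security Center only
    verifies the token was issued by the configured trust, is addressed to this
    relying party, names the user logging on, and carries an accepted group."""
    trust = resolve_trust(role, username)
    user, _ = split_username(username)
    if token.get("issuer_domain", "").lower() != trust.domain.lower():
        raise ClaimsRejected("issuer does not match the configured ADFS trust")
    if token.get("audience") != expected_audience(role, trust):
        raise ClaimsRejected("audience is not this relying party")
    if token.get("upn", "").lower() != f"{user}@{trust.domain}".lower():
        raise ClaimsRejected("token subject does not match the logon name")
    groups = sorted({role.accepted_groups[g] for g in token.get("groups", ())
                     if g in role.accepted_groups})
    if not groups:
        raise ClaimsRejected("user belongs to no accepted user group")
    return groups


def rejects(role, username, token):
    """True if validate_token would refuse the logon (convenience for checks)."""
    try:
        validate_token(role, username, token)
    except ClaimsRejected:
        return True
    return False


# Constructed sample configuration: hypothetical domains, identifiers and groups.
ROLE = AuthenticationServiceRole(
    relying_party_identifier="urn:example:securitycenter",
    local=AdfsTrust("YourDomain.com", "https://YourDomain.com/<metadata-document-path>"),
    remotes={"companyxyz.com": AdfsTrust(
        "CompanyXYZ.com", "https://CompanyXYZ.com/<metadata-document-path>",
        override_relying_party="urn:example:partner-audience")},
    accepted_groups={"SC-Operators": "Operators", "SC-Admins": "Administrators"},
)

# Constructed sample token for a remote user (as a parsed assertion would look here).
REMOTE_TOKEN = {"issuer_domain": "CompanyXYZ.com", "audience": "urn:example:partner-audience",
                "upn": "johnny@CompanyXYZ.com", "groups": ["Domain Users", "SC-Operators"]}

if __name__ == "__main__":
    print(validate_token(ROLE, "johnny@CompanyXYZ.com", REMOTE_TOKEN))   # ['Operators']
```

Two failure modes worth noting: a token signed by the right ADFS server but addressed to a different audience is refused, which is why the relying party identifier (or its override) must match exactly on both sides; and a user whose token carries no group that was mapped to a Security Center user group cannot log on at all, which is why the group mapping belongs in the prerequisites.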