You can use an Active Directory Federation Services (ADFS) server as an identity provider for Security Center, and allow users outside your company to log on by establishing a trust chain from third-party ADFS servers to the Security Center main server.
Before you begin
- Be familiar with the concepts of third-party authentication.
- Ensure that your ADFS server is operational. For general information on ADFS installation and configuration, refer to the documentation for your version of the product software.
This deployment process uses the following a sample scenario:
What you should know
- Users from Company XYZ must access your Security Center system.
- Company XYZ servers are not on the same domain as your servers.
- Company XYZ has an ADFS server using WS-Trust or WS-Federation that relies on Active Directory as the identity provider.
For external users from Company XYZ to access Security Center, a chain of trusts must be established from the Active Directory of Company XYZ to the main server of your Security Center system, as follows:
NOTE: Security Center requires specific attributes as claims: Group and UPN (User Principal Name).
Best Practice: If you want to use security groups from your local Active Directory as Security Center user groups, do not federate them through an Authentication Service role, but import them from Active Directory instead. Importing from Active Directory offers more functionality, such as synchronizing all standard fields (first name, last name, email address, and so on), custom field mapping, and the option to create all users during role synchronization.
- Company XYZ must add a relying party trust to their ADFS server for your ADFS server.
Configure your local ADFS server as follows:
- Add a claims provider trust for the third-party ADFS server.
- Configure the claim rules for the third-party claims provider.
- Add a relying party trust for Security Center.
- Configure the claim rules for Security Center.
Configure Security Center to perform
third-party authentication through ADFS.
- Connect to your Security Center system with Config Tool.
- Create a user group for each ADFS group you accept as Security Center user group.
- Create an Authentication Service role for third-party authentication using WS-Trust or WS-Federation.
Incoming users can now be authenticated by ADFS.
NOTE: External users who must be authenticated by ADFS using the WS-Trust protocol must append their domain name to the end of their username, such as Username@CompanyXYZ.com, on the Security Center logon screen.
IMPORTANT: There is currently a known issue regarding the use of a local Active Directory and ADFS. When you have external users authenticated through ADFS in your system, all users imported from your local Active Directory must also use fully qualified user names, even though they belong to the same domain as your Security Center system.