In order for Security Center to receive claims from an ADFS server, you need to create and configure an ADFS role within Security Center.
Before you begin
- All ADFS servers involved in the trust chain must be fully configured.
- Map the accepted remote ADFS groups to Security Center user groups.
What you should know
You need to create one ADFS role in Security Center for each root ADFS you have. In our sample scenario, your local ADFS server is your root ADFS, therefore you only need to create one ADFS role.
If you do not have a local ADFS server, but instead multiple independent third-party ADFS servers acting as security token services for Security Center, then you need to create an ADFS role for each of them, and add a relying party trust for Security Center to the configuration of each of these ADFS servers.
- From the Config Tool home page, open the System task, and click the Roles view.
- Click Add an entity > Active Directory Federation Services.
- In the Basic information page, enter a name and description for the role.
- Select a Partition this role is a member of, and click to continue. A new ADFS role is created.
  Partitions determine which Security Center users have access to this entity. Only users who have been granted access to the partition can see the ADFS role.
- Click the Properties tab, and configure the trust chain.
- Click Add an item, configure your local ADFS server, and click OK.
  - This is your local ADFS server's domain. Example: YourDomain.com.
  - This is the address of your ADFS server's metadata document. It is always in the following format:
    Replace YourCompany.com with the name of your ADFS server.
  - Relying party identifier: This is the identifier that was entered as the Relying party identifier when you added the relying party trust for Security Center. This is how Security Center identifies itself as the relying party to the ADFS server, even when the role fails over to another server.
  - Enable passive authentication: Select this option to enable passive authentication (default=OFF). IMPORTANT: Supervised user logon does not work if you enable passive authentication, because the user authentication is handled outside of Security Center.
- Click Add an item, configure the remote ADFS server, and click OK.
  - This is your remote ADFS server's domain. Example: CompanyXYZ.com.
    Users from that domain must append the domain to their usernames when they log on to Security Center. Example: johnny@CompanyXYZ.com.
  - This is the address of the remote ADFS server's metadata document. It is always in the following format:
    Replace CompanyXYZ.com with the name of the remote ADFS server.
  - Override relying party: (Advanced setting) Select this option if the claims provider on this domain expects a different audience in the token request made by the relying party, and enter the value it expects.
- If you configured more than one remote ADFS server as a claims provider to your local ADFS server, add them now: click Add an item, configure the ADFS server, and click OK.
- Configure the external user groups that Security Center is going to accept.
  All users who are members of the accepted user groups are able to log on to your system. They must all append their domain name to their username in order to log on. Security Center neither stores nor validates their passwords; the ADFS server does. Security Center simply trusts them as authenticated users if the ADFS server accepts them.
  - In the Accepted user groups section, click Add an item.
  - In the dialog box that opens, select the user groups mapped to the remote ADFS groups, and click OK.
- Click Apply.
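Because Security Center trusts whatever the ADFS server accepts, the values typed into the role must match the trusts configured on the root ADFS server. The following check, an added example that is not part of the Security Center documentation, runs on the local ADFS server with the ADFS PowerShell module and confirms that the relying party trust carries the identifier entered in the role and that each remote domain has a claims provider trust. The identifier and domain values are placeholders to replace with your own.

```powershell
# Added verification script (not from the Security Center documentation).
# Run on the local (root) ADFS server. Placeholder values below are assumptions.
Import-Module ADFS

# Exact string entered as the Relying party identifier in the ADFS role (placeholder)
$RelyingPartyIdentifier = 'https://securitycenter.YourDomain.com'
# Remote ADFS domains added to the role as claims providers (placeholder)
$RemoteDomains = @('CompanyXYZ.com')

# 1. The relying party trust for Security Center must exist, be enabled, and
#    list the same identifier the role uses; otherwise ADFS rejects token requests.
$rp = Get-AdfsRelyingPartyTrust |
      Where-Object { $_.Identifier -contains $RelyingPartyIdentifier } |
      Select-Object -First 1
if (-not $rp) {
    Write-Warning "No relying party trust uses identifier '$RelyingPartyIdentifier'."
} elseif (-not $rp.Enabled) {
    Write-Warning "Relying party trust '$($rp.Name)' is disabled."
} else {
    Write-Output "OK: relying party trust '$($rp.Name)' uses '$RelyingPartyIdentifier'."
}

# 2. Every remote domain in the role needs an enabled claims provider trust on
#    the root ADFS, or users from that domain cannot be federated at all.
foreach ($domain in $RemoteDomains) {
    $cp = Get-AdfsClaimsProviderTrust |
          Where-Object { $_.Identifier -like "*$domain*" -or $_.Name -like "*$domain*" } |
          Select-Object -First 1
    if (-not $cp) {
        Write-Warning "No claims provider trust found for '$domain'; add it before adding the domain to the role."
    } elseif (-not $cp.Enabled) {
        Write-Warning "Claims provider trust '$($cp.Name)' for '$domain' is disabled."
    } else {
        Write-Output "OK: claims provider trust '$($cp.Name)' covers '$domain'."
    }
}
```

Any warning printed here means the corresponding value in the ADFS role or on the ADFS server needs correcting before users from that domain can log on.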