ADFS is a standards-based service that allows the secure sharing of identity information between trusted business partners. This guide will hopefully give people information on how to successfully authenticate users into Bridge using ADFS as the SAML Identity Provider (IdP).
The first thing to do to set up SAML with ADFS is to generate the necessary Service Provider (SP) metadata in Bridge.
- To start, log in to Bridge as an admin and navigate to Account Management and then Account settings.
- Near the top of the page select the Auth option.
- Scroll down until you see the SAML 2.0 option and click the enable button.
- For this step you will need your ADFS IdP metadata it can generally be found at this address:
- Select the "Manual Configuration" option from the top drop down and uncheck the "Sign Authentication Requests" and "Use Name Qualifiers on Entity IDs" options unless necessary.
- Place the IdP Entity ID, the Sign On URL, the X509 Certificate, any authentication context (optional), and the Name ID Format.
- You can also adjust the clock drift to accommodate clock differences between IdP and SP.
- By default, the Authentication Lifetime is set to a week (604800 Seconds). This should match your IdP defined Max Authentication Lifetime.
- Click save at the bottom of the page and wait for Bridge to generate your metadata link.
Initial Setup (setting up a trust)
Load the AD FS 2.0 Management console as an administrator, most likely on the local network.
- Under Trust Relationships, right-click on Relying Party Trusts and select Add Relying Party Trust.
The Add Relying Party Trust wizard displays with one of the following two methods:
Select the Import data about the relying party published online or on a local network option.
- This requires that SAML has been turned on for the instance as described above.
In the box, enter the url provided as the Audience URI on the Bridge SAML page and click Next.
Enter the display name you’d like your users to see, and click Next.
Select the Permit all users to access this relying party option, and then click Next. Click Next again.
Select the Open the edit claim rules dialog for this relying party trust when the wizard closes check box, and click Close.
Making some sweet claim rules!
The Edit Claim Rules dialog box displays.
On the Issuance Transform Rules tab, click Add Rule.
In the wizard that displays, select Send LDAP Attributes as Claims from the Claim Rule Template drop-down, and then click Next.
Complete the following fields as indicated below, and then click Finish:
Claim rule name: Whatever name you'd like to use. Something descriptive with a bunch of adjectives.
Attribute store: Active Directory
LDAP Attribute: Choose the attribute you’d like to map to the Bridge user account login name. THIS IS THE UNIQUE IDENTIFIER IN BRIDGE!!!
Outgoing Claim Type: Name ID
The rule you created should display on the Issuance Transform Rules tab. Click OK. A new relying party trust should display in the AD FS 2.0 Management console.
Right-click on the name of the trust, and select Properties.
- Click OK and you're all done.
|Error in ADFS Logs: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId||Make sure the Name ID Format in Bridge is blank|