Add Relying Party Trust
1. In Server Manager, click Tools, and then select AD FS Management.
2. In the folder tree on the left, under AD FS, right-click Relying Party Trusts and select Add Relying Party Trust.
3. Select Claims aware and click Start/Next.
4. Choose "Import data about the relying party from a file". Use the file at https://www.dropbox.com/s/0ft3kku6hpsh21k/metadata.xml?dl=0 (download it first). Click Next.
5. Enter "EdSmart_RelyingParty" as the display name.
6. Give permissions to the group. Click Next.
7. Click Finish.
Add Rules
1. In Server Manager, click Tools, and then select AD FS Management.
2. Click Edit Claim Issuance Policy... for the relying party trust.
3. In the window that opens, click Add Rule.
4. Select Send Group Membership as a Claim.
5. Fill in the values and click Finish:
   - Claim rule name: MembershipRule
   - User's group: click Browse and select the group whose members are allowed to log in using SSO.
   - Outgoing claim type: select Role
   - Outgoing claim value: staff
6. The rule is added. Double-click it.
7. Click View Rule Language.
8. Copy the claim rule language text and save it in Notepad; it is needed in the next steps. Click OK and return to the Edit Claim Issuance Policy window.
9. Add another rule.
...
10. Select Send Claims Using a Custom Rule.
11. Fill in:
   - Claim rule name: CustomMembershipRule
   - Custom rule: paste the text copied in step 8.
   Now replace the highlighted URL (the outgoing claim type) with simply role (see the next screenshot).
12. With "URL" replaced by "role", click Finish.
13. You can now remove the previously created MembershipRule.
...
14. Add another rule: select Send Claims Using a Custom Rule.
15. Fill in the details below and click Finish.
...
Custom rule text:

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("UserID", "mail", "givenName", "sn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,mail,givenName,sn,mail;{0}", param = c.Value);
```

This rule looks up the logged-in Windows account in Active Directory and issues its mail, givenName and sn attributes as the UserID, mail, givenName, sn and nameidentifier claims (the mail attribute is used for both UserID and nameidentifier).

16. You are done.
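The two procedures above (Add Relying Party Trust and Add Rules) can also be scripted with the AD FS PowerShell module on the AD FS server. The following is an added example written for this page, not a script from the page or from EdSmart. It assumes the metadata.xml from the page has been saved to C:\temp\metadata.xml, that the script runs as an AD FS administrator, and that the group SID is filled in by hand (the group name and SID placeholder are not on the page). The first rule is the text the "Send Group Membership as a Claim" template produces once the outgoing claim type URL is replaced with "role", as step 12 describes; the authorization rule at the end is the rule-language equivalent of "give permissions to the group" (AD FS 2016 and later can express the same thing as an access control policy instead).

```powershell
# Added example (not from the page): scripted equivalent of the wizard steps above.
Import-Module ADFS

$displayName  = "EdSmart_RelyingParty"
$metadataPath = "C:\temp\metadata.xml"               # assumed local copy of metadata.xml
$groupSid     = "S-1-5-21-REPLACE-WITH-GROUP-SID"     # placeholder: SID of the SSO group

# Rule 1 (CustomMembershipRule): group membership -> role = staff.
# The URL claim type the template emits has been replaced with "role" (step 12).
$membershipRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "CustomMembershipRule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "role", Value = "staff", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Rule 2: the Active Directory attribute rule from step 15, verbatim.
$attributeRule = @'
@RuleName = "EdSmartAttributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("UserID", "mail", "givenName", "sn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,mail,givenName,sn,mail;{0}", param = c.Value);
'@

# Authorization: only members of the group may obtain a token (step 6 of the trust wizard).
$authorizationRule = @"
@RuleName = "PermitSsoGroup"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Create the trust from the metadata file and attach both rule sets in one call.
Add-AdfsRelyingPartyTrust -Name $displayName -MetadataFile $metadataPath `
    -IssuanceTransformRules ($membershipRule + "`n" + $attributeRule) `
    -IssuanceAuthorizationRules $authorizationRule

# Check: confirm the trust exists and the rule text was stored as intended.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

If the trust was already created through the wizard, replace Add-AdfsRelyingPartyTrust with Set-AdfsRelyingPartyTrust -TargetName $displayName and the same rule parameters; Set- overwrites the whole rule set, so include every rule you want to keep.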
Federation service name and identifier
1. In Server Manager, click Tools, and then select AD FS Management.
2. Right-click AD FS and click Edit Federation Service Properties...
3. Fill in the details.
adfs-sandbox-04 is the public name mapped to the IP address of the VM on which AD FS is installed.
Subdomain setup (Cloudflare and Azure)
1. The IP address of the VM, to be mapped to a domain in Cloudflare so the federation metadata XML can be reached.
2. A suitable school name that will be added as a subdomain under EdSmart for SSO.
3. On https://portal.azure.com go to App Services -> pp-front-production-au -> Custom domains.
   - Click Add hostname
   - Enter subdomain.edsmart.com as the Hostname
   - Select CNAME as the Hostname record type
   - Select pp-front-release-au.azurewebsite.net from the CNAME dropdown
   - Click Add/Finish
4. On https://portal.azure.com go to App Services -> pp-front-production-au -> SSL Settings.
   - Add SSL Binding
   - Select the hostname you just added in the previous step as the custom domain
   - Select the EdSmart certificate
   - Select SNI SSL as the SSL Type
   - Click Add Binding
5. Done with the subdomain.
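Steps 3 and 4 above can be done with the Az PowerShell module instead of the portal. This is an added example, not a script from the page or from EdSmart; it assumes Connect-AzAccount has already been run, that the resource group name and the certificate thumbprint are placeholders you fill in, that the school subdomain is "exampleschool", and that the EdSmart certificate is already uploaded to the App Service (only its thumbprint is needed for the binding). The Cloudflare CNAME itself is still created in the Cloudflare dashboard; the script only verifies it resolves before asking Azure to accept the hostname.

```powershell
# Added example (not from the page): custom hostname + SNI binding for the school subdomain.
Import-Module Az.Websites

$resourceGroup = "REPLACE-WITH-RESOURCE-GROUP"      # placeholder, not on the page
$webApp        = "pp-front-production-au"
$school        = "exampleschool"                     # assumed school name (step 2)
$hostname      = "$school.edsmart.com"
$thumbprint    = "REPLACE-WITH-EDSMART-CERT-THUMBPRINT"   # placeholder

# Azure rejects a custom hostname whose CNAME does not yet exist, so check DNS first
# (Resolve-DnsName ships with the DnsClient module on Windows).
$cname = Resolve-DnsName -Name $hostname -Type CNAME -ErrorAction Stop |
    Where-Object { $_.Type -eq "CNAME" } | Select-Object -First 1
Write-Host "CNAME for $hostname -> $($cname.NameHost)"

# Step 3 equivalent: Set-AzWebApp replaces the full hostname list, so append to the
# existing list rather than passing only the new name.
$app       = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webApp
$hostnames = @($app.HostNames) + $hostname | Select-Object -Unique
Set-AzWebApp -ResourceGroupName $resourceGroup -Name $webApp -HostNames $hostnames

# Step 4 equivalent: SNI SSL binding with the already-uploaded EdSmart certificate.
New-AzWebAppSSLBinding -ResourceGroupName $resourceGroup -WebAppName $webApp `
    -Name $hostname -Thumbprint $thumbprint -SslState SniEnabled

# Check: every bound hostname should now show SniEnabled with the expected thumbprint.
Get-AzWebAppSSLBinding -ResourceGroupName $resourceGroup -WebAppName $webApp |
    Select-Object Name, SslState, Thumbprint
```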
Configuration in IIS
1. Right-click the default site and click Edit Bindings.
2. Add an https binding and select the *.edsmart certificate while doing so.
How to add a self-signed certificate
1. Go to Server Certificates.
2. Select Create Self-Signed Certificate from the options on the right, give it a name in the wizard, and you are done.
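The IIS binding and the self-signed certificate from the two sections above can be created from PowerShell with the WebAdministration module. This is an added example, not a script from the page; the DNS name used for the self-signed certificate is assumed, and the subject match for the *.edsmart certificate is shown as a commented alternative because the real certificate's subject is not on the page. A self-signed certificate only makes sense on a sandbox host; clients will not trust it.

```powershell
# Added example (not from the page): https binding on the default site.
Import-Module WebAdministration

$siteName = "Default Web Site"

# Option A (sandbox): create a self-signed certificate in the machine store.
$cert = New-SelfSignedCertificate -DnsName "adfs-sandbox-04.example.com" `
    -CertStoreLocation "cert:\LocalMachine\My"          # DNS name is assumed

# Option B (production): use the installed *.edsmart certificate instead.
# $cert = Get-ChildItem cert:\LocalMachine\My |
#     Where-Object { $_.Subject -like "CN=*.edsmart.com*" } |
#     Sort-Object NotAfter -Descending | Select-Object -First 1

# Add the https binding if the site does not already have one on port 443.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress "*"
}

# Attach the certificate to the binding (equivalent of choosing it in the binding dialog).
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, "My")

# Check: the binding list should show https on 443 with this thumbprint.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation, certificateHash
```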
Adding a user
1. In Server Manager, click Tools, and then select Active Directory Users and Computers.
2. Right-click Users and select New -> User.
   - Fill in the details, click Next and give it a password.
   - Save the password for later use.
   - Click Finish.
3. Also add an email address to the user. For that
...
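The same user can be created with the ActiveDirectory PowerShell module, which also sets the email address in one step. This is an added example, not from the page; the user's name, logon name, UPN suffix, email domain and SSO group name are all assumed. The final Get-ADUser shows the mail, givenName and sn attributes that the custom claim rule in the Add Rules section reads, so it doubles as a check that the account will produce complete claims.

```powershell
# Added example (not from the page): create an SSO test user with an email address.
Import-Module ActiveDirectory

$sam      = "tteacher"                        # assumed logon name
$upn      = "$sam@example.local"              # assumed UPN suffix
$mail     = "$sam@example.com"                # assumed email domain
$ssoGroup = "EdSmart-SSO-Users"               # assumed group used for the role claim

# Prompt for the initial password instead of embedding it in the script;
# the page says to save it for later use, so store it in your password manager.
$password = Read-Host -AsSecureString -Prompt "Initial password for $sam"

New-ADUser -Name "Test Teacher" -GivenName "Test" -Surname "Teacher" `
    -SamAccountName $sam -UserPrincipalName $upn -EmailAddress $mail `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $false

# Membership in the SSO group is what the group-membership claim rule keys on.
Add-ADGroupMember -Identity $ssoGroup -Members $sam

# Check: these are exactly the attributes the AD attribute claim rule queries.
Get-ADUser -Identity $sam -Properties mail, givenName, sn |
    Select-Object SamAccountName, mail, givenName, sn
```

If the user already exists, replace New-ADUser with Set-ADUser -Identity $sam -EmailAddress $mail to add just the email address.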