Configuring SAML Single Sign-on

ADFS requires the MetaDefender Core endpoints it talks to (the SAML login URL set later in this guide) to use HTTPS, so enable HTTPS on MetaDefender Core before starting.

Add Relying Party Trust for ADFS

  1. In the top right corner of Server Manager, click Tools and select AD FS Management from the drop-down list.
  2. In the AD FS window, right-click Relying Party Trusts and select Add Relying Party Trust from the drop-down menu.
  3. In the Add Relying Party Trust Wizard, select Claims aware on the Welcome page and click Start.
  4. On the Select Data Source page, choose Enter data about the relying party manually and click Next.
  5. On the Specify Display Name page, provide a descriptive name for your relying party, e.g. MDCORE_SAML, and click Next.
  6. Click Next on the Configure Certificate page.
  7. On the Configure URL page, check Enable support for the SAML 2.0 WebSSO protocol and enter a placeholder such as https://myplaceholder for Relying party SAML 2.0 SSO service URL. The real URL is not known yet; it is replaced with the MetaDefender Core Login URL in "Modify Relying Party Trust on ADFS" below.
  8. On the Configure Identifiers page, set MDCORE_SAML as Relying party trust identifier, then click Add and Next. This value must match the custom entity ID entered in MetaDefender Core later.
  9. On the Choose Access Control Policy page, select Permit everyone and click Next. Permit everyone lets any authenticated domain user sign in to MetaDefender Core; what they may do is decided by the User Role assigned to the SAML directory in MetaDefender Core, so choose a narrower policy here if only a specific group should be able to log in at all.
  10. Click Next on the Ready to Add Trust page to save your information.
  11. If everything goes well, the Finish page is displayed; click Close.

Configure Claim Issuance Policy for ADFS

  1. In the Relying Party Trusts table of the AD FS window, locate the item MDCORE_SAML added in the previous step, right-click it, and select Edit Claim Issuance Policy... from the drop-down menu.
  2. Click Add Rule.
  3. Select Send LDAP Attributes as Claims for Claim rule template, and click Next.
  4. Enter a name for Claim rule name, for instance display_name. Select Active Directory for Attribute store. In the LDAP Attribute column, choose Display-Name from the drop-down list, type given_name in the Outgoing Claim Type column, and click Finish.
  5. Click Add Rule once more. At Choose Rule Type, select Transform an Incoming Claim for Claim rule template and click Next.
  6. Enter name_id for Claim rule name and given_name (from step 4) for Incoming claim type. Select Name ID for Outgoing claim type and Transient Identifier for Outgoing name ID format from the respective drop-down lists. Finally, check Pass through all claim values and click Finish.
  7. Click Apply and then OK to close the dialog.

Create a SAML directory in MetaDefender Core

  1. Sign in to MetaDefender Core.
  2. On the dashboard, click User Management in the left sidebar.
  3. On the User Management page, select the Directories tab and click Add Directory in the top right corner.
  4. On the Add Directory page, choose SAML as Directory type.
  5. Enter the name of the new directory, such as ADFS_SAML.
  6. In the Service Provider section, check Use custom entity ID and type MDCORE_SAML in the Custom entity ID text box. This must be exactly the Relying party trust identifier configured on ADFS.
  7. In the Service Provider section, fill in the Host or IP field with the address where MetaDefender Core is hosted, e.g. https://localhost:8008.
  8. Copy the Login URL; it is needed for the ADFS endpoint in the next section.

Modify Relying Party Trust on ADFS

  1. Open the AD FS Management tool from Server Manager, select Relying Party Trusts, right-click the item MDCORE_SAML, and choose Properties.
  2. Navigate to the Endpoints tab, select https://myplaceholder, and click Edit.
  3. Select POST from the Binding drop-down list. Check Set the trusted URL as default, then paste the Login URL copied from MetaDefender Core into Trusted URL and click OK.
  4. Click Apply and OK to complete the Relying Party Trust modification.
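The ADFS side of the three sections above (Add Relying Party Trust, Configure Claim Issuance Policy, Modify Relying Party Trust) can also be done with the ADFS PowerShell module on the ADFS server. The script below is an added example, not code from the OPSWAT page or from the product; it assumes the guide's MDCORE_SAML name and identifier, and it prompts for the MetaDefender Core Login URL rather than guessing it. The claim rules are the text ADFS generates for the two GUI rule templates used above.

```powershell
# Added example (not from the OPSWAT page): ADFS relying party trust for
# MetaDefender Core, done in PowerShell instead of the AD FS Management GUI.
Import-Module ADFS

$rpName       = 'MDCORE_SAML'   # Display Name of the relying party trust (assumed, as in the guide)
$rpIdentifier = 'MDCORE_SAML'   # Relying party trust identifier; must equal the custom entity ID in MetaDefender Core

# Claim rules equivalent to the two rules created in the GUI:
#  1. "Send LDAP Attributes as Claims": AD displayName -> outgoing claim type given_name
#  2. "Transform an Incoming Claim": given_name -> Name ID, Transient Identifier format, pass-through value
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "display_name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("given_name"), query = ";displayName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "name_id"
c:[Type == "given_name"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# "Add Relying Party Trust": claims-aware trust with the identifier and claim rules.
# 'Permit everyone' is what the guide selects; every authenticated domain user can
# then reach MetaDefender Core, so use a narrower access control policy if only a
# group of administrators should be able to sign in.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $rpIdentifier `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules

# "Modify Relying Party Trust": once the SAML directory exists in MetaDefender
# Core, set its Login URL as the default POST assertion consumer endpoint.
# When scripting, the https://myplaceholder step is not needed.
$mdcoreLoginUrl = Read-Host 'Paste the Login URL copied from the MetaDefender Core SAML directory page'
if ($mdcoreLoginUrl -notmatch '^https://') {
    throw "ADFS only accepts HTTPS relying party endpoints; got '$mdcoreLoginUrl'"
}
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $mdcoreLoginUrl -Index 0 -IsDefault $true
Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlEndpoint $acs

# Verify what ADFS will actually use before testing the login.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, AccessControlPolicyName,
        @{ n = 'SamlEndpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location) default=$($_.IsDefault)" } } }
```

Run it in an elevated PowerShell session on the ADFS server as a member of the ADFS administrators. The final Get-AdfsRelyingPartyTrust output should list the MDCORE_SAML identifier and exactly one SAMLAssertionConsumer POST endpoint pointing at the MetaDefender Core Login URL with default=True.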

Complete configuration in MetaDefender Core

  1. Open the AD FS Management tool from Server Manager and expand AD FS --> Service --> Endpoints. In the Endpoints panel, navigate to the Metadata section and copy the URL path of the endpoint whose type is Federation Metadata.
  2. Build the complete URL to the metadata endpoint by appending the path from step 1 to the fully qualified domain name of the ADFS server, i.e. https://<adfs-fqdn><metadata-path>.
  3. Switch back to MetaDefender Core. Under the Identity Provider section, click Fetch URL, paste the URL built in step 2 into the box, and click OK so that MetaDefender Core reads the ADFS metadata (entity ID, SSO endpoint and signing certificate) and sets ADFS as its IdP.
  4. Under the Service Provider section, fill in User identified by with the Outgoing Claim Type configured in the claim rules, e.g. ${given_name}.
  5. Select the role to assign to users signing in through this directory under User Role.
  6. Click Add to save the directory.
  7. On the User Management screen, toggle the new directory (ADFS_SAML in this example). A dialog box appears to confirm the action. Once Enable is clicked, all existing sessions expire immediately and ADFS is used to authenticate users from then on.

Test the integration

  1. Click Login on the MetaDefender Core home screen; the browser is redirected to the ADFS sign-in page.
  2. Sign in with a domain account.
  3. If everything goes right, the MetaDefender Core dashboard is displayed with the user identity (the given_name claim) shown in the top right corner.
  4. Otherwise, use the backup login page at <mdcore-host>#/public/backuplogin to sign in with a local MetaDefender Core account and troubleshoot, so that a broken ADFS configuration does not lock you out.
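When Fetch URL fails or a login that used to work stops working, the first things to check are the metadata URL built in "Complete configuration in MetaDefender Core" and the ADFS signing certificate that MetaDefender Core imported from it. The script below is an added example, not code from the OPSWAT page or the product: it builds the federation metadata URL the way step 2 of that section describes, fetches the document, and prints what MetaDefender Core will import. It assumes it runs on the ADFS server with the ADFS module available; elsewhere, set $metadataUrl by hand to https://<adfs-fqdn><metadata-path>.

```powershell
# Added example (not from the OPSWAT page): inspect the ADFS federation metadata
# that MetaDefender Core's Fetch URL reads.
Import-Module ADFS

# Step 1-2 of the guide: Federation Metadata endpoint path joined to the ADFS host name.
$adfsHost    = (Get-AdfsProperties).HostName
$mdEndpoint  = Get-AdfsEndpoint | Where-Object { $_.Protocol -eq 'Federation Metadata' }
$metadataUrl = "https://$adfsHost$($mdEndpoint.AddressPath)"
Write-Host "Federation metadata URL: $metadataUrl"

# Fetch the same document MetaDefender Core's Fetch URL will read.
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$md = $resp.Content
$idp = $md.EntityDescriptor.IDPSSODescriptor

Write-Host "IdP entity ID : $($md.EntityDescriptor.entityID)"
$postSso = $idp.SingleSignOnService | Where-Object { $_.Binding -like '*HTTP-POST' }
Write-Host "POST SSO URL  : $($postSso.Location)"
Write-Host "Name ID formats offered: $($idp.NameIDFormat -join ', ')"

# The signing certificate is what MetaDefender Core uses to validate the SAML
# response. ADFS rotates it automatically when AutoCertificateRollover is on, and
# after a rollover Fetch URL has to be run again in MetaDefender Core, so flag
# certificates that are about to expire.
$signing = $idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' }
foreach ($kd in $signing) {
    $raw  = [Convert]::FromBase64String($kd.KeyInfo.X509Data.X509Certificate)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    Write-Host ("Signing cert  : {0}  thumbprint={1}  expires={2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate expires within 30 days; re-run Fetch URL in MetaDefender Core after rollover."
    }
}
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateRolloverInterval
```

If the thumbprint printed here differs from the one MetaDefender Core shows for the ADFS identity provider, the directory is still pinned to an old signing certificate; fetching the metadata URL again in the directory settings fixes that without touching ADFS.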