Microsoft AD FS Integration with ETV

AUDIENCE
Institution administrators. It is recommended that this configuration be performed by an experienced Windows Server administrator.

PURPOSE
Setting up EnhanceTV SSO for a whole institution.

Reference: https://docs.pivotal.io/p-identity/1-2/adfs/config-adfs.html#adfs
Active Directory Federation Services (AD FS, also written ADFS) is Microsoft's implementation of authentication federation. It is also the technology used to federate Office 365 / Azure Active Directory with an on-premises domain, and it provides SSO to web applications such as EnhanceTV in the same way.
Setting it up is similar in concept to setting up a Google SAML account (see the separate help document on Google SAML setup).
What you are doing is adding a Relying Party Trust for EnhanceTV: AD FS acts as the identity provider (IdP) and EnhanceTV is the relying party, or service provider (SP).
NOTE: It is recommended that this configuration be performed by an experienced Windows Server administrator.
TERMINOLOGY
The terminology used by Microsoft is different to Google's terminology for setting up SAML SSO, but the operation is conceptually the same. EnhanceTV still needs to have the ADFS IdP metadata put into the school's SSO Setup as described in the previous section, and the ADFS equivalent of the SAML application setup will still need EnhanceTV's SP metadata.
Claim: the AD FS equivalent of the Name ID Format and the attribute mapping on the Google Admin Console.
Claim Mapping: EnhanceTV uses the email address, so that needs to be included in the claim attribute mapping. The Name ID Format should be the equivalent of "unspecified" (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified).
ADFS SSO INFORMATION
This article will provide guidance on SAML integration with EnhanceTV.
It is important to understand that the SAML integration process is an HTTPS-only process: the federation service is only ever contacted over TLS, so customers must ensure that the certificate presented by their federation service is an RSA certificate of at least 2048 bits issued by a reputable Certificate Authority.
Currently EnhanceTV supports Single Sign-On (SSO) integration for most SAML 2.0-based authentication systems, including but not limited to:
• Active Directory Federation Services (ADFS)
NOTE:
• If the implementation of Single Sign-On at your institution will lead to a change in the e-mail addresses that users at your institution currently use for EnhanceTV access, please ensure that this is specified when sending your completed SSO setup information back to EnhanceTV. This is necessary so that EnhanceTV can assess whether users' existing EnhanceTV material, such as Workspace videos and Playlists, will need to be migrated when SSO is enabled for your institution.
• If you are not sure of this, please contact EnhanceTV Support for further guidance prior to commencing the SSO setup.
Find the URL for your institution's geographic location under the SSO Setup area of your EnhanceTV admin account.
For example: https://www.enhancetv.com.au/saml2/25100/metadata where 25100 is the ID of the users' institution, generated by the website. This is the EnhanceTV SP metadata that the Relying Party Trust wizard will import.
NOTE: Please ensure that the On-Boarding Document contains your own institution's metadata URL and entity ID (your AD FS federation metadata, normally published at https://<federation service name>/FederationMetadata/2007-06/FederationMetadata.xml), not that of EnhanceTV.
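Before importing the EnhanceTV metadata URL above into a trust, it is worth looking at what it contains and confirming that your own federation service meets the HTTPS / 2048-bit RSA requirement. The PowerShell below is an added example, not part of the EnhanceTV document or its procedure. It parses a constructed sample of SAML 2.0 SP metadata (shaped like, but not copied from, EnhanceTV's real output) to report the entity ID, assertion consumer endpoints and Name ID formats, and checks the TLS certificate served by a placeholder federation service host (fs.school.example); the institution ID 25100 is the document's own example.

```powershell
# Added example, not from the EnhanceTV document. Inspects the SP metadata the
# Relying Party Trust wizard will import, and checks the TLS certificate on the
# institution's own federation service. fs.school.example is a placeholder host.

# The document's own example URL; 25100 is the institution ID shown above.
$SpMetadataUrl = 'https://www.enhancetv.com.au/saml2/25100/metadata'

# Constructed sample metadata (the shape of SAML 2.0 SP metadata, not real
# EnhanceTV output) so the checks can be exercised offline. For the live document:
#   [xml]$SpMetadata = (Invoke-WebRequest -Uri $SpMetadataUrl -UseBasicParsing).Content
[xml]$SpMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://www.enhancetv.com.au/saml2/25100/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://www.enhancetv.com.au/saml2/25100/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
'@

function Test-SpMetadata {
    param([xml]$Metadata)
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $entity  = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    $acs     = $Metadata.SelectNodes('/md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService', $ns)
    $nameIds = $Metadata.SelectNodes('/md:EntityDescriptor/md:SPSSODescriptor/md:NameIDFormat', $ns) |
               ForEach-Object { $_.InnerText }
    $findings = @()
    if ($null -eq $entity) { $findings += 'No EntityDescriptor found' }
    if ($acs.Count -eq 0)  { $findings += 'No AssertionConsumerService endpoint' }
    foreach ($a in $acs) {
        # The assertion carries the user's identity; it must only ever be posted over TLS.
        if ($a.Location -notmatch '^https://') { $findings += "ACS endpoint is not HTTPS: $($a.Location)" }
    }
    [pscustomobject]@{
        EntityID      = $entity.entityID    # the SP identifier the trust will be keyed on
        AcsEndpoints  = @($acs | ForEach-Object { "$($_.Binding) -> $($_.Location)" })
        NameIDFormats = @($nameIds)
        Findings      = $findings
    }
}

function Get-ServerCertificateInfo {
    # Opens a TLS session to the host and reports the certificate it presents.
    # AuthenticateAsClient throws if the chain does not validate to a trusted CA.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keySize = if ($rsa) { $rsa.KeySize } else { 0 }   # 0 means the key is not RSA
        [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            KeySize   = $keySize
            Meets2048 = ($keySize -ge 2048)
        }
    } finally { $client.Close() }
}

Test-SpMetadata -Metadata $SpMetadata | Format-List
Get-ServerCertificateInfo -HostName 'fs.school.example' | Format-List
```

Any entry in Findings, a KeySize below 2048, or an exception from AuthenticateAsClient (an untrusted or mismatched certificate) should be resolved before the trust is created.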
INTEGRATION PROCESS WITH MICROSOFT ADFS 2.0 / 3.0
Before you start, please ensure your ADFS 'Organisation' information is published with your Federation Metadata.
1. Right-click on the AD FS folder in the top left hand pane and select 'Edit Federation Service Properties'
2. Click the Organization tab
3. Tick the Publish organization information in federation metadata check box
4. Complete the fields in the Support contact information section. It is mandatory that this section is completed with valid data.
NOTE: Customers running an Active Directory with a functional level of 2003 or higher will be able to take advantage of Microsoft's ADFS 2.0 or 3.0 SSO system for integrating with EnhanceTV Online.
INSTALLING ACTIVE DIRECTORY FEDERATION SERVICES (AD FS) ON A WINDOWS 2008 R2 SERVER
Below is a brief walk-through of how the ADFS service can be configured on a Windows 2008 R2 server. Support for setting up an AD FS farm is beyond the scope of this help documentation and the procedure below is provided as a courtesy. Seek additional support before attempting this procedure if required.
1. Open Start
2. Click Administrative Tools
3. Click AD FS 2.0 Management (or AD FS Management on an AD FS 3.0 server)
4. Click AD FS 2.0 Federation Server Configuration Wizard
5. Click the Create a new Federation Service radio button
6. Click the New federation server farm radio button
NOTE: Choose the New federation server farm option even if you only plan to deploy one server. A stand-alone federation server cannot have further servers joined to it later, so you would not be able to expand it into a farm.
NOTE: If you get the error message "The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.", the HOST service principal name (SPN) for that federation service name is already registered on another account. Either choose a different federation service name, or use setspn.exe to find the account holding the SPN and register it on the AD FS service account instead.
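The SPN conflict above can be traced and fixed from an elevated prompt on a domain-joined machine. The commands below are an added example, not part of the EnhanceTV document; fs.school.example and SCHOOL\svc_adfs are placeholder names for the federation service name and the AD FS service account chosen in the wizard, and SCHOOL\oldaccount is a placeholder for whichever account the query turns out to hold the SPN.

```powershell
# Added example, not from the EnhanceTV document: locate and correct the HOST SPN
# that the AD FS Federation Server Configuration Wizard needs on the service account.
# fs.school.example, SCHOOL\svc_adfs and SCHOOL\oldaccount are placeholders.

$FederationServiceName = 'fs.school.example'
$ServiceAccount        = 'SCHOOL\svc_adfs'
$Spn                   = "HOST/$FederationServiceName"

# 1. Which account currently holds the SPN? (-Q queries the domain for an existing SPN)
setspn -Q $Spn

# 2. Any duplicate SPNs at all? Duplicates break Kerberos for every account involved.
setspn -X

# 3. If the SPN sits on a stale or wrong account, remove it there first.
#    (Uncomment once the account from step 1 has been confirmed.)
# setspn -D $Spn 'SCHOOL\oldaccount'

# 4. Register it on the AD FS service account. -S checks for duplicates before adding,
#    so it fails safely rather than creating a second holder.
setspn -S $Spn $ServiceAccount

# 5. Confirm the service account now lists the SPN, then re-run the wizard.
setspn -L $ServiceAccount
```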
CONFIGURING FEDERATION TRUST WITH ENHANCETV
Now that the ADFS service has been installed you are ready to set up the Relying Party Trust.
1. In the AD FS Management console, select Relying Party Trusts (under Trust Relationships)
2. Click Add Relying Party Trust
3. Click Next. The Add Relying Party Trust wizard will run.
4. Select the Import data about the relying party published online or on a local network radio button
5. In the Federation metadata address field, enter the EnhanceTV SAML Metadata URL. As mentioned at the start of this article, this is obtained from the SSO Setup area of your admin account.
6. Click Next
The Specify Display Name screen displays.
7. You can retain the default Display Name or change it accordingly. This name will display in your list of relying party trusts, so we recommend that it is set to EnhanceTV.
9. Select Permit all users to access this relying party and click Next
10. Click Next & Finish
11. If you are running AD FS 3.0, it is necessary to ensure that both Forms Authentication and Windows Authentication are enabled within the Global Authentication Policy, as per the screenshot below:
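The wizard steps above, from importing the metadata to the AD FS 3.0 authentication policy, as the equivalent AD FS PowerShell. This is an added example and not part of the EnhanceTV document. It assumes the ADFS module (AD FS 3.0 on Windows Server 2012 R2), or the Microsoft.Adfs.PowerShell snap-in on AD FS 2.0 where noted; the metadata URL is the document's own example, and the trust name EnhanceTV follows the recommendation in step 7.

```powershell
# Added example, not from the EnhanceTV document: the Add Relying Party Trust wizard
# (steps 4 to 11 above) as AD FS PowerShell.

Import-Module ADFS                        # AD FS 3.0
# Add-PSSnapin Microsoft.Adfs.PowerShell  # AD FS 2.0: use this instead of the line above

$TrustName   = 'EnhanceTV'
$MetadataUrl = 'https://www.enhancetv.com.au/saml2/25100/metadata'   # document's example

# Step 9 ("Permit all users to access this relying party") as an issuance
# authorization rule; this is the rule the wizard generates for that choice.
$PermitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 4 to 10: import the SP metadata over HTTPS and create the trust.
# Monitoring/auto-update keeps the trust in step with EnhanceTV's metadata, so a
# rollover of their signing or encryption certificate does not break sign-in.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceAuthorizationRules $PermitAll

# Check what was actually imported before going further: the identifier must be
# EnhanceTV's entity ID and every SAML endpoint must be an https:// location.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
$rp | Select-Object Name, Identifier, SignedSamlRequestsRequired, EncryptClaims
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location

# Step 11 (AD FS 3.0 only): Forms and Windows authentication in the global policy.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication')
```

Windows authentication is listed for the intranet only; exposing it on the extranet side adds nothing for browser SSO and widens what an external client can probe.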
CREATING CLAIM RULES FOR EXPOSURE OVER SAML ADFS 2.0 / 3.0
For successful ADFS integration with EnhanceTV we require the following attributes to be exposed as outgoing claims:
• Email Address
• Given Name
• Display Name
During the authentication process, the user's group membership is enumerated and the respective group membership that is mapped to EnhanceTV is chosen.
In accordance with the SAML2 protocol the following rule templates must be used when exposing the above attributes over ADFS.
There are 2 options for mapping outgoing claim rules to EnhanceTV.
1. Issuance Mapping Option (Easiest)
2. Custom Rules Options (Technical)
OPTION 1: ISSUANCE MAPPING OPTION (EASIEST)
The easiest way to map the outgoing claims for EnhanceTV is to use the built-in issuance transform rule templates in the Edit Claim Rules dialog (Send LDAP Attributes as Claims for the three attributes, and Transform an Incoming Claim to issue the email address as the Name ID), rather than writing rules by hand.
NOTE: The attribute-to-claim mapping will vary depending on your AD FS set up.
5. Once the above attributes have been mapped, add them to the SSO Setup area of the management account. Contact EnhanceTV Technical Support with your completed details for support with the integration process.
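Option 2 (custom rules) written out in AD FS claim rule language, for the three required attributes and the email address as the Name ID in the "unspecified" format from the TERMINOLOGY section, together with an issuance authorization rule scoped to the Active Directory group mapped to EnhanceTV. This is an added example, not part of the EnhanceTV document. It assumes a standard Active Directory schema (mail, givenName, displayName), a trust named EnhanceTV, a placeholder group named EnhanceTV Users, the RSAT ActiveDirectory module for the group lookup, and that the outgoing claim types used below are the ones EnhanceTV expects; confirm that last point with EnhanceTV Technical Support when you send your details.

```powershell
# Added example, not from the EnhanceTV document: Option 2 custom claim rules for the
# EnhanceTV trust. Attribute names, trust name, group name and outgoing claim types
# are assumptions as described in the lead-in.

Import-Module ADFS                # AD FS 3.0; on AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ActiveDirectory     # RSAT; only needed for the group SID lookup

$TrustName = 'EnhanceTV'
$GroupSid  = (Get-ADGroup -Identity 'EnhanceTV Users').SID.Value

# Issuance transform rules: one LDAP query for all three attributes, then the
# email address copied into the Name ID with the "unspecified" format.
# Single-quoted here-string so {0} and c.Value are passed through untouched.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "EnhanceTV: email, given name and display name from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,givenName,displayName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "EnhanceTV: email address as Name ID (unspecified)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Issuance authorization rule: only members of the mapped group receive a token for
# EnhanceTV. This is tighter than the wizard's "Permit all users" choice and matches
# the group-membership mapping described above.
$AuthorizationRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit members of EnhanceTV Users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Read the rules back to confirm they parsed and were stored on the trust.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
$rp.IssuanceTransformRules
$rp.IssuanceAuthorizationRules
```

Set-AdfsRelyingPartyTrust replaces the whole rule set on the trust, so keep the full text of the rules under change control rather than editing individual rules in the console afterwards.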
SAML2 ATTRIBUTES FOR INTEGRATION WITH 3RD PARTY IDPs
Due to the many different IdP solutions in the market implementing the SAML2 protocol, we have compiled a list of the necessary attributes required to be exposed over your respective IdP in order for successful federation with EnhanceTV.
These documents are provided as a helpful guide only. EnhanceTV is not responsible for the accuracy or completeness of the content within the documents or any issues arising from the application of the instructions provided. Users are advised to seek their own technical assistance from qualified experts.