Authenticate users with AD FS and DigiCert® account
This guide provides all the steps needed to integrate Active Directory Federation Service (AD FS) with your existing DigiCert services so your Active Directory users can have a single sign-on experience when accessing DigiCert® Trust Assistant.
Introduction
Active Directory Federation Service (AD FS) manages authentication, through a proxy service, for users in an Active Directory domain who need access to an application not in that domain. By enabling SAML authentication between DigiCert ONE and AD FS, your Active Directory users can have a single sign-on experience with DigiCert® Trust Assistant.
As part of the integration process, you must configure SAML settings in Account Manager (AM) and create a relying party trust in AD FS. You must also transfer DigiCert's metadata to the trust and the trust's metadata to DigiCert. To complete this process, we recommend that you use the Checklist for integrating AD FS with DigiCert® Trust Assistant.
Checklist for integrating AD FS with DigiCert® Trust Assistant
Use the following checklist to integrate Active Directory Federation Service (AD FS) with DigiCert® Trust Assistant. Perform the tasks in the listed order.
Task | Section
---|---
Ensure that you and your environment meet the requirements for integration. | Prerequisites
Enable SAML authentication in DigiCert® Account Manager | Enable SAML authentication in DigiCert® Account Manager
In AD FS, add a relying party trust for DigiCert® | Add a relying party trust
In AD FS, add rules that match attributes in Active Directory to claims in the relying party | Add rules to a relying party trust
In AD FS, ensure that the trust uses SAML signing for both requests and assertions | Enable SAML request signing on the relying party trust
Save the AD FS metadata and upload it to Account Manager (AM) | Configure SAML authentication
Prerequisites
To integrate Active Directory Federation Service (AD FS) with your DigiCert® account, you and your working environment must meet the following requirements:
Your environment is a managed Windows domain.
AD FS is installed in the domain.
You have permission to configure AD FS.
Enable SAML authentication in DigiCert® Account Manager
Use single sign-on (SSO) with security assertion markup language (SAML) to connect your identity provider (IDP) with DigiCert ONE. You configure SAML authentication settings in Account Manager (AM). You will also download metadata that you need for configuring the Active Directory Federation Service.
For the detailed procedure, see Configure single sign-on with SAML.
Add a relying party trust
In the snap-in for Active Directory Federation Service (AD FS) management, you add a relying party trust to represent the trust between the Federation Service and DigiCert® ONE.
Note
For this part of the process, you need the DigiCert® metadata that you downloaded in Enable SAML authentication in DigiCert® Account Manager.
Sign in as an administrator to the Windows server where you have installed AD FS.
Your sign-in account must have permission to configure AD FS settings.
From Server Manager, open AD FS > Tools > AD FS Management.
Select Relying Party Trust > Add Relying Party Trust.
In the Add Relying Party Trust wizard, select Claims aware.
Select Start.
To specify the data source, complete the following steps:
Select Import data about the relying party from a file.
For the Federation metadata file location, browse to the DigiCert® metadata file that you previously exported.
Select Next.
For Specify Display Name, enter a name for the relying party, then select Next.
For Choose Access Control Policy, select the policy that you want to use for the trust, then select Next.
In the Ready to Add Trust page, verify the configuration settings, then select Next.
Select the Configure claims issuance policy for the application checkbox.
Select Close.
Add rules to a relying party trust
The integration process needs to match attributes in Active Directory to claims in the relying party, which in this case is a DigiCert® application. To map and send the attributes, you add two rules to the relying party trust that you previously created.
Open the AD FS Management console.
Select Relying Party Trusts, then select the trust that you want to configure.
Select Edit Claim Issuance Policy...
To configure the rule for mapping LDAP attributes to claims in the relying party, select Add Rule.
For the Rule Type in the Add Transform Claim Rule wizard, select Send LDAP Attributes as Claims, then select Next.
To configure the rule attributes, complete the following steps:
Enter a name for the rule.
For Attribute store, select Active Directory.
Map the LDAP attributes to outgoing claim types as indicated in the following table:

LDAP Attribute | Outgoing Claim Type
---|---
E-Mail-Addresses | Select E-Mail Address
Given-Name | Type in firstName
Surname | Type in lastName
(Optional) Add more LDAP attributes from your identity provider that you want to expose in the SAML response.
For example, to include group membership for each user, map the LDAP Attribute Is-Member-of-DL to the outgoing claim type Group. This configuration produces a SAML response of the following form:

```xml
...
<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>user1@test.digicert.com</AttributeValue>
  </Attribute>
  <Attribute Name="firstName">
    <AttributeValue>Demo</AttributeValue>
  </Attribute>
  <Attribute Name="lastName">
    <AttributeValue>User1</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>CN=DigiCert Test Users,CN=Users,DC=test,DC=digicert,DC=com</AttributeValue>
    <AttributeValue>CN=Remote Management Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
    <AttributeValue>CN=Remote Desktop Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
  </Attribute>
</AttributeStatement>
...
```
Select Finish.
To configure the rule for sending the mapped LDAP attributes to the relying party trust, select Add Rule.
For the Rule Type in the Add Transform Claim Rule wizard, select Transform an Incoming Claim, then select Next.
Enter a name for the rule.
For Incoming claim type, select E-Mail Address.
For Outgoing claim type, select Name ID.
For Outgoing Name ID format, select Email.
Select Pass through all claim values.
Select Finish.
Enable SAML request signing on the relying party trust
To enable signing for both the SAML request and the assertion, modify the AD FS configuration. After a SAML request is authenticated, the identity provider and the service provider exchange assertion messages that identify the user and state what the user is authorized to access.
DigiCert ONE requires that both the SAML request and assertion be signed by the identity provider.
Open PowerShell with an administrator account that has permission to edit the AD FS configuration.
Enter the following command, where <Relying Party Name> is the name of the service provider (the relying party trust):

```powershell
Set-AdfsRelyingPartyTrust -targetname "<Relying Party Name>" -SamlResponseSignature MessageAndAssertion
```

For example:

```powershell
Set-AdfsRelyingPartyTrust -targetname "SAML DC1 Login" -SamlResponseSignature MessageAndAssertion
```
Configure SAML authentication
To give your Active Directory users a single sign-on experience with DigiCert ONE, set up authentication through security assertion markup language (SAML). As part of the process, you will configure SAML authentication settings in Account Manager (AM). You also must exchange metadata between the relying party trust in AD FS and DigiCert by downloading an xml file from each application and uploading it to the other. This section includes steps for downloading the DigiCert metadata and for uploading the AD FS metadata.
Open https://<adfs_host>/FederationMetadata/2007-06/FederationMetadata.xml in a browser and save the XML.
Access the Account Manager (AM) Single sign-on with SAML page and select Upload IDP metadata.
Upload the FederationMetadata.xml file downloaded from AD FS and select Save.
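The download step above done from PowerShell, with a check that the signing certificate published in FederationMetadata.xml is the token-signing certificate AD FS currently uses. This is an added example, not part of the DigiCert page; $AdfsHost is a placeholder for your AD FS hostname. Uploading metadata that carries a stale certificate (for example after an automatic certificate rollover) is a common reason the later login test fails.

```powershell
# Added example (not from the DigiCert page). Assumption: $AdfsHost is the
# hostname of your AD FS farm; the path is the one given in the procedure.
$AdfsHost    = "adfs.example.test"
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$OutFile     = Join-Path $env:TEMP "FederationMetadata.xml"

Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

[xml]$md = Get-Content -Path $OutFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# entityID is the issuer value DigiCert ONE will associate with this IdP.
$entityId = $md.DocumentElement.GetAttribute("entityID")

# Signing certificates advertised for the IdP SSO role in the metadata.
$certNodes = $md.SelectNodes(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
    $ns)
$published = foreach ($n in $certNodes) {
    $bytes = [Convert]::FromBase64String(($n.InnerText -replace '\s', ''))
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $bytes)).Thumbprint
}

# The certificate AD FS actually signs tokens with at this moment.
$active = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint

"entityID:                         $entityId"
"Published signing thumbprint(s):  $($published -join ', ')"
"Primary token-signing thumbprint: $active"
if ($published -contains $active) {
    "OK: $OutFile matches the active token-signing certificate; upload it to Account Manager."
} else {
    throw "MISMATCH: metadata does not contain the active token-signing certificate; re-download before uploading."
}
```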
Note
After you complete this procedure, refer to Create a DigiCert ONE Login profile for the next steps.
Troubleshooting
If login fails while you create a test user and issue a certificate, the new configuration may not have been applied on AD FS.
Open services.msc and restart the Active Directory Federation Services service.