
Authenticate users with AD FS and DigiCert® account

This guide provides all the steps needed to integrate Active Directory Federation Service (AD FS) with your existing DigiCert services so your Active Directory users can have a single sign-on experience when accessing DigiCert® Trust Assistant.

Introduction

Active Directory Federation Service (AD FS) manages authentication, through a proxy service, for users in an Active Directory domain who need access to an application not in that domain. By enabling SAML authentication between DigiCert ONE and AD FS, your Active Directory users can have a single sign-on experience with DigiCert® Trust Assistant.

As part of the integration process, you must configure SAML settings in Account Manager (AM) and create a relying party trust in AD FS. You must also transfer DigiCert's metadata to the trust and the trust's metadata to DigiCert. To complete this process, we recommend that you use the Checklist for integrating AD FS with DigiCert® Trust Assistant.

Checklist for integrating AD FS with DigiCert® Trust Assistant

Use the following checklist to integrate Active Directory Federation Service (AD FS) with DigiCert® Trust Assistant. Perform the tasks in the listed order.

Table 1. Checklist

  1. Ensure that you and your environment meet the requirements for integration. (Section: Prerequisites)

  2. Enable SAML authentication in DigiCert® Account Manager. (Section: Enable SAML authentication in DigiCert® Account Manager)

  3. In AD FS, add a relying party trust for DigiCert®. (Section: Add a relying party trust)

  4. In AD FS, add rules that match attributes in Active Directory to claims in the relying party. (Section: Add rules to a relying party trust)

  5. In AD FS, ensure that the trust uses SAML signing for both requests and assertions. (Section: Enable SAML request signing on the relying party trust)

  6. Save the AD FS metadata and upload it to Account Manager (AM). (Section: Configure SAML authentication)


Prerequisites

To integrate Active Directory Federation Service (AD FS) with DigiCert® account, you or your working environment must comply with the following requirements:

  • Your environment is a managed Windows domain.

  • AD FS is installed in the domain.

  • You have permission to configure AD FS.

Enable SAML authentication in DigiCert® Account Manager

Use single sign-on (SSO) with security assertion markup language (SAML) to connect your identity provider (IDP) with DigiCert ONE. You configure SAML authentication settings in Account Manager (AM). You will also download metadata that you need for configuring the Active Directory Federation Service.

For the detailed procedure, see Configure single sign-on with SAML.

Add a relying party trust

In the snap-in for Active Directory Federation Service (AD FS) management, you add a relying party trust to represent the trust between the Federation Service and DigiCert® ONE.

Note

For this part of the process, you need the DigiCert® metadata that you downloaded in Enable SAML authentication in DigiCert® Account Manager.

  1. Sign in as an administrator to the Windows server where you have installed AD FS.

    Your sign-in account must have permission to configure AD FS settings.

  2. From Server Manager, open AD FS > Tools > AD FS Management.

  3. Select Relying Party Trust > Add Relying Party Trust.

  4. In the Add Relying Party Trust wizard, select Claims aware.

  5. Select Start.

  6. To specify the data source, complete the following steps:

    1. Select Import data about the relying party from a file.

    2. For the Federation metadata file location, browse to the DigiCert® metadata file that you previously exported.

    3. Select Next.

  7. For Specify Display Name, enter a name for the relying party, then select Next.

  8. For Choose Access Control Policy, select the policy that you want to use for the trust, then select Next.

  9. In the Ready to Add Trust page, verify the configuration settings, then select Next.

  10. Select the Configure claims issuance policy for the application checkbox.

  11. Select Close.

Add rules to a relying party trust

The integration process needs to match attributes in Active Directory to claims in the relying party, which in this case is a DigiCert​​®​​ application. To map and send the attributes, you add two rules to the relying party trust that you previously created.

  1. Open the AD FS Management console.

  2. Select Relying Party Trusts, then select the trust that you want to configure.

  3. Select Edit Claim Issuance Policy...

  4. To configure the rule for mapping LDAP attributes to claims in the relying party, select Add Rule.

  5. For the Rule Type in the Add Transform Claim Rule wizard, select Send LDAP Attributes as Claims, then select Next.

  6. To configure the rule attributes, complete the following steps:

    1. Enter a name for the rule.

    2. For Attribute store, select Active Directory.

    3. Map the LDAP attributes to outgoing claim types as indicated in the following table:

      LDAP Attribute      Outgoing Claim Type
      E-Mail-Addresses    Select E-Mail Address
      Given-Name          Type in firstName
      Surname             Type in lastName

  7. (Optional) Add more LDAP attributes from your identity provider that you want to expose in the SAML response.

    For example, to include group membership for each user, map the LDAP attribute Is-Member-of-DL to the outgoing claim type Group. With this configuration, AD FS produces a SAML response of the following form:

    ...
      <AttributeStatement>
       <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>user1@test.digicert.com</AttributeValue>
       </Attribute>
       <Attribute Name="firstName">
        <AttributeValue>Demo</AttributeValue>
       </Attribute>
       <Attribute Name="lastName">
        <AttributeValue>User1</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <AttributeValue>CN=DigiCert Test Users,CN=Users,DC=test,DC=digicert,DC=com</AttributeValue>
        <AttributeValue>CN=Remote Management Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
        <AttributeValue>CN=Remote Desktop Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
       </Attribute>
      </AttributeStatement>
    ...
  8. Select Finish.

  9. To configure the rule for sending the mapped LDAP attributes to the relying party trust, select Add Rule.

  10. For the Rule Type in the Add Transform Claim Rule wizard, select Transform an Incoming Claim, then select Next.

  11. Enter a name for the rule.

  12. For Incoming claim type, select E-Mail Address.

  13. For Outgoing claim type, select Name ID.

  14. For Outgoing Name ID format, select Email.

  15. Select Pass through all claim values.

  16. Select Finish.
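The relying party trust and the two claim rules from the procedures above, as an added PowerShell example that is not DigiCert's or Microsoft's own script; the trust name, the metadata file path and the "Permit everyone" access control policy are assumptions to adjust for your environment.

```powershell
# Added example (not DigiCert's or Microsoft's own script): creates the relying party trust
# and the two claim rules from the procedures above with the AD FS PowerShell module instead
# of the wizard. The trust name, metadata path and access control policy are assumptions.
Import-Module ADFS

$TrustName    = "SAML DC1 Login"                    # display name chosen in the wizard
$MetadataFile = "C:\Temp\digicert-sp-metadata.xml"  # DigiCert metadata exported from Account Manager

# Rule 1 ("Send LDAP Attributes as Claims"): mail, givenName and sn from Active Directory
# become the emailaddress, firstName and lastName claims listed in the mapping table.
# To add the optional group claim, append memberOf to the query and
# "http://schemas.xmlsoap.org/claims/Group" to the types list.
$LdapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "DigiCert user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "firstName", "lastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Rule 2 ("Transform an Incoming Claim"): the e-mail claim becomes the SAML Name ID in the
# Email format; all claim values pass through unchanged.
$NameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "E-mail to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Import the DigiCert metadata (identifier, endpoints, certificate) and attach both rules.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataFile $MetadataFile `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules ($LdapRule + "`n" + $NameIdRule)

# Verify the result: identifier taken from the metadata, enabled state and both rules.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$trust | Select-Object Name, Identifier, Enabled, SamlResponseSignature
$trust.IssuanceTransformRules
```

The rule text is the same claim rule language the wizard generates, so it can also be pasted into the rule editor with View Rule Language.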

Enable SAML request signing on the relying party trust

To enable signing for both SAML request and assertion, you modify the AD FS configuration. After successful authentication of a SAML request, the identity and service providers exchange assertion messages that identify the user and what the user is authorized to access.

DigiCert ONE requires that both the SAML request and assertion be signed by the identity provider.

  1. Open PowerShell with an Administrator account that has permission to edit the AD FS configuration.

  2. Enter the following command:

    Set-AdfsRelyingPartyTrust -TargetName "<Relying Party Name>" -SamlResponseSignature MessageAndAssertion

    where <Relying Party Name> represents the name of the service provider.

    For example:

    Set-AdfsRelyingPartyTrust -TargetName "SAML DC1 Login" -SamlResponseSignature MessageAndAssertion

Configure SAML authentication

To give your Active Directory users a single sign-on experience with DigiCert ONE, set up authentication through security assertion markup language (SAML). As part of the process, you will configure SAML authentication settings in Account Manager (AM). You also must exchange metadata between the relying party trust in AD FS and DigiCert by downloading an XML file from each application and uploading it to the other. This section includes steps for downloading the DigiCert metadata and for uploading the AD FS metadata.

  1. Open https://<adfs_host>/FederationMetadata/2007-06/FederationMetadata.xml in a browser, and save the XML file.

  2. Access the Account Manager (AM) Single sign-on with SAML page and select Upload IDP metadata.

  3. Upload the FederationMetadata.xml downloaded from AD FS and select Save.
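An added check for step 1 that is not part of the DigiCert guide: fetch the AD FS federation metadata with PowerShell and inspect the entityID, the SSO endpoints and the validity of the token-signing certificate before uploading the file to Account Manager. The host name is an assumption.

```powershell
# Added example (not part of DigiCert's guide): download the AD FS federation metadata that
# step 1 asks you to save and check what you are about to upload to Account Manager:
# the entityID, the SAML SSO endpoints, and the validity of the token-signing certificate.
# $AdfsHost is an assumption; replace it with your federation service host name.
$AdfsHost = "adfs.example.com"
$Url      = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$OutFile  = "$env:TEMP\FederationMetadata.xml"

Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing
[xml]$md = Get-Content -Path $OutFile -Raw

# Namespace-aware lookups for the SAML metadata and XML-DSig elements.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$entityId = $md.SelectSingleNode("/md:EntityDescriptor", $ns).GetAttribute("entityID")
"entityID: $entityId"

# SSO endpoints the service provider (DigiCert ONE) will redirect or POST to.
$md.SelectNodes("//md:IDPSSODescriptor/md:SingleSignOnService", $ns) |
    ForEach-Object { "SSO  {0,-55} {1}" -f $_.GetAttribute("Binding"), $_.GetAttribute("Location") }

# Signing certificates: DigiCert ONE validates the signed response and assertion against
# these. Flag any that expire within 30 days, because AD FS certificate auto-rollover
# replaces them, and the metadata in Account Manager must be re-uploaded when that happens.
$certs = $md.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
foreach ($c in $certs) {
    $bytes = [Convert]::FromBase64String(($c.InnerText -replace '\s', ''))
    $x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    $days  = [int]($x509.NotAfter - (Get-Date)).TotalDays
    $flag  = if ($days -lt 30) { "  <-- expires soon, plan a metadata refresh" } else { "" }
    "signing cert {0} thumbprint {1} valid until {2:yyyy-MM-dd}{3}" -f $x509.Subject, $x509.Thumbprint, $x509.NotAfter, $flag
}
```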

Note

After you complete this procedure, refer to Create a DigiCert ONE Login profile for the next steps.

Troubleshooting

If login fails during test user creation and certificate issuance, the new configuration may not have been applied on AD FS.

Open services.msc and restart the Active Directory Federation Services service.