Set up an AD FS server and configure SSO

Section 1: Install IIS Web Server

NOTE: If IIS is already installed on your Windows Server, skip to Section 2.

  1. Open the Server Manager application on Windows Server.

  2. In Server Manager, go to Manage, and then click Add Roles and Features.

    ADFSSetupGuideSection1Step1.png

    The Add Roles And Features wizard opens.

  3. Click Next.

  4. Select Role-based or feature-based installation and then click Next.

    ADFSSetupStep4.png
  5. Click Select a server from the server pool and then select the server on which to install IIS Web Server. Click Next.

    ADFSSetupGuideSection1Step5.png
  6. Select Web Server (IIS) from Server Roles and then click Next.

    ADFSSetupGuideSection1Step6.png
  7. In the Add Roles and Features Wizard, select Install management tools (if applicable) and then click Add features.

  8. Select Web Server (IIS) and click Next.

  9. On the Select Features page, select .NET Framework 3.5 Features and then click Next.

    ADFSSetupGuideSection1Step9.png
  10. On the next page, click Next.

  11. On the next page (Select Role Services), keep the defaults and click Next.

  12. Select Restart the destination server automatically if required.

  13. Click Install.

  14. Close the window when the installation is complete.

Section 2: Install Active Directory Domain Services (AD DS)

NOTE: If AD DS is already installed on the Windows Server, skip to Section 3.

  1. Open the Server Manager application on Windows Server.

  2. In Server Manager, go to Manage, and then click Add Roles and Features.

    ADFSSetupGuideSection1Step1.png

    The Add Roles And Features wizard opens.

  3. Click Next.

  4. Select Role-based or feature-based installation and then click Next.

    ADFSSetupStep4.png
  5. Click Select a server from the server pool and then select the server on which to install AD DS. Click Next.

    ADFSSetupGuideSection1Step5.png
  6. On the Select Server Roles page, select Active Directory Domain Services and then click Next.

    ADFSSetupGuideSection2Step6.png
  7. In the Add Roles and Features Wizard, select Include Management tools (if applicable) and then click Add Features.

    ADFSSetupGuideSection2Step7.png
  8. Select AD DS and then click Next.

  9. On the Select Features page, select .NET Framework 3.5 Features and then click Next.

  10. On the next page, click Next.

  11. On the last page, select Restart the destination server automatically if required.

  12. Click Install.

  13. Click Close when the installation is complete.

  14. In the Notifications section of the Server Manager page, in the Post Deployment Configuration... notification, click Promote this server to a domain controller.

    ADFSSetupGuideSection2Step14.png

    The Deployment Configuration page opens.

  15. In the Windows Security pop-up panel, enter the Username and Password of the local machine and then click OK.

    ADFSSetupGuideSection2Step15.png
  16. On the Deployment Configuration page, select Add a new forest, provide the Root domain name (example: tenfold.local), and then click Next.

    ADFSSetupGuideSection2Step16.png

    The Domain Controller Options page opens.

  17. Provide and confirm the password for Directory Services Restore Mode (DSRM), and make sure the configuration is the same as shown below:

    ADFSSetupGuideSection2Step17.png
  18. On the DNS Options page, click Next.

    ADFSSetupGuideSection2Step18.png
  19. On the Additional Options page, enter the NetBIOS domain name in the field provided and then click Next.

    ADFSSetupGuideSection2Step19.png
  20. On the Paths page, provide the required paths as shown below, and then click Next.

    ADFSSetupGuideSection2Step20.png
  21. Review all the options on the Review Options page and then click Next.

  22. On the Prerequisites Check page, validate the prerequisites and then click Install.

    ADFSSetupGuideSection2Step22.png
  23. The Installation page shows the installation progress. Click Close when the installation is complete.

Section 3: Install Active Directory Federation Services (AD FS)

  1. Open the Server Manager application on Windows Server.

  2. In Server Manager, go to Manage, and then click Add Roles and Features.

    ADFSSetupGuideSection1Step1.png

    The Add Roles And Features wizard opens.

  3. Click Next.

  4. Select Role-based or feature-based installation and then click Next.

    ADFSSetupStep4.png
  5. Click Select a server from the server pool and then select the server on which to install AD FS. Click Next.

    ADFSSetupGuideSection1Step5.png
  6. On the Select server roles page, select Active Directory Federation Services and then click Next.

    ADFSSetupGuideSection3Step6.png
  7. Click Features and select .NET Framework 3.5 Features, then click Next.

    ADFSSetupGuideSection3Step7.png
  8. On the next page, click Next.

  9. On the Confirmation page, select Restart the destination server automatically if required, click Yes to confirm, and then click Install.

    ADFSSetupGuideSection3Step9.png
  10. Click Close when the installation is complete.

  11. Go to Server Manager and navigate to Tools > Internet Information Services (IIS) Manager.

    NOTE: You will see a Post-Deployment Configuration for AD FS notification. Ignore it for now: you must first create an SSL certificate to use with the AD FS server.

    ADFSSetupGuideSection3Step11.png
  12. From the Home page of IIS Manager, click Server Certificates.

    ADFSSetupGuideSection3Step12.png
  13. In the Actions pane, click Create Self-Signed Certificate.

    ADFSSetupGuideSection3Step13.png
  14. On the Create Self-Signed Certificate tab, enter a user-friendly name in the Specify a friendly name for the certificate field, then select Personal. Click OK.

    ADFSSetupGuideSection3Step14.png

    The SSL Certificate is now created.

  15. Go back to Server Manager. In the notification for Post-Deployment Configuration for AD FS, click Configure the federation service on this server.

    ADFSSetupGuideSection3Step15.png

    The Active Directory Federation Services Configuration Wizard opens.

  16. Select Create the first federation server in a federation server farm and then click Next.

    ADFSSetupGuideSection3Step16.png
  17. On the Connect to AD DS page, select the account to perform the Federation Service configuration, and then click Next.

    ADFSSetupGuideSection3Step17.png
  18. On the Specify Service Properties page, select the SSL Certificate, Federation Service Name, and Federation Service Display Name, and then click Next. (Example for Federation Service Display Name: Tenfold AD FS Server)

    ADFSSetupGuideSection3Step18.png
  19. On the Specify Service Account page, select the Use an existing domain user account or group Managed Service Account option and click OK.

    ADFSSetupGuideSection3Step19.png
  20. Enter the Account Password and click Next.

    ADFSSetupGuideSection3Step20.png
  21. On the Specify Database page, select Create a database on this server using Windows Internal Database and then click Next.

  22. On the next page (Review Options), review all the options and click Next.

  23. On the next page (Prerequisite Check), validate the prerequisites and then click Configure.

    ADFSSetupGuideSection3Step23.png
  24. The next page shows the installation progress. Click Close when the installation is complete.

Section 4: Add relying party (Tenfold) to AD FS

  1. Using the Windows server browser, go to https://dashboard.tenfold.com/features and click the link for the Single Sign-On feature. Click Download Tenfold Metadata.

    The Tenfold Metadata.xml downloads.

    ADFSSetupGuideSection4Step1.png
  2. In Windows Server Manager, navigate to Tools > AD FS Management.

    ADFSSetupGuideSection4Step2.png
  3. The AD FS panel opens. In the Actions pane, click Add Relying Party Trust.

    ADFSSetupGuideSection4Step3.png
  4. On the Welcome page of the Add Relying Party Trust Wizard, select the Claims Aware option and then click Start.

    ADFSSetupGuideSection4Step4.png
  5. On the Select Data Source page, select Import data about the relying party from a file, browse to the location of the XML file downloaded in Step 1, and then click Next.

    ADFSSetupGuideSection4Step5.png
  6. On the Specify Display Name page, enter the Display name and click Next.

    ADFSSetupGuideSection4Step6.png
  7. On the Multi-factor Authentication page, select I do not want to configure multi-factor authentication settings for this relying party trust at this time and then click Next.

    ADFSSetupGuideSection4Step7.png
  8. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party and then click Next.

    ADFSSetupGuideSection4Step8.png
  9. On the Ready to Add Trust page, click Next.

  10. On the Finish page, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and then click Close.

    ADFSSetupGuideSection4Step10.png

    The Edit Claims Rules for Tenfold page opens.

  11. Click Add Rule.

    ADFSSetupGuideSection4Step11.png

    The Add Transform Claim Rule Wizard opens.

  12. On the Select Rule Template page, select Send LDAP Attributes as Claims and click Next.

    ADFSSetupGuideSection4Step12.png
  13. On the Configure Rule page, enter the Claim rule name, select Active Directory as the Attribute Store, and add mappings similar to the image shown below. Click OK.

    ADFSSetupGuideSection4Step13.png
  14. Click Add Rule.

    ADFSSetupGuideSection4Step14.png

    The Add Transform Claim Rule Wizard opens.

  15. On the Select Rule Template page, select Transform an Incoming Claim and click Next.

    ADFSSetupGuideSection4Step15.png

    The Configure Rule page opens.

  16. Configure the options as shown below and then click Finish.

    ADFSSetupGuideSection4Step16.png
  17. On the page that loads, click Apply and then OK.

    NOTE: Because the user's email address is used for the Name ID, make sure the user has this attribute.

    This completes the AD FS configuration.

Section 5: Configure Tenfold SSO

  1. Download the AD FS metadata using this URL:

    https://<adfs_server_domain_name>/FederationMetadata/2007-06/FederationMetadata.xml

  2. Complete the information in the Single Sign-On feature.

    NOTE: In most scenarios that do not use AD FS, Single Sign-On works by simply uploading this metadata to the Tenfold Single Sign-On settings. However, Tenfold is not able to parse the AD FS metadata correctly, so you must extract the following three parameters from the metadata and enter them manually: Identity Provider Entity ID, Identity Provider entry endpoint, and Identity Provider public certificate.

    ADFSSetupGuideSection5Step2.png

    Identity Provider Entity ID

    • The entityID attribute of the EntityDescriptor element.

    • In the example below, this value is http://EC2AMAZ-5OVH26R.adfs.local/adfs/services/trust

      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
      ID="_b207a111-f512-4fb1-b97f-155ba7849742" 
      entityID="http://EC2AMAZ-5OVH26R.adfs.local/adfs/services/trust">

    Identity Provider entry endpoint

    • The Location attribute of the SingleSignOnService element whose Binding is HTTP-Redirect.

    • In the example below, this value is https://ec2amaz-5ovh26r.adfs.local/adfs/ls/

      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
      Location="https://ec2amaz-5ovh26r.adfs.local/adfs/ls/" />

    Identity provider public certificate

    • The signing certificate inside the IDPSSODescriptor element.
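The following script pulls those three values out of a downloaded FederationMetadata.xml so they do not have to be copied by hand. It is an added example, not part of the Tenfold guide or of AD FS; the embedded metadata is a constructed, trimmed sample that reuses the host name shown above, and both certificate bodies are placeholders rather than real keys.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, trimmed metadata using the host name from the guide; both
# certificate bodies are placeholders, not real AD FS keys.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_b207a111-f512-4fb1-b97f-155ba7849742"
    entityID="http://EC2AMAZ-5OVH26R.adfs.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIGNING-CERT-
      PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ec2amaz-5ovh26r.adfs.local/adfs/ls/" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ec2amaz-5ovh26r.adfs.local/adfs/ls/" />
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_sso_settings(metadata_xml: str) -> dict:
    """Return the three Tenfold settings, or raise if the metadata lacks one."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")

    # AD FS publishes HTTP-POST and HTTP-Redirect endpoints; only Redirect is wanted.
    redirect = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == REDIRECT]
    if not redirect:
        raise ValueError("no SingleSignOnService with HTTP-Redirect binding")

    # Signing key only: the encryption key cannot verify assertion signatures.
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data"
                    "/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in IDPSSODescriptor")

    return {"entity_id": root.get("entityID"),
            "sso_endpoint": redirect[0],
            "signing_certificate": "".join(cert.text.split())}  # unwrap base64 lines
```

Run it against the real file by passing `open("FederationMetadata.xml").read()` to `extract_sso_settings`; the three returned values go into the matching Tenfold Single Sign-On fields.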