This article outlines how to configure AD FS on your Windows server with the relying party trust and claim rules that Contensis needs in order to integrate with your organisation's single sign-on service.
Add the relying party trusts
Open the AD FS Management console, click Add Relying Party Trust in the Actions pane and press Start on the wizard introduction page.
Select Enter data about the relying party manually.
Enter a Display name, e.g. Contensis and press Next.
Select AD FS Profile.
Skip the Configure Certificate step by pressing Next (it’s not supported by Contensis).
Select Enable support for the WS-Federation Passive protocol and enter your CMS address with the addition of /authenticate/ on the end and press Next.
e.g. https://cms-customername.cloud.contensis.com/authenticate/
Make sure the address ends with a trailing slash; without it the AD FS integration will not work.
Note: the Contensis CMS must be served over HTTPS. A plain HTTP address will not work.
Double check the CMS address is correct in the Relying party trust identifiers and then click Next.
Leave the default option of I do not want to configure multi-factor authentication settings for this relying party trust at this time selected. If you wish to configure multi-factor authentication, select the second option; multi-factor authentication is outside the scope of this article.
Select Permit all users to access this relying party and press Next if you want to allow all Active Directory users to log in to Contensis. Alternatively, select Deny all users access to this relying party if you want to grant access to specific users later.
You don’t need to change anything in the Ready to Add Trust step. Press Next.
Select the Open the Edit Claim rules dialog for this relying party trust when the wizard closes checkbox and press Close.
Configure claim rules
The Edit Claim Rules window should open automatically after adding the relying party trust. Press Add Rule… to create a new rule.
Select Send LDAP Attributes as Claims from the Claim rule template list.
Enter a Claim rule name e.g. Contensis claims
Select Active Directory as the Attribute store
As a minimum, map the LDAP attributes in the table below to the listed outgoing claim types, then press Next.

LDAP attribute        Outgoing claim type
User-Principal-Name   UPN
E-Mail-Addresses      E-Mail Address
SAM-Account-Name      Name
SAM-Account-Name      Name ID
If you want to populate the user’s first name and surname, you can also map the following LDAP attributes.
LDAP attribute   Outgoing claim type
Given-Name       Given Name
Surname          Surname
You can also configure Contensis to automatically create the groups a user is a member of when that user first logs in. To enable this, map the following LDAP attribute.

LDAP attribute    Outgoing claim type
Is-Member-Of-DL   Group
You’ll now see the rule listed in the Edit Claim Rules window. Press Add Rule… if you want to add another rule, otherwise press OK to save.
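The same configuration can be scripted with the AD FS PowerShell module, which is useful for repeatable deployments and for checking what the wizard produced. The following is an added example written for this article, not code from the Contensis documentation or product; it covers both the relying party trust steps above and the claim rules section (the minimum claims, the Given Name and Surname claims and the Group claim). The CMS address is an assumed example value; replace it with your own. Run it on the AD FS server in an elevated session as an AD FS administrator.

```powershell
# Added example (not from the Contensis documentation): creates the Contensis
# relying party trust and the "Send LDAP Attributes as Claims" rule with the
# AD FS PowerShell module, then reads the trust back as a check.
Import-Module ADFS

$cmsUrl     = 'https://cms-customername.cloud.contensis.com'   # assumed example value; use your CMS address
$rpName     = 'Contensis'
$identifier = "$cmsUrl/authenticate/"                           # /authenticate/ with the trailing slash

# Refuse to continue if the identifier is not https or lacks the trailing slash,
# since either mistake breaks the integration.
if ($identifier -notmatch '^https://.+/authenticate/$') {
    throw "Relying party identifier must be an https URL ending in /authenticate/: $identifier"
}

# Issuance authorization rule: equivalent to "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rule: the LDAP attribute mappings from the tables above.
# userPrincipalName = User-Principal-Name, mail = E-Mail-Addresses,
# sAMAccountName = SAM-Account-Name (sent twice: Name and Name ID),
# givenName = Given-Name, sn = Surname, memberOf = Is-Member-Of-DL.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Contensis claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";userPrincipalName,mail,sAMAccountName,sAMAccountName,givenName,sn,memberOf;{0}",
          param = c.Value);
'@

# No -EncryptionCertificate is passed: token encryption is the "Configure Certificate"
# step that the article says to skip because Contensis does not support it.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -WSFedEndpoint $identifier `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules `
    -Enabled $true

# Check: read the trust back and confirm the identifier, WS-Federation endpoint
# and rules were stored as intended.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, WSFedEndpoint, Enabled | Format-List
$rp.IssuanceTransformRules
```

If you chose Deny all users in the wizard, replace `$authzRules` with the deny rule that the wizard generates and add your own permit rules for the users or groups you want to allow. Note that the memberOf mapping issues one Group claim for every group the user is a direct member of, so for users in many groups the token grows accordingly; if that becomes a problem, a custom rule that issues only the groups Contensis needs is the usual fix.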