Configuring OpenAM IDP Proxy with ADFS and remote Service Provider
Contents
Introduction
Federation Entities in OpenAM
Circle of Trust
Remote Service Provider: Salesforce
Remote Identity Provider: ADFS 2.0
Hosted IDP Proxy
IDP Section
IDP Section continued
SP Section
SP Section Continued
Preliminary Steps: Configure OpenAM
Step 5: Creating the Single Sign On settings in Salesforce
Step 6: Importing the Service Provider descriptor from the IdP Proxy into ADFS 2.0
Optional ADFS 2.0 configuration
Testing
Introduction
This post describes how OpenAM can be configured as a hosted SAML Identity Provider Proxy, with Salesforce acting as the Service Provider and Active Directory Federation Services 2.0 as the Identity Provider. Note that to a Service Provider an IdP Proxy looks like an ordinary IdP; likewise, to an Identity Provider an IdP Proxy looks like an SP. Thus an IdP Proxy has the combined capability of being both an IdP and an SP.
The following table is lifted from the Internet2 Spaces wiki. Like a Web (HTTP) Proxy, an IdP Proxy delivers increased efficiency, security and flexibility:

              Web Proxy                          IdP Proxy
Efficiency    cache web pages                    cache attributes
Security      controlled access to web pages     controlled access to federation IdPs
Flexibility   HTTP request/response filtering    SAML request/response filtering
Presented here is the IdP Proxy flow:
1. A browser client requests a web resource protected by a SAML SP (Salesforce). If a security context for the principal already exists at Salesforce, skip to step 14.
2. The client is redirected to the IdP component of the IdP Proxy (OpenAM-IdP), which is protected by the SP component of the IdP Proxy (OpenAM-SP).
3. The client makes a SAML AuthnRequest to the SSO service at OpenAM-IdP. If a security context for the principal already exists at OpenAM-IdP, skip to step 10.
4. The AuthnRequest is cached and the client is redirected to the terminal IdP (ADFS). ADFS presents a BA prompt for authentication by default.
5. The client makes a SAML AuthnRequest to the SSO service at ADFS. If a security context for the principal does not exist, ADFS identifies the principal.
6. ADFS updates its security context for this principal, issues one or more assertions, and returns a response to the client.
7. The client submits the response to the assertion consumer service at OpenAM-SP. The assertion consumer service validates the assertions in the response.
8. OpenAM-SP updates its security context for this principal and redirects the client to OpenAM-IdP.
9. The client makes a SAML AuthnRequest to OpenAM-IdP, the same AuthnRequest made at step 3.
10. OpenAM-IdP updates its security context for this principal, issues a single assertion, and returns a response to the client. The response may also contain the assertions issued by ADFS at step 6.
11. The client submits the response to the assertion consumer service at Salesforce. The assertion consumer service validates the assertions in the response.
12. Salesforce updates its security context for this principal and redirects the client to the resource.
13. The client requests the resource, the same request issued at step 1.
14. The resource makes an access control decision based on the security context for this principal and returns the Salesforce landing page to the client.
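The flow above as a runnable model, added here as an example and not code from the original post or from OpenAM: each party keeps a per-principal security context, OpenAM-IdP caches the pending AuthnRequest between steps 4 and 9, and the function reports which steps ran, which party issued each assertion and whether ADFS had to prompt. The party names and the request ID are constructed.

```python
# Added example (not from the original post): a model of the 14-step IdP-proxy
# flow. It shows which hops are skipped when a session already exists and that
# Salesforce only ever validates an assertion issued by the proxy, never one
# issued by ADFS (the ADFS assertion terminates at OpenAM-SP).

SALESFORCE, OPENAM_IDP, OPENAM_SP, ADFS = "Salesforce", "OpenAM-IdP", "OpenAM-SP", "ADFS"
ALL_PARTIES = (SALESFORCE, OPENAM_IDP, OPENAM_SP, ADFS)


def run_flow(principal, existing_sessions=()):
    """Walk one principal through the flow.

    existing_sessions: parties that already hold a security context for the
    principal before step 1 (e.g. {"OpenAM-IdP"} for a returning user).
    Returns (steps, assertions, prompted):
      steps      - step numbers actually executed, in order
      assertions - (issuer, consumer) pairs in the order they were validated
      prompted   - True if ADFS had to identify the principal (the BA prompt)
    """
    sessions = {party: set() for party in ALL_PARTIES}
    for party in existing_sessions:
        sessions[party].add(principal)
    pending = {}                 # AuthnRequest cache at OpenAM-IdP, keyed by request ID
    steps, assertions, prompted = [], [], False

    steps.append(1)                                   # client requests the resource
    if principal not in sessions[SALESFORCE]:
        steps.append(2)                               # redirect to OpenAM-IdP
        steps.append(3)                               # AuthnRequest to OpenAM-IdP
        request_id = "_req-" + principal              # constructed request ID
        if principal not in sessions[OPENAM_IDP]:
            pending[request_id] = SALESFORCE          # step 4: cache, redirect to ADFS
            steps.append(4)
            steps.append(5)                           # AuthnRequest to ADFS
            if principal not in sessions[ADFS]:
                prompted = True                       # ADFS identifies the principal
            sessions[ADFS].add(principal)
            steps.append(6)                           # ADFS issues assertion(s)
            steps.append(7)                           # OpenAM-SP ACS validates them
            assertions.append((ADFS, OPENAM_SP))
            sessions[OPENAM_SP].add(principal)
            steps.append(8)                           # redirect back to OpenAM-IdP
            steps.append(9)                           # same AuthnRequest as step 3
            if pending.pop(request_id, None) != SALESFORCE:
                raise RuntimeError("no cached AuthnRequest for " + request_id)
        sessions[OPENAM_IDP].add(principal)
        steps.append(10)                              # proxy issues its own assertion
        steps.append(11)                              # Salesforce ACS validates it
        assertions.append((OPENAM_IDP, SALESFORCE))
        sessions[SALESFORCE].add(principal)
        steps.append(12)                              # redirect to the resource
        steps.append(13)                              # client re-requests the resource
    steps.append(14)                                  # access control decision
    return steps, assertions, prompted


if __name__ == "__main__":
    for existing in ((), {OPENAM_IDP}, {SALESFORCE}):
        print(sorted(existing), run_flow("demo", existing))
```

Running it for a fresh user, a user with a session at OpenAM-IdP only, and a user already logged in at Salesforce shows the three paths the numbered list describes (all 14 steps, steps 1-3 then 10-14, and steps 1 and 14 only).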
For starters, please refer to Victor's excellent post about preparing the metadata files for a similar scenario, SAMLv2 IDP Proxy Part 1.
Follow steps 1-4 in that post to prepare your metadata.
Federation Entities in OpenAM
In this section we will survey the entities you have imported into OpenAM so far.
Circle of Trust
Remote Service Provider Salesforce
Your settings should be very similar to those presented here.
Signing and encryption can be turned off if not needed.
This screen shows a critical setting related to the IDP Proxy: ensure your ADFS 2.0 Entity ID is correctly defined in the list.
Remote Identity Provider ADFS 2.0
Hosted IDP Proxy
IDP Section
Set "test" as the signer certificate in the IDP section of the Hosted IDP/SP proxy entity.
IDP Section continued
SP Section
The first page
Assertion processing screen
The mapping shown below is critical. Here we map the ADFS credential to an internal (anonymous) user; in our case it is demo. It could be anonymous if such a user is present in your user repository.
Since ADFS does not support Scoping elements, a custom Service Provider adapter that removes the Scoping element from the SAML AuthnRequest sent to ADFS is also necessary to achieve this integration.
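What that adapter does to the request, as an added example that is not OpenAM's own adapter code: in OpenAM the removal is done in Java, in the preSingleSignOnRequest hook of a SAML2ServiceProviderAdapter implementation, by clearing the Scoping on the AuthnRequest object; the Python below performs the same edit on the serialized XML so it can be run stand-alone. The sample AuthnRequest and its entity IDs are constructed placeholders.

```python
# Added example (not OpenAM's SP adapter): remove <samlp:Scoping> from a
# SAML 2.0 AuthnRequest while leaving Issuer, NameIDPolicy and the root
# attributes intact. Entity IDs below are constructed placeholders.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep samlp:/saml: prefixes on output

# Constructed sample: the kind of AuthnRequest an IdP-proxy SP component emits,
# carrying a Scoping element with ProxyCount, an IDPList and a RequesterID.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2014-03-09T05:33:47Z"
    Destination="https://adfs.example.test/adfs/ls/"
    AssertionConsumerServiceURL="https://idpproxy.example.test/openam/Consumer/metaAlias/sp">
  <saml:Issuer>https://idpproxy.example.test/openam</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
  <samlp:Scoping ProxyCount="1">
    <samlp:IDPList>
      <samlp:IDPEntry ProviderID="http://adfs.example.test/adfs/services/trust"/>
    </samlp:IDPList>
    <samlp:RequesterID>https://saml.salesforce.com</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>"""


def strip_scoping(authn_request_xml):
    """Return (xml, removed): the request without any samlp:Scoping child of the
    root AuthnRequest, and whether one was actually removed."""
    root = ET.fromstring(authn_request_xml)
    scoping_tag = "{%s}Scoping" % NS["samlp"]
    removed = False
    for child in list(root):               # copy: we mutate root while iterating
        if child.tag == scoping_tag:
            root.remove(child)
            removed = True
    return ET.tostring(root, encoding="unicode"), removed


def has_scoping(authn_request_xml):
    """True if the AuthnRequest still carries a Scoping element."""
    root = ET.fromstring(authn_request_xml)
    return root.find("samlp:Scoping", NS) is not None


def child_tags(authn_request_xml):
    """Local names of the root's children, to confirm nothing else was dropped."""
    root = ET.fromstring(authn_request_xml)
    return [child.tag.split("}")[1] for child in root]


if __name__ == "__main__":
    cleaned, removed = strip_scoping(SAMPLE_AUTHN_REQUEST)
    print("removed Scoping:", removed)
    print(cleaned)
```

Running strip_scoping a second time on its own output reports nothing removed, which is the idempotent behaviour you want from a request filter that sits in front of every AuthnRequest to ADFS.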
SP Section Continued
Add the Entity ID for Salesforce here
Preliminary Steps: Configure OpenAM
1. Import certificates into the OpenAM keystore and the Java keystore:
/usr/java/jdk1.7.0_45/bin/keytool -importcert -alias sfdc -file SelfSignedCert_09Mar2014_053347.crt -keystore keystore.jks
/usr/java/jdk1.7.0_45/bin/keytool -importcert -alias adfs -file adfscert.cer -keystore keystore.jks
/usr/java/jdk1.7.0_45/bin/keytool -exportcert -alias adfs -file adfscert.crt -keystore keystore.jks
/usr/java/jdk1.7.0_45/bin/keytool -exportcert -alias sfdc -file sfdc.crt -keystore keystore.jks
/usr/java/jdk1.7.0_45/bin/keytool -importcert -alias adfs -file ccgadfs.crt -trustcacerts -keystore /usr/java/jdk1.7.0_45/jre/lib/security/cacerts
/usr/java/jdk1.7.0_45/bin/keytool -importcert -alias sfdc -file sfdc.crt -trustcacerts -keystore /usr/java/jdk1.7.0_45/jre/lib/security/cacerts
2. In OpenAM, after importing the metadata files, add the Federation Authentication Module under the local realm.
Step 5 Creating the Single Sign On settings in Salesforce
In Salesforce, under Security Controls -> Single Sign On Settings, create a new SAML Single Sign-On Setting and fill in the Identity Provider Login URL and Logout URL from the metadata file machineb.idpproxy.com-idp-meta.xml created in Step 4a.
Step 6: Importing the Service Provider descriptor from the IdP Proxy into ADFS 2.0
On the Windows server, start the AD FS 2.0 Management utility and create a new relying party trust by clicking on Add Relying Party Trust.
Select "Import data about the relying party from a file" and use the machineb.idpproxy.com-sp-meta.xml you created in Step 4c. Call it "Salesforce via OpenAM IDP Proxy" and finish.
Select the newly created relying party and ensure the settings match the screenshots presented here
For example, change the default SAML assertion consumer endpoint (ACE) binding from Artifact to POST.
Also change the secure hash algorithm to SHA-1, as shown here.
Click on Edit Claim Rules and follow the instructions given in OpenAM and ADFS2 configuration to create the first rule.
Create a custom claim rule using the following script:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "<entity-id of ADFS 2.0>",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<entity-id of your IDP proxy>");
You should see two rules now
Click OK to finish editing the claim rules.
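The custom rule above turns the UPN claim into a SAML NameID whose Format is unspecified, whose NameQualifier is the ADFS entity ID and whose SPNameQualifier is the IdP proxy's entity ID (the proxy, not Salesforce, is ADFS's relying party). The check below, added here as an example that is not part of the original post, parses an assertion as ADFS would issue it and reports any NameID attribute that does not match what the proxy's SP component expects; the assertion and both entity IDs are constructed placeholders.

```python
# Added example (not from the original post): validate the NameID an ADFS
# claim rule produced against the values the OpenAM IdP proxy expects.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed placeholders standing in for <entity-id of ADFS 2.0> and
# <entity-id of your IDP proxy> in the claim rule.
ADFS_ENTITY_ID = "http://adfs.example.test/adfs/services/trust"
PROXY_ENTITY_ID = "https://idpproxy.example.test/openam"


def make_assertion(name_id_format, name_qualifier, sp_name_qualifier,
                   value="jdoe@example.test", issuer=ADFS_ENTITY_ID):
    """Build a minimal, unsigned, constructed SAML 2.0 Assertion string with the
    NameID attributes the claim rule controls."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-assertion" Version="2.0" IssueInstant="2014-03-09T05:33:47Z">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        '<saml:Subject>'
        f'<saml:NameID Format="{name_id_format}" NameQualifier="{name_qualifier}" '
        f'SPNameQualifier="{sp_name_qualifier}">{value}</saml:NameID>'
        '</saml:Subject>'
        '</saml:Assertion>'
    )


def check_name_id(assertion_xml, expected_idp, expected_sp, expected_format=UNSPECIFIED):
    """Return a list of findings; empty when Issuer and NameID match what the
    proxy's SP side expects (Issuer and NameQualifier = terminal IdP entity ID,
    SPNameQualifier = proxy entity ID, Format = unspecified)."""
    root = ET.fromstring(assertion_xml)
    findings = []
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_idp:
        findings.append(f"Issuer: expected {expected_idp!r}, got {issuer!r}")
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        findings.append("no NameID in Subject")
        return findings
    expected = {"Format": expected_format,
                "NameQualifier": expected_idp,
                "SPNameQualifier": expected_sp}
    for attr, want in expected.items():
        got = name_id.get(attr)
        if got != want:
            findings.append(f"{attr}: expected {want!r}, got {got!r}")
    if not (name_id.text or "").strip():
        findings.append("NameID value is empty")
    return findings


if __name__ == "__main__":
    good = make_assertion(UNSPECIFIED, ADFS_ENTITY_ID, PROXY_ENTITY_ID)
    print("correct rule:", check_name_id(good, ADFS_ENTITY_ID, PROXY_ENTITY_ID))
    # A common mistake in a proxy setup: pointing SPNameQualifier at the final
    # SP (Salesforce) instead of the proxy that ADFS actually talks to.
    wrong = make_assertion(UNSPECIFIED, ADFS_ENTITY_ID, "https://saml.salesforce.com")
    print("wrong SPNameQualifier:", check_name_id(wrong, ADFS_ENTITY_ID, PROXY_ENTITY_ID))
```

A mismatch in any of these attributes is the kind of thing that surfaces only as a generic failure at the proxy's assertion consumer, so checking the decoded assertion this way is quicker than re-reading the claim rule.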
Optional ADFS 2.0 configuration
You can configure ADFS to not encrypt or sign SAML responses. Follow these steps if necessary.
Use Windows PowerShell to check for the installed ADFS snap-in:
Get-PSSnapin -Registered
You should see Microsoft.Adfs.PowerShell 1.0 ("This powershell snap-in contains cmdlets used to manage Microsoft Identity Server resources"). Now proceed to add it:
Add-PSSnapin Microsoft.Adfs.Powershell
Configure ADFS to not encrypt the SAML response:
Set-ADFSRelyingPartyTrust -TargetName "Salesforce via OpenAM IDP Proxy" -EncryptClaims $False
If you get an erroneous SAML StatusCode Responder error in OpenAM during testing, run these commands to turn off certificate revocation checks in ADFS:
Set-ADFSRelyingPartyTrust -TargetName "Salesforce via OpenAM IDP Proxy" -EncryptionCertificateRevocationCheck None
Set-ADFSRelyingPartyTrust -TargetName "Salesforce via OpenAM IDP Proxy" -SigningCertificateRevocationCheck None
Testing
Navigate to your Salesforce SSO URL; you will immediately be taken to the ADFS basic authentication prompt.
Enter your ADFS domain credentials here and hit Log In. If all is well, you should be taken to your Salesforce landing page.
Set-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptionCertificateRevocationCheck NoneSet-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -SigningCertificateRevocationCheck None
Testing
Navigate to your Salesforce SSO URL you will immediately be taken to the ADFS basic authentication prompt
Enter your ADFS domain credentials here and hit Log In If all is well you should be taken to your Salesforce landing page
- Configuring OpenAM IDP Proxy with ADFS and remote Service Provider
-
Assertion processing screen
The mapping shown below is critical Here we map the ADFS credential to an internal (anonymous) user in our case it is demo It could be anonymous if such a user is present in your user repository
Since ADFS does not support Scoping elements also necessary to achieve this integration is a custom Service Provider adapter that removes the Scoping element from SAML AuthRequest sent to ADFS
SP Section Continued
Add the Entity ID for Salesforce here
Preliminary Steps Configure OpenAM
1 Import certificates into OpenAM keystore and Java keystoreusrjavajdk170_45binkeytool -importcert -alias sfdc -file SelfSignedCert_09Mar2014_053347crt -keystore keystorejksusrjavajdk170_45binkeytool -importcert -alias adfs -file adfscertcer -keystore keystorejksusrjavajdk170_45binkeytool -exportcert -alias adfs -file adfscertcrt -keystore keystorejks usrjavajdk170_45binkeytool -exportcert -alias sfdc -file sfdccrt -keystore keystorejks usrjavajdk170_45binkeytool -importcert -alias adfs -file ccgadfscrt -trustcacerts -keystore usrjavajdk170_45jrelibsecuritycacertsusrjavajdk170_45binkeytool -importcert -alias sfdc -file sfdccrt -trustcacerts -keystore usrjavajdk170_45jrelibsecuritycacerts
2 In OpenAM after importing the metadata files add the Federation Authentication Module under local realm
Step 5 Creating the Single Sign On settings in Salesforce
In Salesforce under Security Controls -gt Single Sign On Settings create a new SAML Single Sign-On Setting and fill in the Identity Provider Login URL and Logout URLs from the metadata file machinebidpproxycom-idp-metaxml in Step 4a
Step 6 Importing the Service Provider descriptor from the IdP Proxy into ADFS 20
On the Windows server start up AD FS 20 Management utility and create a new relying part trust by cliking on Add Relying Party Trust
Select Import data about the relying party from a file and use the machinebidpproxycom-sp-metaxml you created in Call it Salesforce via Step 4cOpenAM IDP Proxy and finish
Select the newly created relying party and ensure the settings match the screenshots presented here
For example change the default SAML ACE from Artifact to POST
Also change the secure hash algorithm to SHA-1 as shown here
Click on Edit Claim Rules and follow instructions given in to create the first ruleOpenAM and ADFS2 configuration
Create a custom claim rule using the following script
c[Type == ] =gt issue(Type = httpschemasxmlsoaporgws200505identityclaimsupn httpschemasxmlsoaporgws200505identityclaims Issuer = cIssuer OriginalIssuer = cOriginalIssuer Value = cValue ValueType = cValueType Properties[nameidentifier httpschemasxmlsoaporgws
] = Properties[200505identityclaimpropertiesformat urnoasisnamestcSAML11nameid-formatunspecified httpschemasxmlsoaporgws200505] = ltentity-id of ADFS 20gt Properties[identityclaimpropertiesnamequalifier httpschemasxmlsoaporgws200505identityclaimproperties
] = ltentity-id of your IDP proxygt)spnamequalifier
You should see two rules now
1
2
3
4
5
a
b
Click ok to finish editing claim rules
Optional ADFS 20 configuration
You can configure ADFS to not encrypt or sign SAML responses Follow these steps if necessary
Use Windows Power Shell to check for installed ADFS snap-in Get-PSSnapin -RegisteredYou should be able to see MicrosoftAdfsPowerShell 10 ldquoThis powershell snap-in contains cmdlets used to manage Microsoft Identity Server resourcesrdquoNow proceed to add it Add-PSSnapin MicrosoftAdfsPowershellConfigure ADFS to not encrypt SAML response Set -ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptClaims $FalseIf you get an erroneous SAML StatusCode Responder error in OpenAM during testing run these commands to turn off certificate revocation checks in ADFS
Set-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptionCertificateRevocationCheck NoneSet-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -SigningCertificateRevocationCheck None
Testing
Navigate to your Salesforce SSO URL you will immediately be taken to the ADFS basic authentication prompt
Enter your ADFS domain credentials here and hit Log In If all is well you should be taken to your Salesforce landing page
- Configuring OpenAM IDP Proxy with ADFS and remote Service Provider
-
The mapping shown below is critical Here we map the ADFS credential to an internal (anonymous) user in our case it is demo It could be anonymous if such a user is present in your user repository
Since ADFS does not support Scoping elements also necessary to achieve this integration is a custom Service Provider adapter that removes the Scoping element from SAML AuthRequest sent to ADFS
SP Section Continued
Add the Entity ID for Salesforce here
Preliminary Steps Configure OpenAM
1 Import certificates into OpenAM keystore and Java keystoreusrjavajdk170_45binkeytool -importcert -alias sfdc -file SelfSignedCert_09Mar2014_053347crt -keystore keystorejksusrjavajdk170_45binkeytool -importcert -alias adfs -file adfscertcer -keystore keystorejksusrjavajdk170_45binkeytool -exportcert -alias adfs -file adfscertcrt -keystore keystorejks usrjavajdk170_45binkeytool -exportcert -alias sfdc -file sfdccrt -keystore keystorejks usrjavajdk170_45binkeytool -importcert -alias adfs -file ccgadfscrt -trustcacerts -keystore usrjavajdk170_45jrelibsecuritycacertsusrjavajdk170_45binkeytool -importcert -alias sfdc -file sfdccrt -trustcacerts -keystore usrjavajdk170_45jrelibsecuritycacerts
2 In OpenAM after importing the metadata files add the Federation Authentication Module under local realm
Step 5 Creating the Single Sign On settings in Salesforce
In Salesforce under Security Controls -gt Single Sign On Settings create a new SAML Single Sign-On Setting and fill in the Identity Provider Login URL and Logout URLs from the metadata file machinebidpproxycom-idp-metaxml in Step 4a
Step 6 Importing the Service Provider descriptor from the IdP Proxy into ADFS 20
On the Windows server start up AD FS 20 Management utility and create a new relying part trust by cliking on Add Relying Party Trust
Select Import data about the relying party from a file and use the machinebidpproxycom-sp-metaxml you created in Call it Salesforce via Step 4cOpenAM IDP Proxy and finish
Select the newly created relying party and ensure the settings match the screenshots presented here
For example change the default SAML ACE from Artifact to POST
Also change the secure hash algorithm to SHA-1 as shown here
Click on Edit Claim Rules and follow instructions given in to create the first ruleOpenAM and ADFS2 configuration
Create a custom claim rule using the following script
c[Type == ] =gt issue(Type = httpschemasxmlsoaporgws200505identityclaimsupn httpschemasxmlsoaporgws200505identityclaims Issuer = cIssuer OriginalIssuer = cOriginalIssuer Value = cValue ValueType = cValueType Properties[nameidentifier httpschemasxmlsoaporgws
] = Properties[200505identityclaimpropertiesformat urnoasisnamestcSAML11nameid-formatunspecified httpschemasxmlsoaporgws200505] = ltentity-id of ADFS 20gt Properties[identityclaimpropertiesnamequalifier httpschemasxmlsoaporgws200505identityclaimproperties
] = ltentity-id of your IDP proxygt)spnamequalifier
You should see two rules now
1
2
3
4
5
a
b
Click ok to finish editing claim rules
Optional ADFS 20 configuration
You can configure ADFS to not encrypt or sign SAML responses Follow these steps if necessary
Use Windows Power Shell to check for installed ADFS snap-in Get-PSSnapin -RegisteredYou should be able to see MicrosoftAdfsPowerShell 10 ldquoThis powershell snap-in contains cmdlets used to manage Microsoft Identity Server resourcesrdquoNow proceed to add it Add-PSSnapin MicrosoftAdfsPowershellConfigure ADFS to not encrypt SAML response Set -ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptClaims $FalseIf you get an erroneous SAML StatusCode Responder error in OpenAM during testing run these commands to turn off certificate revocation checks in ADFS
Set-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptionCertificateRevocationCheck NoneSet-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -SigningCertificateRevocationCheck None
Testing
Navigate to your Salesforce SSO URL you will immediately be taken to the ADFS basic authentication prompt
Enter your ADFS domain credentials here and hit Log In If all is well you should be taken to your Salesforce landing page
- Configuring OpenAM IDP Proxy with ADFS and remote Service Provider
-
Since ADFS does not support Scoping elements also necessary to achieve this integration is a custom Service Provider adapter that removes the Scoping element from SAML AuthRequest sent to ADFS
SP Section Continued
Add the Entity ID for Salesforce here
Preliminary Steps Configure OpenAM
1 Import certificates into OpenAM keystore and Java keystoreusrjavajdk170_45binkeytool -importcert -alias sfdc -file SelfSignedCert_09Mar2014_053347crt -keystore keystorejksusrjavajdk170_45binkeytool -importcert -alias adfs -file adfscertcer -keystore keystorejksusrjavajdk170_45binkeytool -exportcert -alias adfs -file adfscertcrt -keystore keystorejks usrjavajdk170_45binkeytool -exportcert -alias sfdc -file sfdccrt -keystore keystorejks usrjavajdk170_45binkeytool -importcert -alias adfs -file ccgadfscrt -trustcacerts -keystore usrjavajdk170_45jrelibsecuritycacertsusrjavajdk170_45binkeytool -importcert -alias sfdc -file sfdccrt -trustcacerts -keystore usrjavajdk170_45jrelibsecuritycacerts
2 In OpenAM after importing the metadata files add the Federation Authentication Module under local realm
Step 5 Creating the Single Sign On settings in Salesforce
In Salesforce under Security Controls -gt Single Sign On Settings create a new SAML Single Sign-On Setting and fill in the Identity Provider Login URL and Logout URLs from the metadata file machinebidpproxycom-idp-metaxml in Step 4a
Step 6 Importing the Service Provider descriptor from the IdP Proxy into ADFS 20
On the Windows server start up AD FS 20 Management utility and create a new relying part trust by cliking on Add Relying Party Trust
Select Import data about the relying party from a file and use the machinebidpproxycom-sp-metaxml you created in Call it Salesforce via Step 4cOpenAM IDP Proxy and finish
Select the newly created relying party and ensure the settings match the screenshots presented here
For example change the default SAML ACE from Artifact to POST
Also change the secure hash algorithm to SHA-1 as shown here
Click on Edit Claim Rules and follow instructions given in to create the first ruleOpenAM and ADFS2 configuration
Create a custom claim rule using the following script
c[Type == ] =gt issue(Type = httpschemasxmlsoaporgws200505identityclaimsupn httpschemasxmlsoaporgws200505identityclaims Issuer = cIssuer OriginalIssuer = cOriginalIssuer Value = cValue ValueType = cValueType Properties[nameidentifier httpschemasxmlsoaporgws
] = Properties[200505identityclaimpropertiesformat urnoasisnamestcSAML11nameid-formatunspecified httpschemasxmlsoaporgws200505] = ltentity-id of ADFS 20gt Properties[identityclaimpropertiesnamequalifier httpschemasxmlsoaporgws200505identityclaimproperties
] = ltentity-id of your IDP proxygt)spnamequalifier
You should see two rules now
1
2
3
4
5
a
b
Click ok to finish editing claim rules
Optional ADFS 20 configuration
You can configure ADFS to not encrypt or sign SAML responses Follow these steps if necessary
Use Windows Power Shell to check for installed ADFS snap-in Get-PSSnapin -RegisteredYou should be able to see MicrosoftAdfsPowerShell 10 ldquoThis powershell snap-in contains cmdlets used to manage Microsoft Identity Server resourcesrdquoNow proceed to add it Add-PSSnapin MicrosoftAdfsPowershellConfigure ADFS to not encrypt SAML response Set -ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptClaims $FalseIf you get an erroneous SAML StatusCode Responder error in OpenAM during testing run these commands to turn off certificate revocation checks in ADFS
Set-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptionCertificateRevocationCheck NoneSet-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -SigningCertificateRevocationCheck None
Testing
Navigate to your Salesforce SSO URL you will immediately be taken to the ADFS basic authentication prompt
Enter your ADFS domain credentials here and hit Log In If all is well you should be taken to your Salesforce landing page
- Configuring OpenAM IDP Proxy with ADFS and remote Service Provider
-
Step 6 Importing the Service Provider descriptor from the IdP Proxy into ADFS 20
On the Windows server start up AD FS 20 Management utility and create a new relying part trust by cliking on Add Relying Party Trust
Select Import data about the relying party from a file and use the machinebidpproxycom-sp-metaxml you created in Call it Salesforce via Step 4cOpenAM IDP Proxy and finish
Select the newly created relying party and ensure the settings match the screenshots presented here
For example change the default SAML ACE from Artifact to POST
Also change the secure hash algorithm to SHA-1 as shown here
Click on Edit Claim Rules and follow instructions given in to create the first ruleOpenAM and ADFS2 configuration
Create a custom claim rule using the following script
c[Type == ] =gt issue(Type = httpschemasxmlsoaporgws200505identityclaimsupn httpschemasxmlsoaporgws200505identityclaims Issuer = cIssuer OriginalIssuer = cOriginalIssuer Value = cValue ValueType = cValueType Properties[nameidentifier httpschemasxmlsoaporgws
] = Properties[200505identityclaimpropertiesformat urnoasisnamestcSAML11nameid-formatunspecified httpschemasxmlsoaporgws200505] = ltentity-id of ADFS 20gt Properties[identityclaimpropertiesnamequalifier httpschemasxmlsoaporgws200505identityclaimproperties
] = ltentity-id of your IDP proxygt)spnamequalifier
You should see two rules now
1
2
3
4
5
a
b
Click ok to finish editing claim rules
Optional ADFS 20 configuration
You can configure ADFS to not encrypt or sign SAML responses Follow these steps if necessary
Use Windows Power Shell to check for installed ADFS snap-in Get-PSSnapin -RegisteredYou should be able to see MicrosoftAdfsPowerShell 10 ldquoThis powershell snap-in contains cmdlets used to manage Microsoft Identity Server resourcesrdquoNow proceed to add it Add-PSSnapin MicrosoftAdfsPowershellConfigure ADFS to not encrypt SAML response Set -ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptClaims $FalseIf you get an erroneous SAML StatusCode Responder error in OpenAM during testing run these commands to turn off certificate revocation checks in ADFS
Set-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptionCertificateRevocationCheck NoneSet-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -SigningCertificateRevocationCheck None
Testing
Navigate to your Salesforce SSO URL you will immediately be taken to the ADFS basic authentication prompt
Enter your ADFS domain credentials here and hit Log In If all is well you should be taken to your Salesforce landing page
- Configuring OpenAM IDP Proxy with ADFS and remote Service Provider
-
Click on Edit Claim Rules and follow instructions given in to create the first ruleOpenAM and ADFS2 configuration
Create a custom claim rule using the following script
c[Type == ] =gt issue(Type = httpschemasxmlsoaporgws200505identityclaimsupn httpschemasxmlsoaporgws200505identityclaims Issuer = cIssuer OriginalIssuer = cOriginalIssuer Value = cValue ValueType = cValueType Properties[nameidentifier httpschemasxmlsoaporgws
] = Properties[200505identityclaimpropertiesformat urnoasisnamestcSAML11nameid-formatunspecified httpschemasxmlsoaporgws200505] = ltentity-id of ADFS 20gt Properties[identityclaimpropertiesnamequalifier httpschemasxmlsoaporgws200505identityclaimproperties
] = ltentity-id of your IDP proxygt)spnamequalifier
You should see two rules now
1
2
3
4
5
a
b
Click ok to finish editing claim rules
Optional ADFS 20 configuration
You can configure ADFS to not encrypt or sign SAML responses Follow these steps if necessary
Use Windows Power Shell to check for installed ADFS snap-in Get-PSSnapin -RegisteredYou should be able to see MicrosoftAdfsPowerShell 10 ldquoThis powershell snap-in contains cmdlets used to manage Microsoft Identity Server resourcesrdquoNow proceed to add it Add-PSSnapin MicrosoftAdfsPowershellConfigure ADFS to not encrypt SAML response Set -ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptClaims $FalseIf you get an erroneous SAML StatusCode Responder error in OpenAM during testing run these commands to turn off certificate revocation checks in ADFS
Set-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptionCertificateRevocationCheck NoneSet-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -SigningCertificateRevocationCheck None
Testing
Navigate to your Salesforce SSO URL you will immediately be taken to the ADFS basic authentication prompt
Enter your ADFS domain credentials here and hit Log In If all is well you should be taken to your Salesforce landing page
- Configuring OpenAM IDP Proxy with ADFS and remote Service Provider
-
1
2
3
4
5
a
b
Click ok to finish editing claim rules
Optional ADFS 20 configuration
You can configure ADFS to not encrypt or sign SAML responses Follow these steps if necessary
Use Windows Power Shell to check for installed ADFS snap-in Get-PSSnapin -RegisteredYou should be able to see MicrosoftAdfsPowerShell 10 ldquoThis powershell snap-in contains cmdlets used to manage Microsoft Identity Server resourcesrdquoNow proceed to add it Add-PSSnapin MicrosoftAdfsPowershellConfigure ADFS to not encrypt SAML response Set -ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptClaims $FalseIf you get an erroneous SAML StatusCode Responder error in OpenAM during testing run these commands to turn off certificate revocation checks in ADFS
Set-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptionCertificateRevocationCheck NoneSet-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -SigningCertificateRevocationCheck None
Testing
Navigate to your Salesforce SSO URL you will immediately be taken to the ADFS basic authentication prompt
Enter your ADFS domain credentials here and hit Log In If all is well you should be taken to your Salesforce landing page
- Configuring OpenAM IDP Proxy with ADFS and remote Service Provider
-
- Configuring OpenAM IDP Proxy with ADFS and remote Service Provider
-