Skip to main content
OpenEye Knowledge Base

ADFS Integration Instructions

Enable ADFS Integration
Add Identity Management Integration

As a web services Administrator,

  1. From the Channel Partner Portal, go to Management > Integrations.
  2. Click Add New Integration.
  3. Select ADFS from the list of options and click Next.
  4. Ensure Enable ADFS integration is checked.
  5. Select the Identity Management tab.
  6. Check Enable Third Party Authentication.

CP Management Identity Management ADFS.png

Enable ADFS

Go to Integrations in the End User Portal.

  1. Select ADFS and then click Next.

ADFS Add New Integration Popup.png

  1. The ADFS Integration will be added to the Manage Integrations list.

ADFS Manage Integrations.png

  1. To make changes to the Integration, click Edit Button.png from Manage Integration.

ADFS General Settings Enable ADFS integration.png

NOTE: You’ll be alternating between OWS and ADFS in order to perform this integration.

Configure ADFS for OWS Access (ADFS)
  1. Download the ADFS 2.0 metadata from the ADFS server at https://<ADFS_HOST>/FederationMetadata/2007-06/FederationMetadata.xml
  2. Copy the text from that XML file into the Identity Provider Metadata field and click Save.
  3. Copy the Audience URI (SP Entity ID). You’ll need this later on the ADFS server.

NOTE: The following steps are shown in Windows Server 2016.

  1. In the ADFS Management console on the ADFS server, go to Relying Party Trusts and click on Add Relying Party Trust.
  2. Choose Claims aware and click Start.

ADFS Add Relying Party Trust Wizard.png

  1. Check Import data about the relying part published online or on a local network.
  2. Paste in the Audience URI (SP Entity ID) acquired earlier in OWS into the Federation metadata address (host name or URL): field and click Next.

ADFS Select Data Source.png

  1. Choose a display name in the Display name field. This identifies the relying party when someone logs in.

ADFS Specify Display Name.png

 

  1. Click Next.
  2. Choose an Access Control Policy (e.g. "Permit everyone") and click Next.
  3. On the Review Settings page, click Next.
  4. Leave Configure claims issuance policy for this application checked and click Close.
  5. In the Edit Claim Issuance Policy UI that pops up click Add Rule.
  6. Select Send LDAP Attributes as Claims and click Next.

ADFS Select Rule Template.png

  1. Choose a Claim rule name: to put in that field. (e.g. “NameID Rule”)
  2. Choose Activity Directory for the Attribute store: drop down list.
  3. Choose E-Mail-Addresses for the LDAP Attribute in the list.
  4. Choose Name ID for the Outgoing Claim Type in the list. Users’ email addresses will be mapped to OWS email addresses for the purposes of login for this account.

ADFS Configure Rule.png

  1. Now click Finish.
  2. Click Ok.

You should be able to login with any provisioned or existing user whose OWS username (as an email address) matches the email address for the user in AD when logging into that account.


Example for login from the ADFS server: https://adfs.example.com/adfs/ls/idpinitiatedsignon

Add Users Manually

Users may now be configured to access your OWS application via ADFS in one of two ways:

  1. Manual invite via OWS.
  2. Just-In-Time Provisioning (JITP).
Manual Invite Via OWS

Users may be manually added to WS via the standard WS user invite function, including manually adding them to User Groups. The primary advantage of this approach is that users invited in this fashion may choose to login either via WS credentials or the IDP credentials. This approach is ideal for Administrators who need a non-IDP method to login just in case there is an IDP issue. The downside of this approach is that user management is not simplified into a single place, and that users may login both ways if configured to do so.

Automatic Provisioning Via Just-in-Time Provisioning (JITP)

Provisioning may also be performed via JITP through claims made in the SAML that is presented to OWS.

Enable ADFS Integration

Follow these instructions to Enable an Identity Management Integration.

Using Just-in-Time Provisioning (JITP)

Follow these instructions to Enable Just-in-Time Provisioning (JITP).

  • Was this article helpful?