Link your Identity Provider - AD FS

Learn how to integrate your company's Active Directory Federation Services implementation for federated login access into Stax

Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Active Directory Federation Services (AD FS) is Microsoft's SAML identity provider (IdP) that is available with Windows Server from Windows Server 2003 onwards.

This guidance assumes you're subscribed to the Stax platform. If you only have the Cost & Compliance module, review this article instead.

Before You Begin

  • Estimated time to complete: 1 hour
  • You need to be a member of the Admin role in your Stax tenancy to complete this task
  • You need permissions to administer the AD FS environment
  • While Stax should work with AD FS all the way back to Windows Server 2003, we support running AD FS on Windows Server 2016 and newer

Create the Relying Party Trust in AD FS

Prepare the SAML URIs

First, you'll need to determine some URIs. If you're not sure how to get these, simply raise a case in the Stax Console and we'll help you out.

Your <customer-alias> is the same as you enter at the Stax Console login page shown here. Below, it is mega-corp.

Customer Alias

Your <installation-id> can be found by reviewing the URL of the login page after you enter your customer alias, as shown here. It's between your customer alias and staxapp.cloud in the URL. Below, it is au1.

Installation ID

Once you've determined your <customer-alias> and <installation-id>, you can form the URIs required for SAML setup:

Prepare the Active Directory Domain Services (AD) Groups

Stax has three roles: admin, user, and readonly. You can use AD FS to assign these roles at login time. For this purpose, you'll need to create and populate three AD groups.

In the examples below, we'll use the following three group names:

  • Stax Admins
  • Stax Users
  • Stax Read Only Users

See Stax Roles - Stax Permissions for more information on Stax roles.

Configure AD FS

Once you've prepared the URIs and AD Groups, you can configure AD FS.

  1. Connect via Remote Desktop to the Windows Server holding the AD FS "Primary Computer" role. If you're unsure which computer this is, run Windows PowerShell as an administrator and issue the following command:

    Get-AdfsFarmInformation |
    Select-Object -ExpandProperty FarmNodes |
    Where-Object { $_.NodeType -eq "PrimaryComputer" } |
    Select-Object FQDN
    
  2. From the Start menu, open Windows Administrative Tools, then double-click on AD FS Management to open the AD FS console

  3. Within the AD FS console's navigation pane, navigate to AD FS then Relying Party Trusts. In the Actions pane, choose Add Relying Party Trust... to open the Add Relying Party Trust Wizard

    AD FS Console

  4. Depending on your version of AD FS, you may be prompted to choose whether the application is Claims aware or Non claims aware. Ensure Claims aware is selected and click Start

    Add Relying Party Trust Wizard 1

  5. On the Select Data Source page, choose Enter data about the relying party manually and click Next

    Select Data Source

  6. On the Specify Display Name page, enter a Display Name for the application that fits your corporate convention. Each Display Name must be unique within your AD FS farm. Enter a description if appropriate and click Next

    Specify Display Name

  7. On the Configure Certificate page, leave the token encryption certificate blank and click Next

    Configure Certificate

  8. On the Configure URL page, check the Enable support for the SAML 2.0 WebSSO protocol box and enter the SAML 2.0 Service URL you determined earlier in the URL text box. Click Next

    Configure URL

  9. On the Configure Identifiers page, add the Entity ID you determined earlier.

    Enter this value into the Relying party trust identifier field. Choose Add and then Next

    Configure Identifiers

  10. On the Choose Access Control Policy page, choose the appropriate access control policy and any relevant parameters. In the example below, access is restricted so that only members of the Stax Admins, Stax Read Only Users, and Stax Users Active Directory groups can log into Stax. Click Next

    Choose an Access Control Policy

  11. On the Ready to Add Trust page, review your settings then click Next. Leave Configure claims issuance policy for this application selected on the Finish page, and click Close. This will add the Relying Party Trust and open the Edit Claim Issuance Policy dialog

    Edit Claim Issuance Policy

  12. On the Edit Claim Issuance Policy dialog, click Add Rule... and add the following claim rules:

    Each rule is listed as Parameter: Value.

    Claim rule 1: Send AD properties as claims
      Claim rule template: Send LDAP Attributes as Claims
      Claim rule name: Send AD Attributes as Claims
      Attribute Store: Active Directory
      Attribute mapping (LDAP Attribute -> Outgoing Claim Type):
        E-Mail-Addresses -> email
        Given-Name -> firstName
        Surname -> lastName
        E-Mail-Addresses -> persistentId

    Claim rule 2: Send Stax Admins group membership as a claim
      Claim rule template: Send Group Membership as a Claim
      Claim rule name: Send Stax Role - Admin as Claim
      User's group: CORP\Stax Admins (your 'Stax Admins' AD group)
      Outgoing claim type: JumaRole
      Outgoing claim value: customer_admin

    Claim rule 3: Send Stax Users group membership as a claim
      Claim rule template: Send Group Membership as a Claim
      Claim rule name: Send Stax Role - User as Claim
      User's group: CORP\Stax Users (your 'Stax Users' AD group)
      Outgoing claim type: JumaRole
      Outgoing claim value: customer_user

    Claim rule 4: Send Stax Read Only Users group membership as a claim
      Claim rule template: Send Group Membership as a Claim
      Claim rule name: Send Stax Role - Read Only as Claim
      User's group: CORP\Stax Read Only Users (your 'Stax Read Only Users' AD group)
      Outgoing claim type: JumaRole
      Outgoing claim value: customer_readonly

    Claim rule 5: Send Persistent Name Identifier as a Claim
      Claim rule template: Transform an Incoming Claim
      Claim rule name: Send Persistent Name Identifier
      Incoming claim type: persistentId
      Outgoing claim type: Name ID
      Outgoing name ID format: Persistent Identifier
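As an added example (not Stax's tooling or the page's own code), the same relying party trust and the five claim rules from steps 8, 9 and 12 created with the AD FS PowerShell module instead of the wizard. The SAML 2.0 Service URL and Entity ID are placeholders for the URIs you prepared earlier, the trust name "Stax" is an assumed display name, and the group SIDs are looked up with the ActiveDirectory module because the "Send Group Membership as a Claim" template matches on the group SID.

```powershell
# Added example: scripted equivalent of the Add Relying Party Trust wizard steps.
# Run as an administrator on the primary AD FS computer with the ADFS and
# ActiveDirectory modules available. Replace the two placeholders first.
$samlServiceUrl = "https://<saml-2.0-service-url-from-your-uri-table>"   # placeholder
$entityId       = "<entity-id-from-your-uri-table>"                       # placeholder

# Role mapping exactly as in claim rules 2, 3 and 4 (group name -> JumaRole value).
$roles = @(
    @{ Group = "Stax Admins";          Value = "customer_admin";    Name = "Send Stax Role - Admin as Claim" },
    @{ Group = "Stax Users";           Value = "customer_user";     Name = "Send Stax Role - User as Claim" },
    @{ Group = "Stax Read Only Users"; Value = "customer_readonly"; Name = "Send Stax Role - Read Only as Claim" }
)

# Claim rules 1 and 5 in AD FS claim rule language (what the two templates generate).
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send AD Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "firstName", "lastName", "persistentId"), query = ";mail,givenName,sn,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Send Persistent Name Identifier"
c:[Type == "persistentId"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Claim rules 2-4: one group-membership rule per role, keyed on the group's SID.
foreach ($role in $roles) {
    $sid = (Get-ADGroup -Identity $role.Group).SID.Value
    $rules += @"

@RuleTemplate = "EmitGroupClaims"
@RuleName = "$($role.Name)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "JumaRole", Value = "$($role.Value)", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
}

# Step 8: SAML 2.0 WebSSO assertion consumer endpoint. Step 10's access control
# policy is still applied in the console afterwards (or via Set-AdfsRelyingPartyTrust).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $samlServiceUrl -Index 0

Add-AdfsRelyingPartyTrust -Name "Stax" `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $rules

# Verify: the stored rule set should be the text assembled above.
(Get-AdfsRelyingPartyTrust -Name "Stax").IssuanceTransformRules
```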

Configure Stax to allow AD FS Sign-In

When you're ready to have Stax configured, you simply need to supply us with your AD FS metadata, and we'll do the rest for you.

If you're not sure where to find your metadata file, open Windows PowerShell as an administrator on your primary AD FS server and run the following command:

Get-AdfsEndpoint |
Where-Object { $_.Protocol -eq "Federation Metadata" } |
Select-Object FullUrl
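As an added example (not Stax's or the page's own code), the following downloads the metadata document that the command above locates and reads back its entityID and token-signing certificate, so you can confirm what you are handing to Stax and when that certificate expires. It assumes it runs on the primary AD FS server with the ADFS module loaded.

```powershell
# Added example: inspect the federation metadata before sending it to Stax.
$endpoint = Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq "Federation Metadata" } |
    Select-Object -First 1
$metadataUrl = [string]$endpoint.FullUrl

$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

# PowerShell's XML dot-navigation ignores namespaces, so no prefix handling is needed.
$entityId    = $metadata.EntityDescriptor.entityID
$signingKeys = @($metadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor) |
    Where-Object { $_.use -eq "signing" }

# The farm's current primary token-signing certificate, for comparison.
$primarySigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary

foreach ($key in $signingKeys) {
    $raw  = [Convert]::FromBase64String($key.KeyInfo.X509Data.X509Certificate)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    [pscustomobject]@{
        EntityId   = $entityId
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        IsPrimary  = ($cert.Thumbprint -eq $primarySigning.Thumbprint)
    }
}
```

If more than one signing certificate is listed, AD FS is mid-rollover; send the metadata after the rollover completes or note both thumbprints when you raise the case.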

Once we've configured SAML on your Stax tenancy, we'll be in touch to let you know that it's ready to be tested.

How Do You Know This Worked?

Next time you navigate to your Stax Console login page, you'll see a new Corporate ID button on the right-hand side. Clicking this button will take you to your AD FS sign-in page. Log in on the AD FS page and you'll be signed into your Stax tenancy.

Choose Your Login Provider

See also