Link your Identity Provider - AD FS

Learn how to integrate your company's Active Directory Federation Services implementation for federated login access into Stax.

Article Tags

On This Page

Before You Begin Create the Relying Party Trust in AD FS Configure Stax to allow AD FS Sign-In How Do You Know This Worked?See also

Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Active Directory Federation Services (AD FS) is Microsoft's SAML identity provider (IdP) that is available with Windows Server from Windows Server 2003 onwards.

This guidance assumes your AWS accounts are Stax-managed. If you only have the Cost & Compliance module, review this article instead.

Before You Begin

Estimated time to complete: 1 hour
Ensure you are a member of the Admin role in your Stax tenancy
You need permissions to administer the AD FS environment
While Stax should work with AD FS all the way back to Windows Server 2003, we support running AD FS on Windows Server 2016 and newer

Create the Relying Party Trust in AD FS

Prepare the SAML URIs

First, you'll need to determine some URIs. If you're not sure how to get these, simply raise a case in the Stax Console and we'll help you out.

Your <customer-alias> is the same as you enter at the Stax Console login page shown here. Below, it is mega-corp.

Your <installation-id> can be found by reviewing the URL of the login page after you enter your customer alias, as shown here. It's between your customer alias and staxapp.cloud in the URL. Below, it is au1.

Once you've determined your <customer-alias> and <installation-id>, you can form the URIs required for SAML setup:

URI	Format	Example
Entity ID	https://id.security.<customer-alias>.<installation-id>.staxapp.cloud/auth/realms/master	https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master
SAML 2.0 Service URL	<entity-id>/broker/adfs/endpoint	https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/adfs/endpoint

Prepare the Active Directory Domain Services (AD) Groups

Stax has four roles; admin, Cost & Compliance admin, user, and readonly. You can use AD FS to specify these roles at login time. For this purpose, you'll need to create and populate four AD groups.

In the examples below, we'll use the following four group names:

Stax Admins
Stax Cost & Compliance Admins
Stax Users
Stax Read Only Users

See Stax Roles - Stax Permissions for more information on Stax roles.

Configure AD FS

Once you've prepared the URIs and AD Groups, you can configure AD FS.

Connect via Remote Desktop to the Windows Server holding the AD FS "Primary Computer" role. If you're unsure which computer this is, run Windows PowerShell as an administrator and issue the following command:
```
Get-AdfsFarmInformation |
Select-Object -ExpandProperty FarmNodes |
Where-Object { $_.NodeType -eq "PrimaryComputer" } |
Select-Object FQDN
```
From the Start menu, open Windows Administrative Tools, then double-click on AD FS Management to open the AD FS console
Within the AD FS console's navigation pane, navigate to AD FS then Relying Party Trusts. In the Actions pane, choose Add Relying Party Trust... to open the Add Relying Party Trust Wizard
Depending on your version of AD FS, you may be prompted to choose whether the application is Claims aware or Non claims aware. Ensure Claims aware is selected and click Start
On the Select Data Source page, choose Enter data about the relying party manually and click Next
On the Specify Display Name page, enter a Display Name for the application that fits your corporate convention. Each Display Name must be unique within your AD FS farm. Enter a description if appropriate and click Next
On the Configure Certificate page, leave the token encryption certificate blank and click Next
On the Configure URL page, check the Enable support for the SAML 2.0 WebSSO protocol box and enter the SAML 2.0 Service URL you determined earlier in the URL text box. Click
Next
On the Configure Identifiers page, add the Entity ID you determined earlier.
Enter this value into the Relying party trust identifier field. Choose Add and then Next
On the Choose Access Control Policy page, choose the appropriate access control policy and any relevant parameters. In the example below, access is restricted so that only members of the Stax Admins, Stax Read Only Users, and Stax Users Active Directory groups can log into Stax. Click Next
On the Ready to Add Trust page, review your settings then click Next. Leave Configure claims issuance policy for this application selected on the Finish page, and click Close. This will add the Relying Party Trust and open the Edit Claim Issuance Policy dialog

On the Edit Claim Issuance Policy dialog, click Add Rule... and add the following claim rules:

	Parameter	Value
1.	Send AD properties as claims
	Claim rule template	Send LDAP Attributes as Claims
	Claim rule name	Send AD Attributes as Claims
	Attribute Store	Active Directory
	Attribute mapping:
	LDAP Attribute	Outgoing Claim Type
	E-Mail-Addresses	email
	Given-Name	firstName
	Surname	lastName
	E-Mail-Addresses	persistentId
2.	Send Stax Admins group membership as a claim
	Claim rule template	Send Group Membership as a Claim
	Claim rule name	Send Stax Role - Admin as Claim
	User's group	CORP\Stax Admins (Your 'Stax Admins' AD Group)
	Outgoing claim type	Role
	Outgoing claim value	customer_admin
3.	Send Stax Cost & Compliance Admins group membership as a claim
	Claim rule template	Send Group Membership as a Claim
	Claim rule name	Send Stax Role - Cost Admin as Claim
	User's group	CORP\Stax Cost & Compliance Admins (Your 'Stax Admins' AD Group)
	Outgoing claim type	Role
	Outgoing claim value	customer_costadmin
4.	Send Stax Users group membership as a claim
	Claim rule template	Send Group Membership as a Claim
	Claim rule name	Send Stax Role - User as Claim
	User's group	CORP\Stax Users (Your 'Stax Users' AD Group)
	Outgoing claim type	Role
	Outgoing claim value	customer_user
5.	Send Stax Read Only Users group membership as a claim
	Claim rule template	Send Group Membership as a Claim
	Claim rule name	Send Stax Role - Read Only as Claim
	User's group	CORP\Stax Read Only Users (Your 'Stax Read Only Users' AD Group)
	Outgoing claim type	Role
	Outgoing claim value	customer_readonly
6.	Send Persistent Name Identifier as a Claim
	Claim rule template	Transform an Incoming Claim
	Claim rule name	Send Persistent Name Identifier
	Incoming claim type	persistentId
	Outgoing claim type	Name ID
	Outgoing name ID format	Persistent Identifier

When you're ready to have Stax configured, you simply need to supply us with your AD FS metadata, and we'll do the rest for you.

If you're not sure where to find your metadata file, open Windows PowerShell as an administrator on your primary AD FS server and run the following command:

Get-AdfsEndpoint |
Where-Object { $_.Protocol -eq "Federation Metadata " } |
Select-Object FullUrl

Once we've configured SAML on your Stax tenancy, we'll be in touch to let you know that it's ready to be tested.

How Do You Know This Worked?

Next time you navigate to your Stax Console login page, on the top, you'll see a new Continue with Corporate ID button. Clicking this button will take you to your AD FS sign-in page. Log in on the AD FS page and you'll be signed into your Stax tenancy.