4.1. Configuration steps on the Active Directory side

Active Directory Federation Services (AD FS) exposes an endpoint called a “Relying Party” through which it communicates with the DNN website. The data AD FS transmits is sent in packages called “Claims”. This section shows how to configure the list of required claims, for example the claims that carry the AD user profile. For instructions on installing the AD FS role in your Active Directory environment, refer to the official Microsoft documentation.

4.1.1. Configure Relying Party

In this step we create a “Relying Party”. Each DNN website requires its own separate “Relying Party”. To add a “Relying Party”, follow these steps:

  1. Open the AD FS Management console, select “Relying Party Trusts”, then select “Add Relying Party Trust…”; see the figure below.

    _images/base-configuration-relaying-party_01.png
  2. Select the last option, “Enter data manually…”, to configure the new “Relying Party Trust” by hand; see the figure below.

    _images/base-configuration-relaying-party_02.png
  3. Specify a display name.

    _images/base-configuration-relaying-party_03.png
  4. Select the AD FS profile.

    _images/base-configuration-relaying-party_04.png
  5. Do not configure an additional certificate for now; just click Next.

    _images/base-configuration-relaying-party_05.png
  6. Enter the WS-Federation endpoint address. This is your DNN website URL. Note: the trailing slash (/) is important.

    _images/base-configuration-relaying-party_06.png
  7. Add the Relying Party identifier. This is your DNN website URL, usually with the “/” at the end.

    _images/base-configuration-relaying-party_07.png
  8. Do not configure multi-factor authentication for now.

    _images/base-configuration-relaying-party_08.png
  9. Allow all users to log in.

    _images/base-configuration-relaying-party_09.png
  10. Do not change anything here; just click Next.

    _images/base-configuration-relaying-party_10.png
  11. Close the “Relying Party” wizard.

    _images/base-configuration-relaying-party_11.png

The “Relying Party” is now created. Next, define the list of claims that will be sent to DNN. Claim configuration is described in the sections below.

4.1.2. Create Claim Rules

AD FS uses claims as the container in which Active Directory user profile fields are sent to DNN. In the following sections we define the set of rules that determines which Active Directory user attributes are sent to DNN. “ADFS-Pro Authentication” requires the following claims: “Name Identifier”, “UPN” and the profile claims. To configure the claims sent from Active Directory to DNN, follow the steps below:

  1. Select the “Relying Party” connected with the DNN website (see the section above).

  2. Click the “Edit Claim Rules…” button.

    _images/base-configuration-claims_01.png
  3. Select the claim rule template “Send Claims Using a Custom Rule”.

    _images/base-configuration-claims_02.png

4.1.3. Configure Identity Claim

The identity claim defines the form the username will take. “ADFS-Pro Authentication” supports a variety of username formats (the default is DomainName\Username). The Identity Claim issued by AD FS therefore depends on the username format configured on the DNN side.

For the username format DomainName\Username, or for Cross Portal User with Domain, specify the following rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value =~ "^.*(\\).*$"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = c.Value);

See the figure below for reference.

_images/base-configuration-claims_03.png

If the DNN username is saved in the format Username or Cross Portal User (formats without the domain prefix), the AD FS identity claim rule is as follows:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value =~ "^.*(\\).*$"]
=> issue(Type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value=RegexReplace(c.Value, ".*\\", ""));

4.1.4. Configure Unique Claim

Add the following rule to issue the UPN claim:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(
    store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
    query = ";userPrincipalName;{0}", param = c.Value);

See the figure below for reference.

_images/base-configuration-claims_04.png

4.1.5. Configure profile claims

Add the following rule to send the AD user profile to DNN:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Username",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/FirstName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/MiddleName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/LastName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Displayname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/PostalAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Street",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Title",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Telephone",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Cell",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Fax",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/City",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Region",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Biography",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/PostalCode",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Office",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Department",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Company",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Website",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ipPhone",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Pager"),

    query =
    ";sAMAccountName,givenName,initials,sn,displayname,PostalAddress,StreetAddress,title,telephonenumber,Mobile,FacsimileTelephoneNumber,mail,l,st,description,postalCode,physicalDeliveryOfficeName,department,company,wwwhomepage,ipPhone,pager;{0}",
    param = c.Value);

See the figure below for reference.

_images/base-configuration-claims_05.png

4.1.6. Configure group claims

The rule below issues the AD groups a user belongs to:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(
    store = "Active Directory",
    types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
    query = ";tokenGroups;{0}",
    param = c.Value);

See the figure below for reference.

_images/base-configuration-claims_06.png

The following rule issues all AD groups whose name starts with the string “Domain”, for example the group Domain Users:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)Domain"]
=> issue(claim = c);

See the figure below for reference.

_images/base-configuration-claims_07.png
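The relying party and claim rules from sections 4.1.1 to 4.1.6 can also be created without the wizard, using the ADFS PowerShell module. The script below is an added example and not part of the ADFS-Pro documentation; it assumes an elevated shell on the AD FS server, and the DNN URL and trust name are placeholders to replace with your own values.

```powershell
# Added example: scripted equivalent of the wizard steps in 4.1.1 and the rules in 4.1.3-4.1.6.
Import-Module ADFS

$dnnUrl = 'https://dnn.example.com/'   # placeholder; keep the trailing slash (steps 6 and 7)
$rpName = 'DNN ADFS-Pro (example)'     # placeholder display name (step 3)

# Issuance transform rules, copied from this page: identity claim (DomainName\Username
# format), UPN claim and group claims. Append the profile-claims rule from 4.1.5 as needed.
$transformRules = @'
@RuleName = "Identity claim (domain-prefixed username)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value =~ "^.*(\\).*$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = c.Value);

@RuleName = "UPN claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Group claims (tokenGroups)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Issuance authorization rule equivalent to "Allow all users" (step 9).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust only if a trust with this display name does not exist yet.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName `
        -Identifier $dnnUrl `
        -WSFedEndpoint $dnnUrl `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Read back what AD FS stored: identifier and endpoint must match the DNN URL exactly,
# trailing slash included, or the WS-Federation sign-in will be rejected.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
```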

4.1.7. Custom login page

The AD FS login page can be customized to tailor the end-user experience to corporate needs. An example of a custom login page is shown in the figure below.

_images/base-configuration-login-page_01.png

See the links below for more information.