
Microsoft Active Directory Federation Services Integration with SAML

This document is for:
Invicti Platform

Active Directory Federation Services (AD FS) is a Microsoft component that runs as a role on Windows Server. It provides single sign-on (SSO) to applications across organization boundaries by securely sharing digital identity and entitlement information as claims. AD FS can also be configured to authenticate users stored in an LDAP directory (for more information, refer to the Microsoft documentation: Configure AD FS to authenticate users stored in LDAP directories).

This document explains how to configure AD FS and Invicti Platform for single sign-on over SAML 2.0.

These instructions were prepared using Windows Server 2022.

How to configure Microsoft AD FS with SAML

There are two parts to this procedure:

Step 1: Add a Relying Party Trust

  1. Open Microsoft Active Directory Federation Services Management.
  2. From the AD FS node, select Relying Party Trusts.
  3. In the Actions panel, select Add Relying Party Trust.
  4. In the Welcome step, click Start.
  5. Select Enter data about the relying party manually, and click Next.
  6. In the Display Name field, enter a display name, then click Next. The Configure Certificate step is displayed.
  7. Accept the defaults by clicking Next. The Configure URL step is displayed.
  8. Select Enable support for the SAML 2.0 WebSSO protocol.
  9. Log in to Invicti Platform and, from the menu, select Settings > Security & Access Control > SSO.
  10. Turn on the Enable SSO toggle.
  11. Select ADFS from the SSO Provider drop-down list.
  12. Copy the URL from the SAML 2.0 Service URL field. Then, in the AD FS wizard, paste it into the Relying party SAML 2.0 SSO service URL field.
  13. In the AD FS wizard, click Next. The Configure Identifiers step is displayed.
  14. Copy the URL from the Identifier field in Invicti. Then, in the AD FS wizard, paste it into the Relying party trust identifier field.
  15. Click Add, then Next. The Choose Access Control Policy step is displayed.
  16. Select Permit everyone, then click Next. The Ready to Add Trust step is displayed. Permit everyone lets any user that AD FS can authenticate sign in to Invicti; if only some users should have access, select or create an access control policy that is scoped to a group instead.
  17. Review your settings and click Next. The Finish step is displayed.
  18. Click Close.

Step 2: Edit the Claim Issuance Policy

  1. Open Microsoft Active Directory Federation Services Management.
  2. From the AD FS node, select Relying Party Trusts. The relying party trust you just created is listed in the central panel.
  3. Right-click the relying party trust and choose Edit Claim Issuance Policy. The Edit Claim Issuance Policy dialog box is displayed.
  4. Click Add Rule. The Add Transform Claim Rule wizard is displayed.
  5. From the Claim rule template drop-down, select Send LDAP Attributes as Claims.
  6. Click Next.
  7. In the Claim rule name field, enter a name.
  8. From the Attribute store drop-down, select Active Directory.
  9. In the Mapping of LDAP attributes to outgoing claim types section, select the following attributes from the drop-down lists:

     LDAP Attribute      Outgoing Claim Type
     E-Mail-Addresses    E-Mail Address
     Given-Name          Given Name
     Surname             Surname

  10. Click Finish to return to the Edit Claim Issuance Policy window.
  11. Click Add Rule.
  12. Select Transform an Incoming Claim as the claim rule template and click Next.
  13. Configure the rule as follows:
  • Claim rule name: a name of your choice. In this example we use Email Transform.
  • Incoming claim type: E-Mail Address.
  • Outgoing claim type: Name ID.
  • Outgoing name ID format: Email.
  14. Click Finish.
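The AD FS side of this procedure (the relying party trust from Step 1 and the two claim rules above) can also be applied with the AD FS PowerShell module, which is useful for repeatable or reviewed changes. The script below is an added example and is not part of Invicti's documentation or product. Run it on the AD FS server in an elevated session. The $AcsUrl and $Identifier parameters are placeholders for the SAML 2.0 Service URL and Identifier values shown on Invicti's SSO page; the claim rule text is the standard claim rule language that the Send LDAP Attributes as Claims and Transform an Incoming Claim templates generate.

```powershell
#Requires -Modules ADFS
# Added example (not from the Invicti documentation): create the Invicti relying
# party trust and its claim issuance policy with the AD FS cmdlets instead of the
# wizard. Run on the AD FS server as an AD FS administrator.
param(
    # Placeholder: value of the "SAML 2.0 Service URL" field on Invicti's SSO page
    [Parameter(Mandatory)][string]$AcsUrl,
    # Placeholder: value of the "Identifier" field on Invicti's SSO page
    [Parameter(Mandatory)][string]$Identifier,
    [string]$Name = "Invicti Platform",
    # "Permit everyone" matches the wizard step above; use a group-scoped policy
    # (for example "Permit specific group") if not every AD user should reach Invicti.
    [string]$AccessControlPolicyName = "Permit everyone"
)

$ErrorActionPreference = "Stop"

# The same two rules the wizard produces, in the AD FS claim rule language:
# LDAP attributes -> claims, then E-Mail Address -> Name ID in email format.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Invicti LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Refuse a plain-http assertion consumer URL: the signed assertion carrying the
# user's identity would be posted in clear text. The wizard does not check this.
if (-not $AcsUrl.StartsWith("https://", [StringComparison]::OrdinalIgnoreCase)) {
    throw "Assertion consumer URL must use https: $AcsUrl"
}

if (Get-AdfsRelyingPartyTrust -Name $Name -ErrorAction SilentlyContinue) {
    throw "A relying party trust named '$Name' already exists."
}

# The wizard's "Relying party SAML 2.0 SSO service URL" is a POST-binding
# SAML assertion consumer endpoint.
$acs = New-AdfsSamlEndpoint -Binding "POST" -Protocol "SAMLAssertionConsumer" -Uri $AcsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $Name `
    -Identifier $Identifier `
    -SamlEndpoint $acs `
    -AccessControlPolicyName $AccessControlPolicyName `
    -IssuanceTransformRules $rules

# Verify: the trust exists, carries exactly the identifier Invicti shows, and has both rules.
$trust = Get-AdfsRelyingPartyTrust -Name $Name
if ($trust.Identifier -notcontains $Identifier) { throw "Identifier mismatch on '$Name'" }
if (($trust.IssuanceTransformRules -split '@RuleTemplate').Count -ne 3) { throw "Expected two claim rules on '$Name'" }
$trust | Select-Object Name, Identifier, AccessControlPolicyName, SamlEndpoints
```

The identifier must match the Invicti value byte for byte: AD FS selects the relying party trust by the Issuer in the incoming AuthnRequest, so a trailing slash or a different scheme produces an "identifier not found" error rather than a near match.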
  15. Download the AD FS SAML metadata from https://<server-address>/FederationMetadata/2007-06/FederationMetadata.xml
  16. Open the downloaded metadata file and copy the URL in the entityID attribute of the EntityDescriptor node.
  17. From Invicti Platform's main menu, select Settings > Security & Access Control > SSO.
  18. Turn on the Enable SSO toggle.
  19. Select ADFS from the SSO Provider drop-down list.
  20. Paste the entityID URL you copied from the metadata file into the IdP Identifier field.
  21. In the metadata file, copy the URL from the Location attribute of the SingleSignOnService node (the metadata lists one SingleSignOnService node per binding).
  22. Paste the URL into the SAML 2.0 Endpoint field in Invicti.
  23. In the metadata file, copy the content of the X509Certificate node inside the KeyDescriptor node whose use attribute is "signing". Do not use the encryption certificate; only the signing certificate lets Invicti verify the assertions AD FS issues.
  24. Paste it into the X.509 Certificate field in Invicti.
  25. Select the checkboxes for signed assertions, encrypted assertions, or sign requests as needed.
  26. If you enable any of these options, a new section appears where you can generate a new certificate or upload an existing one.
  27. Use Invicti's SSO Exemptions drop-down to select users who can still log in to Invicti with a password.
  28. Click Save to finish the configuration.
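The three metadata values pasted into Invicti above (IdP Identifier, SAML 2.0 Endpoint and the X.509 signing certificate) are copied by hand from FederationMetadata.xml, where the encryption certificate and a second signing certificate (during a token-signing rollover) are easy to confuse with the right one. The following PowerShell is an added example, not Invicti's or Microsoft's code: it extracts the values with namespace-aware XPath and decodes the signing certificate so its thumbprint and expiry can be compared with Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server. The sample metadata it runs on is constructed, with a placeholder host and placeholder certificate bodies.

```powershell
# Added example (not from the Invicti documentation): pull the values Invicti needs
# out of the AD FS federation metadata with an XML namespace-aware query.
function Get-AdfsSamlSettings {
    param([Parameter(Mandatory)][xml]$Metadata)

    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

    $entity = $Metadata.SelectSingleNode("/md:EntityDescriptor", $ns)
    if (-not $entity) { throw "Not a SAML EntityDescriptor document" }

    # AD FS publishes one SingleSignOnService element per binding; select one
    # explicitly rather than taking whichever appears first.
    $sso = $Metadata.SelectSingleNode(
        "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", $ns)
    if (-not $sso) { throw "No HTTP-POST SingleSignOnService in metadata" }

    # Only KeyDescriptor use="signing" certificates verify assertions. There may be
    # two while an AD FS token-signing certificate rollover is pending.
    $certs = @($Metadata.SelectNodes(
        "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
        ForEach-Object { $_.InnerText -replace '\s', '' })
    if ($certs.Count -eq 0) { throw "No signing certificate in metadata" }

    [pscustomobject]@{
        IdpIdentifier       = $entity.GetAttribute("entityID")   # -> Invicti "IdP Identifier"
        SamlEndpoint        = $sso.GetAttribute("Location")      # -> Invicti "SAML 2.0 Endpoint"
        SigningCertificates = $certs                             # -> Invicti "X.509 Certificate"
    }
}

# Decode a base64 certificate from the metadata so its thumbprint and expiry can be
# compared with the AD FS token-signing certificate (Get-AdfsCertificate on the server).
function Get-CertificateSummary {
    param([Parameter(Mandatory)][string]$Base64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

# Constructed sample metadata: the shape of a real FederationMetadata.xml, but the
# host and the certificate bodies are placeholders, not real values.
$sample = [xml]@'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>PLACEHOLDER-SIGNING-CERT</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

# Returns only the signing certificate, never the encryption one.
Get-AdfsSamlSettings -Metadata $sample | Format-List

# Against a real server (replace <server-address> as in the download step above):
#   $xml = [xml](Invoke-WebRequest -Uri "https://<server-address>/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing).Content
#   $s = Get-AdfsSamlSettings -Metadata $xml
#   $s.SigningCertificates | ForEach-Object { Get-CertificateSummary $_ }
```

Invicti holds a static copy of the certificate, so when AD FS rolls its token-signing certificate (automatically, if the AutoCertificateRollover setting is on) sign-in fails until the new certificate is pasted into the X.509 Certificate field; checking DaysLeft from Get-CertificateSummary, or comparing the thumbprint with the primary certificate from Get-AdfsCertificate, is the quickest way to tell a rollover from a misconfiguration.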

To learn more about the Single Sign-On fields, refer to the Single Sign-On configuration document.
