Adding a Relying Party Trust in AD FS

The AD FS server must be configured to establish a relying party trust with the ShareBase IdP. The following procedure describes how to set up the relying party trust using the Add Relying Party Trust Wizard.

To add a relying party trust:

  1. Access the Add Relying Party Trust Wizard on the AD FS server.
  2. If you are using Windows Server 2016 or later, select Claims aware on the Welcome page.
  3. Click Start.
  4. On the Select Data Source page, select Enter data about the relying party manually.
  5. On the Specify Display Name page, enter a display name for the ShareBase IdP.
  6. On the Choose Profile page (Windows Server 2012 or 2012 R2), select the latest available profile for your version of AD FS.
  7. On the Configure URL page, do the following:
    1. Select Enable support for the WS-Federation Passive protocol.
    2. In the Relying party WS-Federation Passive protocol URL field, enter the path of the ShareBase IdP. This path is the ShareBase API path with idp/ appended.

      For example, the following is the ShareBase IdP path for the United States data center:

      https://app.sharebase.com/sharebaseapi/idp/

      Note:

      The path is case sensitive. Make sure the API path exactly matches the path specified for your deployment. To find the API path for your deployment, open ShareBase Administration, and then open the Deployment Details view. The API path is specified in the API Path field.

  8. On the Configure Identifiers page, enter the path to the ShareBase IdP in the Relying party trust identifier field. This path is the ShareBase API path with idp appended.

    For example, the following is the relying party trust identifier for the United States data center:

    https://app.sharebase.com/sharebaseapi/idp

    Note:

    The path is case sensitive. Make sure the API path exactly matches the path specified for your deployment.

  9. On the Configure Multi-factor Authentication Now? page (Windows Server 2012 R2), select I do not want to configure multi-factor authentication settings for this relying party trust at this time.
  10. On the Choose Issuance Authorization Rules page (Windows Server 2012 or 2012 R2), select one of the following options:
    • Permit all users to access this relying party: Select this option if all user groups should be allowed access to ShareBase by default. Later, you can add claim rules to deny access for certain groups.

    • Deny all users access to this relying party: Select this option if all user groups should be denied access to ShareBase by default. Later, you must add claim rules to permit access for certain groups.

    For more information about these options, see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/gg557738(v=ws.10).

  11. On the Choose Access Control Policy page (Windows Server 2016 and later), do the following:
    1. Select Permit specific group.
    2. Specify each group that should be permitted access to ShareBase.
  12. On the Ready to Add Trust page, review the trust settings and endpoints. The Endpoints tab must contain an endpoint for the identifier URL you configured.
  13. On the Finish page, select the option to configure or edit claim rules.
  14. Click Close. You are prompted to configure claim rules.
  15. Click Add Rule.
  16. Select Send LDAP Attributes as Claims from the Claim rule template drop-down.
  17. Give the claim rule a descriptive name.
  18. Select Active Directory from the Attribute store drop-down.
  19. Map the appropriate LDAP Attributes to the Outgoing Claim Types specified in the following table. LDAP attributes may vary per organization.

    | Map This LDAP Attribute                    | To This Outgoing Claim Type |
    |--------------------------------------------|-----------------------------|
    | The unique identifier of the user in AD FS | Name ID                     |
    | The email address of the user              | E-Mail Address              |
    | The first and last name of the user        | Name                        |
    | Groups the user is a member of             | Group                       |

    Note:

    The attribute mapped to the Name ID must be unique and static for each user. Do not use the email address attribute, which can be changed in AD FS. If users do not have a unique ID, consider using a persistent name identifier. For more information, see https://blogs.msdn.microsoft.com/card/2010/02/17/name-identifiers-in-saml-assertions/.
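The wizard steps above can also be applied as a single script with the AD FS PowerShell module, which makes the trust identifier, endpoint and claim rules reviewable before they are committed. This is an added example, not part of the ShareBase documentation; it assumes the United States data center API path, and the LDAP attributes (objectGUID, mail, displayName, tokenGroups), the trust name and the group SID are placeholders to be adjusted per organization.

```powershell
# Added example (not from the ShareBase documentation). Builds the same relying party
# trust the wizard creates. Assumptions: US data center API path; the LDAP attribute
# names, the trust name and the group SID are placeholders that vary per organization.
Import-Module ADFS

$apiPath       = 'https://app.sharebase.com/sharebaseapi'  # copy exactly from Deployment Details; case sensitive
$wsFedEndpoint = "$apiPath/idp/"                           # Configure URL page: idp/ with trailing slash
$identifier    = "$apiPath/idp"                            # Configure Identifiers page: idp without trailing slash
$groupSid      = 'S-1-5-21-REPLACE-WITH-GROUP-SID'         # placeholder: SID of the group permitted to use ShareBase

# Steps 15-19: "Send LDAP Attributes as Claims" rule. objectGUID is chosen for Name ID because it is
# unique and static for each user (the email address is not). mail, displayName and tokenGroups are
# assumed attribute names; adjust them to your directory.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ShareBase attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";objectGUID,mail,displayName,tokenGroups;{0}", param = c.Value);
'@

# Steps 10/11: deny by default, permit only members of one group (issuance authorization rule form,
# which applies on Windows Server 2012 R2 and is still honoured by 2016 and later).
$authzRules = @"
@RuleName = "Permit ShareBase users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name 'ShareBase IdP' `
    -Identifier $identifier `
    -WSFedEndpoint $wsFedEndpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Step 12 check: the identifier and the WS-Federation endpoint must match the ShareBase path exactly,
# including case and the presence or absence of the trailing slash.
Get-AdfsRelyingPartyTrust -Name 'ShareBase IdP' |
    Select-Object Name, Identifier, WSFedEndpoint
```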