This example shows you how to configure an Identity Provider (IdP) for SAML 2.0 SSO, using Active Directory Federation Services. Once these steps have been completed, you can use the IdP with the procedures described in the article Configuring SAML 2.0 Web SSO for the Service Portal in Commander 6.

Prerequisites for this example

• Commander must be installed with a valid certificate. This example uses an internal certificate authority (CA). See the Knowledge Base article Generating and Installing an SSL Certificate with Active Directory Certificate Services for more information.
• You must have a verified operational Active Directory Federation Services (ADFS) server. See the Microsoft article Verify That a Federation Server Is Operational for more information.
• You need a Service Portal user account to test the configuration. This user must be a member of the domain for which the ADFS server has been configured.
• You must configure Commander for single sign-on and generate Commander metadata as shown in the procedure above.

Configuring the ADFS server for single sign-on

1. On the ADFS Server, launch the ADFS Management Console.
2. Right-click the tree and select Add Relying Party Trust.
3. On the Select Data Source page of the Add Relying Party Trust Wizard, select Import data about the relying party from a file.
   
   
4. Click Browse and navigate to the Commander-sp-metadata.xml file you generated in the previous procedure.
5. On the Specify Display Name page, give the trust configuration an identifying name, such as Commander Service Portal SSO.
   
   
6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party. In a production environment, we do not recommend allowing access to all users.
   
   
7. On the Ready to Add Trust page, review your settings. 
8. On the Finish page, select Open the Edit Claims Rules Dialogue for this relying party trust when the wizard closes, and click Close.
   
   
9. In the Edit Claim Rules window, go to the Issuance Transform Rules tab and click Add Rule.
   
10. In the Add Transform Claim Rule wizard, select Send LDAP Attributes as Claims from the Claim rule template drop-down list.
    
11. Configure the rule to map User-Principal-Name to mail. The mapped attribute must match the Credential Attribute configured above.
    
12. Click Finish.
13. Add another rule to transform an incoming claim and give the rule a name.
    
    
     
14. Configure the rule to map the Windows account name to the Windows-formatted Name ID.
    
15. Verify your settings and click Finish.
    

Testing the configuration 

1. Browse to https://<Commander host>:<port>/portal. You are redirected to a sign-in page on the ADFS server.
2. In the same browser session, log in as a preconfigured Service Portal user. You are able to access the Service Portal without having to log in again.