    Microsoft ADFS Configuration for SAML 2.0


    Introduction

    This guide provides step-by-step instructions for configuring a basic identity federation deployment between Microsoft Active Directory Federation Services (AD FS) and Bentley's Identity Management System (IMS).

    The document is intended for server and Active Directory administrators who are familiar with AD FS.

    Prerequisites

    • This guide assumes that your AD FS is properly set up on an SSL/TLS endpoint using HTTPS and that the authentication address is reachable by your corporate users.
    • Federation can only be configured for an email domain that is owned by your organization.

    Setup 

    Step 1 - Register IMS as a Relying Party (RP) in ADFS

    1. Open ADFS Management and navigate to Trust Relationships > Relying Party Trusts.
    2. Click Add Relying Party Trust.
    3. This is a claims-aware trust; click Start.
    4. In the Select Data Source screen, select the last option, “Enter data about the relying party manually”. Hit Next.
    5. For the Display Name, supply “Bentley IMS”. Hit Next.
    6. On the Configure Certificate screen, hit Next.
    7. On the next screen, select “Enable support for the SAML 2.0 WebSSO protocol” and supply the URL: https://ims.bentley.com/sp/ACS.saml2
    8. On the next screen, supply the following URL as the Relying party trust identifier and hit Add: https://ims.bentley.com/
    9. On the next screen, you’ll be asked about MFA or restricting access to a certain group. Bentley recommends allowing everyone to use the app; the “Permit Everyone” option is selected by default. Hit Next.
    10. On the "Ready to Add Trust" page, hit Next, then close the pop-up that follows.

    Step 2 - Setup Claims Issuance

    If the Edit Claim Rules wizard does not open automatically, access it from the AD FS Management application under AD FS > Trust Relationships > Relying Party Trusts. Click Edit Claim Rules ... on the right-hand side.

    1. On the Edit Claim Rules page, click Add Rule.
    2. Select the claim rule template Send LDAP Attributes as Claims from the dropdown and click Next.
    3. Select the attribute store Active Directory. Select the following LDAP attributes and outgoing claims, using the screenshot below as a reference.

    Notes:

    1. The Country attribute is typically stored in the LDAP directory under an attribute named “c”; however, in your tenant it may be stored elsewhere, so verify where the country information is stored for your tenant. If "c" is not in the drop-down list and that is where your country information is stored, manually type “c” into the blank attribute box. Regardless of where it is stored in LDAP, the outgoing claim should be called “Country”.
    2. If you define “c” as the country attribute, you will also need to define the correct schema for the “c” attribute in the Claim Descriptions, as seen below, or the federation may fail:

    Schema for above: 

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country

    This completes the ADFS server configuration portion for Single Sign On with Bentley IMS using the SAML 2.0 Protocol.

    Step 3 - Provide your Organization's Federation Metadata URL to Bentley

    Your organization's Federation Metadata URL is available in the AD FS Management Console.

    Browse to Service > Endpoints > Metadata > Type:Federation Metadata to find your federation metadata URL.
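    The scripted equivalent of Steps 1 to 3, as an added example that is not part of the original Bentley page. It uses the AD FS PowerShell module on the AD FS server and assumes the POST binding for the assertion consumer endpoint and that the country value lives in the LDAP attribute "c" (verify both for your environment); any further LDAP attributes from the screenshot referenced above must be added to the transform rule yourself.

```powershell
# Added example (not Bentley's own script): scripted version of Steps 1-3.
# Assumptions: POST binding for the ACS endpoint; country stored in LDAP "c".
Import-Module ADFS

$rpName    = 'Bentley IMS'
$rpId      = 'https://ims.bentley.com/'
$acsUrl    = 'https://ims.bentley.com/sp/ACS.saml2'
$countryCt = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country'

# Step 1: SAML 2.0 WebSSO assertion consumer endpoint for the relying party.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# "Permit Everyone" issuance authorization rule (what the wizard's default emits).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 2: "Send LDAP Attributes as Claims" rule issuing Country from attribute "c".
# Extend types/query with the other attributes your organization maps.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$countryCt"), query = ";c;{0}", param = c.Value);
"@

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpId -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules

# Note 2 from the page: register the Country claim description for "c" if missing.
if (-not (Get-AdfsClaimDescription | Where-Object ClaimType -eq $countryCt)) {
    Add-AdfsClaimDescription -Name 'Country' -ClaimType $countryCt -IsOffered $true -IsAccepted $true
}

# Check: confirm the trust, its identifier and the ACS endpoint are registered.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, SamlEndpoints

# Step 3: the Federation Metadata URL to provide to Bentley.
Get-AdfsEndpoint | Where-Object AddressPath -like '*FederationMetadata*' | Select-Object FullUrl
```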
