
Microsoft ADFS integration with SAML

ADFS is a software solution developed by Microsoft that runs as a component on Windows Server operating systems. It provides SSO to applications across organization boundaries through the secure sharing of entitlement rights and digital identity. AD FS can be configured to authenticate users stored in an LDAP directory (for more information, refer to Microsoft's Configure AD FS to authenticate users stored in LDAP directories document).

Info: These instructions were prepared using Windows Server 2022.

This document explains how to configure Active Directory Federation Services (ADFS) and Invicti Platform for Single Sign-On.

Configure Microsoft AD FS with SAML

There are two parts to this procedure:

Step 1: Add a Relying Party Trust

  1. Open Microsoft Active Directory Federation Services Management.
  2. From the ADFS node, select Relying Party Trusts.
  3. In the Actions panel, select Add Relying Party Trust.
Screenshot: Open Microsoft Active Directory Federation Services Management
  4. In the Welcome step, click Start.
Screenshot: Start Add Relying Party Trust Wizard
  5. Select Enter data about the relying party manually, and click Next.
Screenshot: Select data source for relying party trust
  6. In the Display Name field, enter a display name, then click Next. The Configure Certificate step is displayed.
  7. Accept the defaults by selecting Next. The Configure URL step is displayed.
Screenshot: Configure display name for relying party trust
  8. Select Enable support for the SAML 2.0 WebSSO protocol.
  9. Log in to Invicti Platform and, from the menu, select Settings > Security & access control > SSO & Provisioning.
  10. Turn on the Enable SSO toggle.
  11. Select ADFS from the SSO Provider drop-down list.
Screenshot: Enable SAML 2.0 WebSSO protocol and configure Invicti SSO
  12. Copy the URL from the SAML 2.0 Service URL field. Then, in the Microsoft ADFS Wizard, paste the URL into the Relying party SAML 2.0 SSO service URL field.
  13. In the Microsoft ADFS Wizard, select Next. The Configure Identifiers step is displayed.
  14. Copy the URL from the Identifier field in Invicti. Then, in the Microsoft ADFS Wizard, paste the URL into the Relying party trust identifier field.
Screenshot: Configure relying party trust identifier
  15. Select Add, then Next. The Choose Access Control Policy step is displayed.
  16. Select Permit everyone, then click Next. The Ready to Add Trust step is displayed.
Screenshot: Choose Access Control Policy - Permit everyone
  17. Review your settings, and select Next. The Finish step is displayed.
Screenshot: Review settings and finish relying party trust
  18. Click Close.
Screenshot: Complete Add Relying Party Trust Wizard

Step 2: Edit the Claim Issuance Policy

  1. Open Microsoft Active Directory Federation Services Management.
  2. From the ADFS node, select Relying Party Trusts. The relying party trust you have just created is listed in the central panel.
  3. Right-click the relying party trust and choose Edit Claim Issuance Policy. The Edit Claim Issuance Policy dialog box is displayed.
Screenshot: Edit Claim Issuance Policy from Relying Party Trusts
  4. Click Add Rule. The Add Transform Claim Rule wizard is displayed.
  5. From the Claim rule template drop-down, select Send LDAP Attributes as Claims.
  6. Click Next.
Screenshot: Add Transform Claim Rule wizard - Send LDAP Attributes
  7. In the Claim rule name field, enter a name.
  8. From the Attribute store drop-down, select Active Directory.
  9. In the Mapping of LDAP attributes to outgoing claim types section, select the following attributes from the drop-down lists.

     LDAP Attribute        Outgoing Claim Type
     E-Mail-Addresses      E-Mail Address
     Given-Name            Given Name
     Surname               Surname

Screenshot: Configure LDAP attributes mapping to claim types
  10. Click Finish to display the Edit Claim Issuance Policy window.
  11. Click Add Rule.
  12. Select Transform an Incoming Claim as the claim rule template to use and click Next.
  13. Configure the Transform an Incoming Claim rule as shown in the following image:
    • Enter a Claim rule name. In this example, Email Transform is used.
    • In the Incoming claim type drop-down, select E-Mail Address.
    • In the Outgoing claim type drop-down, select Name ID.
    • In the Outgoing name ID format drop-down, select Email.
Screenshot: Transform incoming claim configuration for Email Transform
  14. Click Finish.
  15. Download the ADFS SAML metadata from https://<server-address>/FederationMetadata/2007-06/FederationMetadata.xml
  16. Open the downloaded ADFS SAML metadata file and copy the URL in the entityID attribute of the EntityDescriptor node.
  17. From Invicti Platform's main menu, select Settings > Security & access control > SSO & Provisioning.
  18. Turn on the Enable SSO toggle.
  19. Select ADFS from the SSO Provider drop-down list.
  20. Paste the URL from Step 16 (the entityID) into the IdP Identifier field.
  21. Copy the URL from the Location attribute of the SingleSignOnService node in the ADFS SAML metadata file.
  22. Paste the URL into the SAML 2.0 Endpoint field in Invicti.
  23. Copy the content of the X509Certificate node of the signing certificate in the ADFS SAML metadata file.
  24. Paste it into the X.509 Certificate field in Invicti.
Screenshot: Configure Invicti SSO settings with ADFS metadata
  25. Select the checkboxes for signed assertions, encrypted assertions, or sign requests as needed.
Screenshot: Configure additional security options for assertions and certificates
  26. If you enable any of these options, a new section appears where you can generate a new certificate or upload an existing one.
  27. Use the SSO Exemptions drop-down to select users who can log in to Invicti with a password.
Screenshot: SSO Exemptions field in Invicti Platform
  28. Click Save to finish the configuration.
Info: To learn more about the Single Sign-On fields, refer to the Single Sign-On configuration document.
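The values that Step 2 has you copy out of FederationMetadata.xml by hand (the entityID, the SAML 2.0 endpoint and the signing certificate) can be pulled out programmatically. The Python script below is an added example, not code from the Invicti or Microsoft documentation; it picks the HTTP-POST SingleSignOnService location and only the signing KeyDescriptor(s), so the encryption certificate that ADFS also publishes is never pasted into the X.509 Certificate field. The embedded metadata sample is constructed and trimmed, and adfs.example.test is a placeholder hostname.

```python
"""Extract entityID, SAML 2.0 Endpoint and signing X.509 cert(s) from ADFS metadata."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, trimmed-down sample; real ADFS metadata is signed and much longer.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>ENCCERT</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC
        SIGNCERT</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_idp_settings(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # SAML 2.0 Endpoint: the HTTP-POST SingleSignOnService location.
    sso = [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
           if s.get("Binding") == POST_BINDING]
    if not sso:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    # Signing certificates only: skip use="encryption". A KeyDescriptor without a
    # 'use' attribute is valid for both purposes, so it is kept. ADFS can publish
    # more than one signing certificate during a token-signing rollover.
    certs = ["".join(c.text.split())
             for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"
             for c in kd.iter(f"{{{DS}}}X509Certificate")]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "signing_certs": certs}
```

For a real download, pass the file contents: extract_idp_settings(open("FederationMetadata.xml", encoding="utf-8").read()). If more than one signing certificate is returned, ADFS is mid-rollover and the trust needs the one currently marked primary in the ADFS console.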

