SAML - Active Directory Federation Services

KACE Cloud MDM subscribers can use Active Directory Federation Services (ADFS) when setting up single sign-on (SSO) in Windows environments. ADFS lets identity information be shared outside a company’s network while adding a layer of security beyond a third-party Active Directory.


Prerequisites:
  • Server Host - Microsoft Windows Server 2012 and above with ADFS installed.
    • Example of AD domain: DOMAIN.NAME
    • Note: The ADFS Server must support TLS 1.2.
  • DNS Setup - A Windows host name that must be accessible from the public internet.
    • Example of host name: fs.domain.name.
  • KACE Cloud MDM subscription - Active KACE Cloud subscription.
    • Example of tenant: 'companyA'. Example of portal: https://companyA.kacecloud.com

Tip: To set up an identity provider protocol using SAML and ADFS, open both KACE Cloud MDM and your ADFS Windows Server.

In KACE Cloud MDM:

  1. Select the Settings tab in top navigation.
  2. Choose Single Sign-On in left navigation.
  3. Select SAML v2.0.


Step 1. Import configuration URL from identity provider.

In KACE Cloud MDM:

  1. Construct a new URL to the location of the Federation Metadata XML document on your ADFS server. For ADFS 3.0, the URL is https://<adfs-server-address>/FederationMetadata/2007-06/FederationMetadata.xml, where <adfs-server-address> is the DNS name of your ADFS server.
    • Constructed: https://adfs.server.address/FederationMetadata/2007-06/FederationMetadata.xml
  2. Paste the newly created URL into the Import from URL field.
  3. Tip: Before you import, verify that the newly created URL is valid by pasting it into your browser’s address bar. The FederationMetadata.xml document should download automatically. If the file does not download to your device, update the settings on your ADFS server.
  4. Click Import.

Once imported, most of the information is populated in the main SSO configuration form in KACE Cloud MDM.


Step 2. Update SAML settings.

  1. Ensure that the Logout URL is the same as Sign-On URL.
    • If the Logout URL doesn’t pre-populate, copy from the Sign-On URL.
    • The address can also be found in the Federation Metadata XML document.

  2. Enable Signature Fields: The SAML Signature Key Name and Signature Algorithm fields are not visible until the 'Send signed requests' box is checked.

Select the following values for the listed controls:

  • Send Signed Requests - Value: Check
  • NameID Policy Format - Value: urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
  • SAML Signature Key Name - Value: CERT_SUBJECT
  • Signature Algorithm - Value: RSA_SHA256

OPTIONAL: To enable and display the Validating Certificates text box, check the 'Validate signatures of identity provider requests/responses' box.

Note: If the certificate value was included in the FederationMetadata.xml document imported in Step 1, it is displayed in the Validating Certificates text box. If it is not, you will need to paste in the appropriate value manually.

  3. Click Save Settings at the bottom of the page.
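The following Python script is an added example (not KACE Cloud MDM or ADFS code) that performs the Step 1 and Step 2 checks outside the browser: it builds the metadata URL from the ADFS host name, fetches it while refusing anything below TLS 1.2 (the prerequisite above), and parses the IDPSSODescriptor for the Sign-On URL, Logout URL and signing certificate that the SSO form expects. The metadata document embedded below is constructed for offline testing and its certificate is a placeholder; reading the HTTP-Redirect endpoints is an assumption, since ADFS publishes the same /adfs/ls/ path for both bindings.

```python
"""Added example: pull the Step 1 / Step 2 values out of ADFS federation
metadata.  Not KACE Cloud MDM or ADFS code."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumption: read the HTTP-Redirect endpoints; ADFS publishes /adfs/ls/ for
# both the Redirect and POST bindings, so the Location is the same either way.
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# ADFS 3.0 metadata path from Step 1.
METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"

# Constructed sample, trimmed to the elements the parser reads.  A real
# document is signed and lists many more endpoints; the certificate here is
# a placeholder, not real key material.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://fs.domain.name/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIC0EXAMPLE
          CERTBASE64
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://fs.domain.name/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://fs.domain.name/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def build_metadata_url(adfs_host: str) -> str:
    """Step 1: metadata URL for an ADFS host such as fs.domain.name."""
    return f"https://{adfs_host}{METADATA_PATH}"


def fetch_metadata(url: str, timeout: int = 10) -> bytes:
    """Download the metadata, refusing connections below TLS 1.2.
    Network call; the offline test does not use it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def parse_idp_metadata(xml_bytes: bytes) -> dict:
    """Extract entityID, Sign-On/Logout URLs and signing certificates from
    the IDPSSODescriptor (Step 2 says these can be found in the XML)."""
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def redirect_location(tag: str):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT_BINDING:
                return svc.get("Location")
        return None

    certs = [
        "".join((cert.text or "").split())  # strip the line wrapping
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")  # no 'use' means any purpose
        for cert in kd.findall(".//ds:X509Certificate", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso_url": redirect_location("SingleSignOnService"),
        "slo_url": redirect_location("SingleLogoutService"),
        "signing_certs": certs,
    }


def check_sso_settings(meta: dict) -> list:
    """Return the problems an admin would hit when filling in Step 2."""
    problems = []
    if not meta["sso_url"]:
        problems.append("no HTTP-Redirect SingleSignOnService; Sign-On URL missing")
    if not meta["slo_url"]:
        problems.append("Logout URL not in metadata; copy the Sign-On URL")
    elif meta["slo_url"] != meta["sso_url"]:
        problems.append("Logout URL differs from Sign-On URL")
    if not meta["signing_certs"]:
        problems.append("no signing certificate; paste it into Validating Certificates manually")
    return problems


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    print(parsed)
    print(check_sso_settings(parsed) or "metadata matches the Step 2 settings")
```

Run check_sso_settings on the parsed result before clicking Save Settings: an empty list means the Logout URL matches the Sign-On URL and a signing certificate was present to populate Validating Certificates; each string in a non-empty list names the field that has to be filled in by hand.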


Step 3. Confirm user attribute mappings.

To transform SAML-ADFS attributes to KACE Cloud MDM attributes, add the following values in the User Attribute Mappings section:

  • Attribute: Email - Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • Attribute: First Name - Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • Attribute: Last Name - Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Note: When setting up claim rules in ADFS (Rule 2 under Edit Claim Issuance), the SAM-Account-Name attribute is one of the four minimum requirements even though it does not appear among the KACE Cloud MDM attribute choices; it is still required for a successful ADFS SSO configuration in KACE Cloud MDM.


Step 4. Assign user roles.

To assign Device User Role:

If 'Automatic: Assign all SSO users the Device User role' is chosen, all users are assigned the Device User role.

To assign Device Admin Role:

If 'Automatic: Define certain attributes to assign SSO users the Device User role' is chosen, add the following values to the corresponding fields:

  • Description: A unique description for this group mapping.
  • Attribute Name: http://schemas.xmlsoap.org/claims/Group
  • Attribute Value: An attribute value from the http://schemas.xmlsoap.org/claims/Group node in the SAML document that corresponds to the group you will map in Step 6.

Click Save Settings.


Step 5. Obtain SAML service provider descriptor URI.

In KACE Cloud MDM:

The SAML service provider descriptor URI is the Redirect URL found at the top of the Wizard.

  1. Click Copy to the right of the Redirect URL field.

IMPORTANT: Copy the Redirect URL now. When asked to Select Data Source in Step 6 of the ADFS wizard, paste the URL and append /descriptor to it. Example of the full URL: https://auth.service.kacecloud.com/auth/realms/kace-cloud/broker/heliumsso/endpoint/descriptor

  2. Click Save Settings.


Step 6. Set up relying party trust in ADFS.

In your ADFS Windows Server:

There are two parts to Step 6: setting up the relying party trust with the wizard, then editing Claim Issuance by adding rules.

I. Relying Party Trust Wizard

From the ADFS management console:

  1. Open the Relying Party Trusts folder.
  2. Right-click the folder and choose Add Relying Party Trust from the menu.

The step above will open the Add Relying Party Trust Wizard. The wizard has six sections.

Section 1: Welcome

  1. Select Claims aware.
    • ADFS will send claim information like user attributes and group details to KACE Cloud MDM for mapping.
  2. Click Start.

Section 2: Select Data Source

  1. Select the first ‘Import data ...’ radio button.
  2. Enter the Redirect URL obtained in Step 5 into the ‘Federation metadata’ address field.
    • https://auth.service.kacecloud.com/auth/realms/kace-cloud/broker/heliumsso/endpoint/descriptor
    • This serves as the SAML descriptor and will allow ADFS to import settings.
  3. Click Next.

Section 3: Specify Display Name

  1. Enter your Display Name.
    • Your Display Name needs to be unique within ADFS. (Example: Your tenant name.)
  2. Enter any notes.
  3. Click Next.

Section 4: Choose Access Control Policy

  1. Accept the default or make a selection.
  2. Click Next.

Section 5: Ready to Add Trust

The relying party trust has been successfully configured.

  1. Review Settings across the available tabs.
  2. Click Next to finish configuring the relying party trust.

Section 6: Finish

The relying party trust has been successfully added.

  1. Leave the box checked so you can move on to Edit Claim Rules.
  2. Click Next, then Close to finish the wizard.


II. Edit Claim Issuance: Add Rules

Once you finish the wizard, you should be returned to the full list of Relying Party Trusts.

  1. In the list, right-click your newly created party trust.
  2. Select Edit Claim Issuance Policy from the dropdown.

This opens the 'Add Rule' window.

  • Click Add Rule to map each claim rule.

We’ll map the following three rules as examples:

  1. User ID
  2. User Attributes
  3. User Group

Rule 1: User ID

  1. Click Add Rule.
  2. From the Claim rule template dropdown, select Transform an Incoming Claim.
  3. Click Next.

Use the following information to Configure Claim Rule:

  1. Enter a Claim rule name. Example: Name ID.
  2. For Incoming claim type, select Windows Account Name.
  3. For Outgoing claim type, select Name ID.
  4. For Outgoing Name ID format: select Windows Qualified Domain Name.
  5. Select the radio button for Pass through all claim values.
  6. Click Finish, then OK.

Rule 2: User Attributes

  1. Click Add Rule.
  2. From the Claim rule template dropdown, select Send LDAP Attributes as Claims.
  3. Click Next.

Use the following information to Configure Claim Rule:

  1. Enter a Claim rule name. Example: First-Last-SAM-Email
  2. From the Attribute store dropdown, select Active Directory.

At a minimum, add the following four LDAP attributes to the outgoing claim type mappings; other attributes can be added as needed.

LDAP Attribute      Outgoing Claim Type
Given-Name          Given Name
Surname             Surname
SAM-Account-Name    Subject Name
E-Mail-Addresses    E-Mail Address

  3. Click Finish.

Rule 3: User Group

The third rule will send a group name if the user is a member of a named group. For KACE Cloud MDM, this would allow the admin to automatically assign users to either the 'Device User' or 'Device Admin' roles if they belong to the specified group.

  1. Click Add Rule.
  2. From the Claim rule template dropdown, select Send Group Membership as a Claim.
  3. Click Next.

Use the following information to Configure Claim Rule:

  1. Enter a Claim rule name. Example: DeviceAdmins Group
  2. Browse to locate the User’s group. Example: CORP\DeviceAdmins
  3. For Outgoing claim type, select Group.
  4. For Outgoing claim value, enter the name of the group. Example: DeviceAdmins
    • The value will be sent to KACE Cloud MDM for users with this group.
  5. Click Finish.
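To see how the three rules above line up with the KACE Cloud MDM settings from Steps 2 to 4, here is an added Python example (not KACE Cloud MDM or ADFS code) that consumes an assertion of the shape those rules produce: it checks that the NameID uses the WindowsDomainQualifiedName format from Rule 1, that the Rule 2 claims named in Step 3 are present, applies the Step 3 attribute mappings, and assigns Device Admin when the Rule 3 Group claim carries the value entered in Step 4 (DeviceAdmins), otherwise the automatic Device User role. The assertion is built by the script itself and is unsigned, so it is a constructed sample rather than a real ADFS response; the helper names and the internal field names (email, first_name, last_name, windows_account) are this example's own, while the claim URIs are the ones on this page.

```python
"""Added example: apply the Step 3 attribute mappings and the Step 4 role
rule to the claims that Rules 1 to 3 in Step 6 issue.  Not KACE Cloud MDM
or ADFS code; the assertion is constructed here for offline use."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Claim URIs exactly as entered in Step 3 (attributes) and Step 4 (group).
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
# NameID Policy Format chosen in Step 2; Rule 1 in Step 6 emits it.
WINDOWS_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
# One Step 4 group mapping: (Description, Attribute Name, Attribute Value).
# "DeviceAdmins" is the outgoing claim value from Rule 3.
DEVICE_ADMIN_MAPPINGS = [("DeviceAdmins group", GROUP_CLAIM, "DeviceAdmins")]


def build_assertion(name_id, given, sur, email, groups=()):
    """Constructed sample: a minimal, unsigned assertion carrying the claims
    Rules 1 to 3 issue.  A real ADFS assertion is signed and larger."""
    pairs = [
        ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", given),
        ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", sur),
        ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", email),
    ] + [(GROUP_CLAIM, g) for g in groups]
    attr_xml = "".join(
        f'<saml:Attribute Name="{uri}"><saml:AttributeValue>{val}'
        "</saml:AttributeValue></saml:Attribute>"
        for uri, val in pairs
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>http://fs.domain.name/adfs/services/trust</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{WINDOWS_NAMEID}">{name_id}'
        "</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    ).encode()


def parse_assertion(xml_bytes):
    """Pull the NameID (value and Format) and every Attribute into a dict."""
    root = ET.fromstring(xml_bytes)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def check_assertion(parsed):
    """Return the configuration problems this assertion reveals (run before
    map_user, which expects every Step 3 claim to be present)."""
    problems = []
    if parsed["name_id_format"] != WINDOWS_NAMEID:
        problems.append("NameID format is not WindowsDomainQualifiedName; check Rule 1")
    for uri in ATTRIBUTE_MAP:
        if not parsed["attributes"].get(uri):
            problems.append(f"missing claim {uri}; check Rule 2")
    return problems


def map_user(parsed):
    """Apply the Step 3 User Attribute Mappings (first value of each claim)."""
    user = {kace: parsed["attributes"][uri][0] for uri, kace in ATTRIBUTE_MAP.items()}
    user["windows_account"] = parsed["name_id"]  # DOMAIN\\sAMAccountName from Rule 1
    return user


def assign_role(parsed):
    """Step 4: Device Admin when a mapping's attribute value is present in
    the named claim, otherwise the automatic Device User role."""
    for _description, attr_name, attr_value in DEVICE_ADMIN_MAPPINGS:
        if attr_value in parsed["attributes"].get(attr_name, []):
            return "Device Admin"
    return "Device User"


if __name__ == "__main__":
    sample = parse_assertion(
        build_assertion(r"CORP\jdoe", "Jane", "Doe", "jdoe@domain.name", ["DeviceAdmins"]))
    print(check_assertion(sample) or "claims match Steps 2 to 4")
    print(map_user(sample), assign_role(sample))
```

In a real flow the signature on the response is verified first (that is what the 'Validate signatures of identity provider requests/responses' box in Step 2 turns on); this example starts after that point and only shows how the claim names and the Group value decide what KACE Cloud MDM sees. A user whose assertion carries no Group claim, or a Group value other than the one entered in Step 4, lands in the Device User role.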


Step 7. Enable and test single sign-on.

After completing Steps 1 through 6, you can enable and test single sign-on.

In KACE Cloud MDM:

  • Check Enable single sign-on at the top of SSO Wizard page, then click Save Settings.

Warning: Before checking 'Immediately redirect to identity provider', test that the single sign-on set-up works.

  1. Open a new incognito window or private browser to ensure login data is clear.
  2. Go to the KACE Cloud portal but do not log in.
  3. Follow the Single Sign-On workflow using the customizable button.
  4. You will be directed to a KACE Cloud Microsoft login page. Log in using your identity provider credentials.

Single sign-on has been successfully set up if you are taken directly to the Users landing page in KACE Cloud MDM.

Once the setup of single sign-on has been successfully tested, users can be redirected to the identity provider's login screen.