Integration
      Back to home
      1. Knowledge Base
      2. Installation and System Setup
      3. Integration

      OvalEdge_ADFS Configuration

      Active Directory Federation Service (ADFS) enables Federated Identity and Access Management by securely sharing digital identity and entitlement rights across security and enterprise boundaries. ADFS extends the ability to use single sign-on functionality available within a single security or enterprise boundary to Internet-facing applications to enable customers, partners, and suppliers a streamlined user experience while accessing the web-based applications of an organization.

      This document contains a list of all the documentation overviews for ADFS for Windows Server.

      Prerequisites

      • Active Directory Federation Services (ADFS) is set up.
      • Access to the Windows server with administrative privileges.

      Configuring DSFS in Windows

      This document provides a step-by-step guide for configuring Directory Service and Federation Service (DSFS) in a Windows environment.

      Once the ADFS setup is done, start configuring the Directory Service and Federation Service on the Windows server.

      Configuring Directory Service (DS) in Windows

      Create Domain Users

      1. On the Windows server, open Active Directory Users and Computers.
      2. Navigate to your domain.
      3. Click User as shown below.
      4. Enter the required user details.

      5. Add an email address for the domain user.
      6. Click Apply, then OK.
      7. Organize users into groups as needed.

      Configuring Federation Service (FS)

      Access ADFS Management

      1. Open Administrative Tools from the Start menu.
      2. Click ADFS Management.

      Download Federation Metadata

      1. Go to Service > Endpoints.
      2. Locate the metadata endpoint.
      3. Append the path with HTTPS and the ADFS server's hostname/IP.
        Example URL: https://<ADFS-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml
      4. Download the FederationMetadata.xml file.

      Import Signing Certificate

      1. Obtain the signing certificate file (ADFScert.cer).
      2. Run the following command to import the certificate into the Tomcat SAML keystore:

      keytool -importcert -trustcacerts -alias "adfs" -keystore "C:\path\to\cacerts" -file <path to file path\adfs_onprem.cer

      Configure Oasis Properties

      1. Open the oasis.properties file located in:
        /home/<client>/path/to/extprop/oasis.properties
      2. Set the value for samlHTTPMetadataProvider.
      3. Specify the entityBaseURL as the application deployment path.
      4. Save the file.

      Setting Security Type (Windows & Linux)

      Windows Configuration

      1. Open tomcat9w.exe.
      2. Go to Java Options.
      3. Add the following parameter:
        -DOVALEDGE_SECURITY_TYPE=saml

      Linux Configuration

      1. Edit the setenv.sh file is located at:
        /home/<username>/tomcat_homepath/bin/setenv.sh
      2. Add the following line:
        export CATALINA_OPTS="-DOVALEDGE_SECURITY_TYPE=saml"
      3. Save and grant execute permission.
      4. Restart Tomcat.

      Configuring Relying Party Trust (ADFS)

      Add SAML Metadata

      1. Go to Relying Party Trust in ADFS.
      2. Click Start.
      3. Add the SAML Metadata for the OvalEdge.
        SAML Metadata URL can be downloaded through the application URL, followed by /saml/metadata path.
        https:///saml/metadata
      4. Import this into the Relying Party Trust, and click on Next.
      5. Specify Display Name, and click Next.
      6. Choose the Access Control Policy, and click Next.
      7. Click Next and finish the wizard.

      8. Double-click on the added Relying Party Trust.
      9. Select the Advanced tab, change the Secure Hash Algorithm to SHA1 from SHA256, and click Apply and OK.
      10. Select the Configured Party Trust, and Click on Edit Claim Issuance Policy.
      11. Add the Rule.
      12. Let the Claim Rule Template be sent to the LDAP Attribute as Claims, and click on Next.
      13. Specify the Claim Rule Name, and select Active Directory as the Attribute Store.
        Add the Attributes as given in the image below and click on Finish.
      14. Alternate way, if the SAML-Account-Name is not available.
      15. Click on Apply and OK.

      Initial Login and Setup Instructions

      1. Now, we are all set to use the application configured with ADFS. Go to the Browser and Hit the Application Web URL.
      2. At least one user needs to be OE_ADMIN (Admin role)., It must be updated through the Database. The OvalEdge team will take care of it.
      3. Log in with Domain Admin User Credentials.


        Note:
        If you encounter an error stating "no assertions found in the response," you can resolve it using the following steps:
        1. Open PowerShell on the ADFS server.
        2. Run the following command:
          Set-ADFSRelyingPartyTrust -TargetName <targetName> -SamlResponseSignature "MessageAndAssertion"
        3. <targetName> refers to the Display Name of the Relying Party Trust in ADFS.
        4. For example, if the Relying Party Trust name is "ovaledge," use that as the target name.

               After resolving this issue, log in to the application.