How to configure Symantec Mobility Suite with ADFS SAML provider

Article ID: 181472

Products

Symantec Products

Resolution

Symantec Mobility Suite can be configured to use Active Directory Federation Services (ADFS) as a SAML external identity provider (IDP). The following instructions outline how to configure ADFS as a SAML IDP.

Prerequisite:  The End-User Portal should be enabled in Mobility Suite. First, enable the Enhanced Store in the Admin console, access:  Settings > Mobility Manager configuration > Enhanced Store. Second, access:  Settings > Mobility Manager configuration > End-User Portal, and enable:  Users can browse apps in a web browser on their computer
  

  1. Install and configure ADFS 2.0 on a Windows server, accessible by the Mobility server. Ensure IIS is properly configured for SSL:
      
    http://www.microsoft.com/en-us/download/details.aspx?id=10909 
     
  2. Configure ADFS for Forms Based Authentication (FBA):
     
    http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx
     
  3. Once ADFS is set up and accessible via SSL from the Mobility server, in the Mobility Admin console access:  Settings > External IDP > Server Configuration
      
  4. For the Type field, select:  SAML; for Name, enter an appropriate name; for both the SP Partner ID and SP Entity ID fields, enter the Mobility server's / tenant's full URL  (e.g.  https://appcenter.company.com)
      
  5. Select Download SP Metadata File, which downloads an XML file to be imported into ADFS. Make this file accessible by the ADFS server
      
  6. On the ADFS server, open the AD FS 2.0 Management console
      
  7. Access:  AD FS 2.0 > Trust Relationships > Relying Party Trusts, and select:  Add Relying Party Trust...
      
  8. Under Select Data Source, choose:  Import data about a relying party from a file, and browse to the SP metadata XML file downloaded from Mobility Suite, then Next >
      
  9. Under Specify Display Name, for the Display name field, enter the FQDN of the Mobility server / tenant  (e.g.  appcenter.company.com), then Next >
      
  10. Under Choose Issuance Authorization Rules, choose:  Permit all users to access this relying party, then Next >
      
  11. Under Ready to Add Trust, choose Next >
      
  12. Under Finish, leave Open the Edit Claim Rules... checkbox enabled, then Close
      
  13. In the Edit Claim Rules dialogue-box, under Issuance Transform Rules, select Add Rule...
      
  14. Under Choose Rule Type, for Claim rule template, choose:  Send LDAP Attributes as Claims, then Next >
      
  15. Under Configure Claim Rule, for Claim rule name, enter:  LDAP attribute mappings (or similar), for Attribute store, choose:  Active Directory, and add the following 4 attribute mappings, then Finish:

    E-Mail-Addresses  >  E-Mail Address
    Given-Name  >  Given Name
    Surname  >  Surname
    Token-Groups - Qualified by Domain Name  >  Group
     
  16. Add another claim rule by choosing:   Add Rule..., under Choose Rule Type, for Claim rule template, choose:  Send Claims Using a Custom Rule, then Next >
      
  17. Under Configure Claim Rule, for Claim rule name, enter:  TransientName, for Custom rule, enter the following text, then Finish:

    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] &&
    c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
    => add(
        store = "_OpaqueIdStore",
        types = ("http://mycompany/internal/sessionid"),
        query = "{0};{1};{2};{3};{4}",
        param = "useEntropy",
        param = c1.Value,
        param = c1.OriginalIssuer,
        param = "",
        param = c2.Value);

  18. Add a third and final claim rule: under Choose Rule Type, for Claim rule template, choose:  Transform an Incoming Claim, then Next >
      
  19. Under Configure Claim Rule, for Claim rule name, enter:  TransientNameID, for Incoming claim type, choose:  Windows account name, for Outgoing claim type, choose:  Name ID, for Outgoing name ID format, choose:  Transient Identifier, choose Pass through all claim values, Finish, then OK to close the Edit Claim Rules... window
      
  20. Download the federation metadata XML file by accessing the following URL  (replacing [ADFS server name] with the actual name of the ADFS server):  
     
    https://[ADFS server name]/federationmetadata/2007-06/federationmetadata.xml
      
  21. Return to the Mobility admin console, access:  Settings > External IDP > Configure IDP; under Server Configuration, for IDP Metadata, choose Upload IDP Metadata and select the federation metadata XML file from above, then Save
      
  22. Map the attributes as follows (for example), then Save:
      
    Username Attribute  >  (either:  .../emailaddress  or  .../windowsaccountname)
    First Name Attribute  >  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Last Name Attribute  >  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Email Attribute  >  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Group Attribute  >  http://schemas.xmlsoap.org/claims/Group
      
  23. Access:  Settings > External IDP > Group Mappings, and add a Group Mapping for each Mobility group  (i.e.  a corresponding Security Group in Active Directory), then Save
      
    Note:  The Group Search Criteria accepts the following format:  [domain]\[group_name]
      

    Note:  Group Mapping with SAML is only supported in App Center / Mobility Suite version 4.1.8 and greater
      
  24. Access:  Settings > External IDP, and choose:  Enable IDP
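The following script is an added example and is not Symantec's or Microsoft's code. It covers two of the steps above offline: it parses a federation metadata file of the kind uploaded under Configure IDP and records what the Mobility server will trust from it (entityID, SSO endpoint, signing certificate fingerprint), and it applies the attribute mapping and the [domain]\[group_name] group mapping from the steps above to a SAML assertion carrying the claims the ADFS rules emit. The hostname adfs.company.example, the user and group values, the base64 "certificate" (not a real X.509 certificate) and the function names inspect_idp_metadata and map_assertion are all constructed for this example.

```python
"""Offline checks for an ADFS -> Mobility Suite SAML setup (added example).

Checks what an uploaded IdP metadata file makes the SP trust, then applies
the attribute and group mappings to a sample assertion. All XML below is
constructed: hostnames are placeholders and the "certificate" is not real.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Claim URIs as mapped in the Mobility console (username mapped to e-mail here).
CLAIMS = {
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed stand-in for federationmetadata.xml (placeholder certificate bytes).
FAKE_CERT_DER = b"placeholder-not-a-real-certificate"
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.company.example/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.company.example/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion carrying the claims the ADFS claim rules emit.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>http://adfs.company.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_opaque-session-id</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jdoe@company.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>COMPANY\\Mobility Users</saml:AttributeValue>
      <saml:AttributeValue>COMPANY\\Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def inspect_idp_metadata(xml_text):
    """Record what an uploaded IdP metadata file would make the SP trust."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    endpoints = [(s.get("Binding"), s.get("Location"))
                 for s in idp.findall("md:SingleSignOnService", NS)]
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means both
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                fingerprints.append(hashlib.sha256(der).hexdigest())
    problems = []
    if not fingerprints:
        problems.append("no signing certificate: assertion signatures cannot be checked")
    problems += [f"non-HTTPS SSO endpoint: {loc}" for _, loc in endpoints
                 if not loc.lower().startswith("https://")]
    return {"entity_id": root.get("entityID"), "sso_endpoints": endpoints,
            "signing_sha256": fingerprints, "problems": problems}


def map_assertion(xml_text, group_mappings, expected_issuer):
    """Apply the attribute and group mappings to one assertion.

    group_mappings: {"[domain]\\[group_name]": "<Mobility group>"}, the Group
    Search Criteria format, matched case-insensitively against Token-Groups.
    """
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    user = {field: (attrs.get(uri) or [None])[0] for field, uri in CLAIMS.items()}
    wanted = {k.lower(): v for k, v in group_mappings.items()}
    user["groups"] = sorted({wanted[g.lower()] for g in attrs.get(GROUP_CLAIM, [])
                             if g.lower() in wanted})
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("issuer does not match the uploaded IdP metadata entityID")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        problems.append("NameID is not a transient identifier")
    missing = [f for f, v in user.items() if f != "groups" and not v]
    if missing:
        problems.append("missing attributes: " + ", ".join(missing))
    user["problems"] = problems
    return user


if __name__ == "__main__":
    meta = inspect_idp_metadata(IDP_METADATA)
    print(meta)
    print(map_assertion(SAMPLE_ASSERTION,
                        {"COMPANY\\Mobility Users": "Mobility Users"}, meta["entity_id"]))
```

Run it against a real federationmetadata.xml by reading the file into inspect_idp_metadata instead of IDP_METADATA: the entityID it reports is what the Issuer of every assertion must match, and the signing fingerprint is worth recording so that a later metadata re-upload that silently changes the certificate is noticed. A group claim that matches no mapping is simply dropped, which is the behaviour to expect when a Group Mapping's domain or group name is misspelled.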

 

The Mobility server / tenant will now use ADFS for SAML authentication, for both console and Work Hub Agent access

Note:  To bypass SAML authentication and log into the console as a local administrator account, access the console via the following URL:  
 
https://[Mobility server FQDN]/admin/login