Configure ADFS 2.0 for SSO Integration

Article ID: 287398

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to configure ADFS 2.0 for SSO Integration

Environment

  • EDR (formerly CB Response) Server: All Supported Versions
  • Active Directory: ADFS 2.0

Resolution

  1. Access the ADFS Management Tool.
  2. Create a new relying party trust:
     • Import data about the relying party from the cb-metadata.xml file generated earlier in the SSO setup process (see below).
     • Ensure that the Display Name from cb-metadata.xml matches the "sp": "name" value in /etc/cb/sso/sso.conf.
  3. Edit the claim rules to create rules for EDR:
     • Ensure that the value in NameID matches the EDR login name. (The EDR server depends on this.)
     • The EDR server uses the transient NameID policy, so be sure that the claim rules comply with this policy.

Example:

     a. Right-click the relying party trust created above and select Edit Claim Rules.
     b. Add a new rule that uses the Active Directory SAM-Account-Name as the Common Name.
     c. Click OK.
     d. Right-click the relying party trust again and select Edit Claim Rules.
     e. Add a new rule that translates Common Name to the NameID transient format.
     f. Click OK.
  4. Above the SAM-Account-Name and NameID claim rules, add these additional claim rules:
     a. Add a given_name rule as follows:
     b. Add a last_name rule as follows:
     c. Add an email rule as follows:
     d. Add a role rule as follows. This rule can contain any mapping needed for groups in Active Directory. Validate that the changes are reflected in the attr_map.py file.
  5. Change the default Secure hash algorithm to SHA-1 as follows:
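The same relying party trust, claim rules and hash algorithm setting can be applied from the ADFS 2.0 PowerShell snap-in instead of the management console. The script below is an added example, not part of the original article or of the Carbon Black product; it assumes the ADFS 2.0 snap-in (Microsoft.Adfs.PowerShell), a local copy of cb-metadata.xml, and that the outgoing claim type URIs chosen here (givenname, surname, emailaddress, role) are the ones your attr_map.py maps; the group SID in the role rule is a placeholder. Rules are evaluated in the order listed, which is why the given_name, last_name, email and role rules precede the SAM-Account-Name and NameID rules. SHA-256 is the ADFS default and the stronger choice; SHA-1 is set here only because the step above calls for it.

```powershell
# Added example (not from the original article): EDR relying party trust in ADFS 2.0.
# Assumptions: ADFS 2.0 snap-in installed, cb-metadata.xml copied locally, and the
# outgoing claim type URIs below match the attributes attr_map.py expects.
param(
    [string]$MetadataFile  = 'C:\temp\cb-metadata.xml',   # generated by the EDR SSO setup
    [string]$DisplayName   = 'EDR',                       # must equal "sp": "name" in /etc/cb/sso/sso.conf
    [string]$AdminGroupSid = 'S-1-5-21-PLACEHOLDER-512'   # placeholder: SID of the AD group mapped to an EDR role
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Step 2: create the relying party trust from the SP metadata, using the
# sso.conf name as the display name so the two cannot drift apart.
if (-not (Get-ADFSRelyingPartyTrust -Name $DisplayName)) {
    Add-ADFSRelyingPartyTrust -Name $DisplayName -MetadataFile $MetadataFile
}

# Steps 3 and 4: issuance transform rules in the order the article requires.
$transformRules = @'
@RuleName = "given_name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";givenName;{0}", param = c.Value);

@RuleName = "last_name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";sn;{0}", param = c.Value);

@RuleName = "email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "ADMIN_GROUP_SID", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Administrators", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "SAM-Account-Name as Common Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/CommonName"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Common Name as transient NameID"
c:[Type == "http://schemas.xmlsoap.org/claims/CommonName"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@
$transformRules = $transformRules -replace 'ADMIN_GROUP_SID', $AdminGroupSid

# Without an issuance authorization rule ADFS refuses to issue tokens for the trust.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 5: the article requires SHA-1 as the secure hash algorithm for this trust.
Set-ADFSRelyingPartyTrust -TargetName $DisplayName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Read back the settings the EDR server depends on (display name, hash algorithm, rule order).
$rp = Get-ADFSRelyingPartyTrust -Name $DisplayName
"Display name : $($rp.Name)"
"Signature alg: $($rp.SignatureAlgorithm)"
"Rules        :`n$($rp.IssuanceTransformRules)"
```

Run it in an elevated PowerShell session on the ADFS server after copying cb-metadata.xml across; compare the printed display name against the "sp": "name" value in /etc/cb/sso/sso.conf and the printed rules against the attribute names in attr_map.py before testing a login.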

Next, add a special filter in IIS to allow logout requests to go through.

To add an IIS filter for ADFS logout:

  1. Open IIS Manager.
  2. In the left pane, locate the adfs/ls directory.
  3. In the right pane, select Request Filtering.
  4. Select the Query Strings tab.
  5. Select the Allow Query String action.
  6. Add a new query string called SAMLRequest.
  7. Select the Edit Feature Settings action.
  8. Change Maximum query string (Bytes) to 4096.
  9. Restart the ADFS/LS IIS web pages to implement these changes.
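The IIS changes above can be scripted with the WebAdministration module, which is useful when the same filter has to be applied on every ADFS server in a farm. This is an added example, not part of the original article; it assumes the ADFS 2.0 application lives under Default Web Site (the ADFS 2.0 default) and IIS 7.5 or later, where Request Filtering exposes the Allow Query String list as the alwaysAllowedQueryStrings collection.

```powershell
# Added example (not from the original article): request-filtering changes for /adfs/ls.
# Assumptions: ADFS 2.0 installed under Default Web Site, IIS 7.5 or later.
param(
    [string]$AppPath             = 'IIS:\Sites\Default Web Site\adfs\ls',
    [string]$QueryString         = 'SAMLRequest',
    [int]   $MaxQueryStringBytes = 4096
)

Import-Module WebAdministration
$rf = 'system.webServer/security/requestFiltering'

# Steps 3-6: put SAMLRequest on the Allow Query String list (skipped if already present).
$allowed = Get-WebConfigurationProperty -PSPath $AppPath -Filter "$rf/alwaysAllowedQueryStrings" -Name 'Collection'
if (-not ($allowed | Where-Object { $_.queryString -eq $QueryString })) {
    Add-WebConfigurationProperty -PSPath $AppPath -Filter "$rf/alwaysAllowedQueryStrings" `
        -Name '.' -Value @{ queryString = $QueryString }
}

# Steps 7-8: raise the maximum query string length. SAML redirect-binding requests carry
# deflated, base64-encoded XML in the query string and are rejected with 404.15
# ("Query string too long") when they exceed the default limit.
Set-WebConfigurationProperty -PSPath $AppPath -Filter "$rf/requestLimits" `
    -Name 'maxQueryString' -Value $MaxQueryStringBytes

# Step 9: restart IIS so the new settings are picked up.
& iisreset

# Verify what is now in effect for the application.
$limit = (Get-WebConfigurationProperty -PSPath $AppPath -Filter "$rf/requestLimits" -Name 'maxQueryString').Value
"maxQueryString for ${AppPath}: $limit"
Get-WebConfigurationProperty -PSPath $AppPath -Filter "$rf/alwaysAllowedQueryStrings" -Name 'Collection' |
    Select-Object queryString
```

Run it elevated on the ADFS server; the final two commands should print 4096 and a collection entry for SAMLRequest, which is the same state the IIS Manager steps produce.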