
Integrating with Microsoft ADFS


## Introduction

Integrating Microsoft Active Directory Federation Services (ADFS) is straightforward. In addition to configuring your Super Admin account on Frame, you will need your organization's assistance in adding Relying Party Trust information to your ADFS configuration.

There are several pieces of information we are going to cut and paste between Frame and ADFS.

+ The Frame **Custom Authentication Name**. This is a name you pick when you create the custom authentication (see below).
+ The names of the Frame accounts you want users to access.
+ The ADFS **Federation Metadata Document URL**. This is a URL where ADFS keeps the SAML Metadata for your account.

Following the steps below, you can find these values and copy them from ADFS to Frame and from Frame to ADFS. You should read this guide all the way through before beginning, so that you can gather the necessary info for each step ahead of time. Once you have the required info, this integration should take less than fifteen minutes. The screenshots below will help guide you. You can click on each screenshot for a larger image in order to view the text more easily.

## Pre-requisites

First, make sure that you have a Platform Ultimate account (sometimes called a *Super Admin* account) with Custom Authentication enabled. When this is enabled, you should see the *Custom Authentications* section in the Account menu for your Platform Ultimate account. If it is not enabled or if you aren't sure, contact your Frame Account Manager and ask about Custom Authentication.

## Step 1: Create The Custom Authentication

You will find the Custom Authentications option under the Account Menu for your Platform Ultimate account, as shown below.

![Frame_9.png](https://files.readme.io/c890115-Frame_9.png)

The section you want is near the bottom of the page. Click *Add New* under *Custom Authentications*.

![Frame_10.png](https://files.readme.io/37ae0fc-Frame_10.png)

Create a unique Custom Authentication name. The name should be something no one else would use. It should have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. It is also case sensitive: you will need to use this name exactly as it appears in later steps in this guide, and upper and lower case matter.

For the Entity ID, enter **https://img.mainframe2.com**.

Check *Signed SAML2 Assertion*. Leave the *Signed SAML2 Response* unchecked. If you wish to use Signed SAML2 Responses, please contact Frame Support or your Account Manager for further instructions.

If you have multiple accounts listed, you may select only the ones you wish to use this Custom Authentication method for.

Click *Add*.

![Frame_6.png](https://files.readme.io/11f40d4-Frame_6.png)

Once completed, you’ll notice that the *Status* is listed as *Missing metadata*. We will come back to this screen to resolve this status in a later step. Be sure to write down the *Name* of your new Custom Authentication, because we will use it to configure ADFS later on.

![Frame_5.png](https://files.readme.io/f29aafb-Frame_5.png)

## Step 2: Add the Relying Party Trust and Claims Rules to ADFS

Now let's perform some setup tasks in your Microsoft ADFS environment to integrate with your new Custom Authentication setup on Frame. The instructions below were created on Microsoft Windows Server 2016 running ADFS, but should also work well for a Windows Server 2012 R2 infrastructure. You will need to ensure that your ADFS infrastructure is using a valid SSL certificate that can be verified.

First, we need to add a new Relying Party Trust.

![ADFS1_OH_26.png](https://files.readme.io/1edeffc-ADFS1_OH_26.png)

Let's walk through the Add Relying Party Trust Wizard. On the *Welcome* screen, select *Claims aware*, then click *Start*.

![ADFS1_OH_33.png](https://files.readme.io/62d447b-ADFS1_OH_33.png)

Select *Import data about the relying party published online or on a local network*.

Enter the *Custom auth name* you created above in the following format:

https://img.mainframe2.com/saml2/metadata/[CUSTOM_AUTHENTICATION_NAME]/

In this example that would be:

https://img.mainframe2.com/saml2/metadata/FEPTSERV/

Remember that this URL is case sensitive.

Ensure there are no errors when clicking *Next*.

![ADFS1_OH_8.png](https://files.readme.io/894ab79-ADFS1_OH_8.png)

Enter a *Display name* on the next screen and click *Next*.

![ADFS1_OH_23.png](https://files.readme.io/ace6eab-ADFS1_OH_23.png)

Now choose which Access Control Policy is appropriate for your organization. For example, to ensure that Frame works for all users in your organization, regardless of their location on your network or the internet, you should choose *Permit everyone*. Frame recommends starting with *Permit Everyone* and testing authentication with your new Custom Authentication integration, so that you will know if your configuration works successfully, before moving to a more restrictive Access Control Policy.

![ADFS1_OH_22.png](https://files.readme.io/77d5113-ADFS1_OH_22.png)

Now review the details in the various tabs of the summary portion of the wizard titled *Ready to Add Trust*.
Click *Next* when ready to finalize your Relying Party Trust configuration.

![ADFS1_OH_7.png](https://files.readme.io/7bfacc2-ADFS1_OH_7.png)

The *Finish* screen shows that you have added the Relying Party Trust successfully. Leave the checkbox checked for *Configure claims issuance policy for this application*, so that we can easily proceed to the next steps.

![ADFS1_OH_20.png](https://files.readme.io/3897d2e-ADFS1_OH_20.png)

The *Edit Claims* window will appear. If you don't see it, it may be hidden behind other windows on your screen. Click *Add Rule...*.

![ADFS1_OH_19.png](https://files.readme.io/cdd6afc-ADFS1_OH_19.png)

On the *Choose Rule Type* screen, select *Send LDAP Attributes as Claims*, then click *Next*.

![ADFS1_OH_18.png](https://files.readme.io/735fd70-ADFS1_OH_18.png)

Enter a *Claim rule name*. We'll now map three LDAP attributes to outgoing claim types as follows. Click *Finish* once completed.

| LDAP Attribute | Outgoing Claim Type |
| --- | --- |
| User-Principal-Name | mail |
| Surname | sn |
| Given-Name | givenName |

![ADFS1_OH_15.png](https://files.readme.io/81e7bee-ADFS1_OH_15.png)

You'll see your new Rule added to the *Issuance Transform Rules* screen. We're going to add one more Rule, so click *Add Rule* again.

![ADFS1_OH_14.png](https://files.readme.io/d883bf5-ADFS1_OH_14.png)

Select *Transform an Incoming Claim* for this *Claim rule template*.

![ADFS1_OH_13.png](https://files.readme.io/864c460-ADFS1_OH_13.png)

On the *Configure Claim Rule* screen, enter a *Claim rule name* and enter the following info.

| Field | Value |
| --- | --- |
| Incoming claim type | mail |
| Outgoing claim type | Name ID |
| Outgoing name ID format | Persistent Identifier |

Select *Pass through all claim values*, then click *Finish*.

![ADFS1_OH_12.png](https://files.readme.io/5e0c489-ADFS1_OH_12.png)

We're finished with editing Claim Issuance Policies. You'll see both of your Rules listed. Click *OK* to complete your ADFS configuration.

![ADFS1_OH_11.png](https://files.readme.io/b8d9cee-ADFS1_OH_11.png)

## Step 3: Complete the Custom Authentication Configuration on Frame

Go back to your Custom Authentications page in your Super Admin account and click *Edit* on the new Custom Authentication you created in Step 1 above.

![Frame_4.png](https://files.readme.io/3411dcb-Frame_4.png)

We'll add one piece of info and then click *Save Changes*. In the *Customer metadata URL* field, enter your ADFS Federation Metadata URL, which is your FQDN (hostname) plus a trailing location based on your ADFS infrastructure and web server configuration (see example below). Some organizations use multiple ADFS servers distributed geographically and have advanced networking to route network traffic correctly. Contact your ADFS and networking teams for the correct information.

Microsoft ADFS uses a default Federation Metadata URL of:

https://[ADFS FQDN]/FederationMetadata/2007-06/FederationMetadata.xml

An example URL might be:

https://adfs1.example.com/FederationMetadata/2007-06/FederationMetadata.xml

This configuration field is case-sensitive.

You should leave the other settings you configured previously the same. Click *Save Changes*.

![Frame_7_copy.png](https://files.readme.io/3f0f54e-Frame_7_copy.png)

You will now see your Custom Authentication listed as *Active*. You can exit the *Account Settings* screen and we'll proceed to testing.

![Frame_2.png](https://files.readme.io/f8aaabe-Frame_2.png)

## Step 4: Testing

You can give the following URL to your domain users so they can log in with their domain credentials:

https://img.mainframe2.com/login/?account_type=FEPTSERV&return_url=https://[account URL]/custom_auth_return

The above URL is case sensitive.

In our example:

https://img.mainframe2.com/login/?account_type=FEPTSERV&return_url=https://fcn-aws-east.fra.me/custom_auth_return

Your users can log in with either format:

+ Domain\username
+ username@FQDN

![ADFS1_OH_Z_1.png](https://files.readme.io/7a0c3af-ADFS1_OH_Z_1.png)

If login is successful, you will be signed in to Frame automatically and redirected to the Launchpad.

![ADFS1_OH_Z2.png](https://files.readme.io/41b6767-ADFS1_OH_Z2.png)
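
When a test login fails, it helps to compare what ADFS actually issued against what Steps 1 and 2 configured. The following is an added example, not part of Frame's documentation or code: it inspects a base64 `SAMLResponse` value (as captured from the browser's POST) for a signed Assertion, a persistent Name ID equal to `mail`, and the three outgoing claims. The sample response is constructed, treating the Step 1 Entity ID as the expected audience is an assumption, and the check is structural only (it does not verify the signature cryptographically).

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = ("mail", "sn", "givenName")  # outgoing claim types from Step 2
ENTITY_ID = "https://img.mainframe2.com"      # Entity ID from Step 1 (assumed audience)


def check_saml_response(b64_response, audience=ENTITY_ID):
    """Return a list of mismatches; an empty list means the shape is as configured.

    Structural check only: the XML signature is NOT verified cryptographically.
    """
    raw = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ["DTD present; refusing to parse"]
    root = ET.fromstring(raw)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one Assertion, found %d" % len(assertions)]
    a = assertions[0]
    problems = []

    # "Signed SAML2 Assertion": the Signature must sit inside the Assertion
    # and its Reference must point at this Assertion's ID.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        problems.append("Assertion carries no Signature")
    elif ref.get("URI") != "#" + a.get("ID", ""):
        problems.append("Signature does not reference the Assertion ID")

    # Second claim rule: Name ID with the Persistent Identifier format.
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")

    # First claim rule: mail, sn and givenName must all be present and non-empty.
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "") if value is not None else ""
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("missing attribute: " + name)

    # "Pass through all claim values": Name ID must equal the mail claim.
    if name_id is not None and attrs.get("mail") and name_id.text != attrs["mail"]:
        problems.append("NameID differs from mail")

    audiences = [e.text for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append("audience mismatch")
    return problems


def constructed_response(signed=True, fmt=PERSISTENT, attrs=None):
    """Build a constructed (not captured) response for exercising the checker."""
    if attrs is None:
        attrs = {"mail": "jdoe@example.com", "sn": "Doe", "givenName": "Jane"}
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#_a1"/>'
           '</ds:SignedInfo></ds:Signature>' % NS["ds"]) if signed else ""
    attr_xml = "".join(
        '<Attribute Name="%s"><AttributeValue>%s</AttributeValue></Attribute>' % kv
        for kv in attrs.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
           '<Assertion xmlns="%s" ID="_a1">%s'
           '<Subject><NameID Format="%s">jdoe@example.com</NameID></Subject>'
           '<Conditions><AudienceRestriction><Audience>%s</Audience>'
           '</AudienceRestriction></Conditions>'
           '<AttributeStatement>%s</AttributeStatement></Assertion></samlp:Response>'
           % (NS["saml"], sig, fmt, ENTITY_ID, attr_xml))
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(constructed_response()) or "matches Steps 1 and 2")
```

A "NameID differs from mail" or "missing attribute" result points back at the two claim rules in Step 2; "Assertion carries no Signature" points at the signing options on either side.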