Integration

Integrating Keyless with Active Directory Federation Services

This guide details the steps required to configure Keyless for your AD FS instance.

This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (AD FS) 2016 or 2019. For more information on installing AD FS, please see the AD FS 2016 Deployment Guide

Step 1: Create Relying Party Trust

Log in to your AD FS Management portal from your Server Manager by clicking "Tools" from the top navigation bar and selecting "AD FS Management
Once you are in the AD FS Management Portal, right click on “Relying Party Trust” and select “Add Relying Party Trust…” from the right-pane menu, as shown in the image below.
This will open a 5-step wizard. In the first step of the wizard, select the default value of “Claims Aware” and click “Start”.
In the following screen, import data about the relying party published online. Enter your metadata URL which was provided during the provisioning of your account. For this example we are using https://contoso-poc-registration.keyless.technology/metadata/ where <contoso-poc> represents the handle used to identify your instance.
After inserting the URL, click “Next”.
You may now optionally change the Display name for the relying party, and add an optional note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click “Next” once done.
In the next step, you will be required to define the access control policy, this will configure which user and groups will be able to register and use Keyless. After selecting the proper users and groups, click “Next”.
Define the Keyless access policy for your organization.
Review the parameters configured and click "Next" when ready.
In the last step, leave the checkbox checked. When done, click “Close” and finish the process of adding the Relying Party Trust.

Step 2: Configure Claim Issuance Policy

After completing Step 1 above, you should be able to see the new relying party trust you’ve just created under the “Relying Party Trusts” folder in your AD FS Management Portal.

Right-click on the relying party trust you’ve just added, and select “Edit Claim Issuance Policy” from the menu.
In this step you will define the rules that will transform the claims sent to the Keyless relying party.
Add Rule 1: Send UPN as Email Address, in the bottom part of the dialog:
- Rule Type: “Send LDAP Attributes as Claims”
- Rule Name: “Send UPN as email address”
- LDAP Attribute: User-Principal-Name
- Outgoing Attribute: E-mail Address
- After clicking "Finish" you should see the following rule:
Add Rule 2: Send UPN as NameID, in the bottom part of the dialog:
- Rule Type: “Send LDAP Attributes as Claims”
- Rule Name: “Send UPN as NameID”
- LDAP Attribute: User-Principal-Name
- Outgoing Attribute: Name ID
- Define the mapping between the UPN and the Name ID
After adding these two rules, you should see the following list of rules in the “Issuance Transform Rules” dialog.
Click "Apply" and "OK" to save your changes.

Congratulations, you have successfully integrated Keyless with your AD FS instance! 😎

Optionally, configure Keyless as an MFA method for your AD FS connected applications.

Last updated 4 months ago

Was this helpful?

Step 1: Create Relying Party Trust

Log in to your AD FS Management portal from your Server Manager by clicking "Tools" from the top navigation bar and selecting "AD FS Management

Once you are in the AD FS Management Portal, right click on “Relying Party Trust” and select “Add Relying Party Trust…” from the right-pane menu, as shown in the image below.

This will open a 5-step wizard. In the first step of the wizard, select the default value of “Claims Aware” and click “Start”.

In the following screen, import data about the relying party published online. Enter your metadata URL which was provided during the provisioning of your account. For this example we are using https://contoso-poc-registration.keyless.technology/metadata/ where <contoso-poc> represents the handle used to identify your instance.

After inserting the URL, click “Next”.

You may now optionally change the Display name for the relying party, and add an optional note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click “Next” once done.

In the next step, you will be required to define the access control policy, this will configure which user and groups will be able to register and use Keyless. After selecting the proper users and groups, click “Next”.

Define the Keyless access policy for your organization.

Review the parameters configured and click "Next" when ready.

In the last step, leave the checkbox checked. When done, click “Close” and finish the process of adding the Relying Party Trust.

Step 2: Configure Claim Issuance Policy

After completing Step 1 above, you should be able to see the new relying party trust you’ve just created under the “Relying Party Trusts” folder in your AD FS Management Portal.

Right-click on the relying party trust you’ve just added, and select “Edit Claim Issuance Policy” from the menu.

In this step you will define the rules that will transform the claims sent to the Keyless relying party.

Add Rule 1: Send UPN as Email Address, in the bottom part of the dialog:

Rule Type: “Send LDAP Attributes as Claims”
Rule Name: “Send UPN as email address”
LDAP Attribute: User-Principal-Name
Outgoing Attribute: E-mail Address
After clicking "Finish" you should see the following rule:

Add Rule 2: Send UPN as NameID, in the bottom part of the dialog:

Rule Type: “Send LDAP Attributes as Claims”
Rule Name: “Send UPN as NameID”
LDAP Attribute: User-Principal-Name
Outgoing Attribute: Name ID
Define the mapping between the UPN and the Name ID

After adding these two rules, you should see the following list of rules in the “Issuance Transform Rules” dialog.

Click "Apply" and "OK" to save your changes.

Congratulations, you have successfully integrated Keyless with your AD FS instance! 😎