Set Up Microsoft ADFS for Censys SAML Authentication
Follow this guide to enable SSO with Microsoft Active Directory Federation Services (ADFS) as your Identity Provider for Censys authentication.
-
In the Server Manager, open the Tools menu and select the AD FS Management menu item.
-
In the Actions panel on the right-hand side, click Add Relying Party Trust and then click the Start button.
-
On the Select Data Source step, select "Enter data about the relying party manually" and click Next.
-
On the Specify Display Name step, enter Censys as the display name and click Next.
-
On the Choose Profile step, leave AD FS profile selected and click Next.
-
Leave the Configure Certificate step blank and click Next.
-
On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol.
Paste the Metadata URL from the SP Details section of your Censys team's authentication page into the text box under Relying party SAML 2.0 SSO service URL.
Click Next.
-
On the Configure Identifiers step, enter https://censys.io/ as the Relying party trust identifier and click Add, then Next.
-
On the Configure Multi-Factor Authentication step, choose the option that fits your organization’s security setup and best practices.
-
On the Choose Issuance Authorization Rules step, grant or deny blanket access to users as desired. Then click Next.
-
On the Ready page, check that the configuration details are correct and accord with your organization’s security best practices and click Next.
-
On the Finish page, leave the "Open the Edit Claim Rules" dialog checkbox selected and click Close.
-
In the new Edit Claim Rules for Censys window, on the "Issuance Transform Rules" tab, click Add Rule in order to map attributes in ADFS to claims that Censys expects.
-
On the Select Rule Template step, under the Claim rule template dropdown, leave "Send LDAP Attributes as Claims" selected and click on Next.
-
On the Configure Claim Rule step, enter Censys Attributes as the Claim rule name.
Select Active Directory from the dropdown menu under Attribute store.
In the mapping table, map the LDAP Attribute "Given-Name" to the Outgoing Claim type FirstName and the LDAP Attribute "Surname" to Outgoing Claim type LastName. Click Finish.
-
Once again in the Edit Claim Rules for Censys window, on the "Issuance Transform Rules" tab, click Add Rule.
-
On the Select Rule Template step, under the Claim rule template dropdown, select "Transform an Incoming Claim" and click Next.
-
On the Configure Claim Rule step:
-
Enter NameID as the Claim rule name.
-
Select UPN as the Incoming claim type.
-
Select Name ID as the Outgoing claim type.
-
Select Persistent Identifier as the Outgoing name ID format.
-
Ensure that "Pass through all claim values" is selected.
-
Click Finish.
-
Back on the Edit Claim Rules for Censys window, click OK.
-
Configure the ADFS server to verify the signature on Censys authentication requests using the Censys request signing certificate. This certificate is only used to check the signature on incoming SAML requests; it is not a decryption key.
-
In the Censys web app, navigate to the authentication configuration page by opening the user dropdown menu in the top-right and selecting My Account. On the account page, click on the Team tab and select Authentication from the menu.
-
In the SP Details section, copy the Authentication Request Signing Certificate.
-
Create a new file on the ADFS server and paste the contents of the certificate in it. Name the file censys.cer.
-
On the ADFS server, in the tree on the left of the AD FS window, expand Trust Relationships and click Relying Party Trusts. Then double-click the Censys relying party trust to edit it.
-
Select the Signature tab and click Add. Select the censys.cer file just created and then click OK. ADFS now accepts SAML authentication requests from Censys only when their signature validates against this certificate.
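The same relying party trust can be built from PowerShell on the ADFS server instead of clicking through the wizard, which is easier to review and to reproduce on a second federation server. The script below is an added example and is not part of the Censys documentation or the Censys product; the SSO URL, certificate path and variable names are placeholders you must replace with the values shown in the SP Details section of the Censys authentication page. It goes one step beyond the GUI walk-through by also setting SignedSamlRequestsRequired, so that ADFS rejects any authentication request that is not signed with the certificate you just added.

```powershell
# Added example (not Censys documentation): builds the Censys relying party trust
# that the steps above create by hand. Run in an elevated PowerShell session on the
# AD FS server. Every value marked PLACEHOLDER is an assumption; take the real ones
# from the SP Details section of the Censys Team > Authentication page.
Import-Module ADFS

$DisplayName = "Censys"
$Identifier  = "https://censys.io/"                 # relying party trust identifier (Configure Identifiers step)
$SsoUrl      = "https://PLACEHOLDER/saml/acs"       # URL pasted into "Relying party SAML 2.0 SSO service URL"
$SigningCert = "C:\certs\censys.cer"                # Authentication Request Signing Certificate saved from SP Details

# SAML endpoint that receives the assertion (HTTP-POST binding, as the WebSSO wizard creates).
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $SsoUrl -Index 0

# The two issuance transform rules from the Edit Claim Rules steps, in AD FS claim rule language:
# 1) "Send LDAP Attributes as Claims": Given-Name -> FirstName, Surname -> LastName
# 2) "Transform an Incoming Claim": UPN -> Name ID with the persistent format
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Censys Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("FirstName", "LastName"), query = ";givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Issuance authorization rule. This is the wizard's "Permit all users" choice;
# replace it with a group-based rule if your policy restricts who may reach Censys.
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Certificate AD FS uses to verify the signature on Censys AuthnRequests (the "Signature" tab).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SigningCert

Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Identifier $Identifier `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules `
    -RequestSigningCertificate $cert `
    -SignedSamlRequestsRequired $true   # reject unsigned requests now that the SP signing cert is pinned

# Check: confirm identifier, endpoint, request-signing thumbprint and the signed-request requirement.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SignedSamlRequestsRequired,
        @{ n = "Endpoint"; e = { $_.SamlEndpoints.Location } },
        @{ n = "RequestSigningThumbprint"; e = { $_.RequestSigningCertificate.Thumbprint } }
```

Compare the thumbprint printed by the final command with the certificate shown on the Censys authentication page before enabling SSO for the team; a mismatch means the wrong file was imported and signed requests from Censys will be rejected.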
-