Set Up Microsoft ADFS for Censys SAML Authentication
Use this article to enable SSO with Microsoft Active Directory Federation Services (ADFS) as your Identity Provider for Censys authentication.
- In the Server Manager, open the Tools menu and select AD FS Management.
- In the Actions panel on the right, click Add Relying Party Trust and click Start.
- On the Select Data Source step, select Enter data about the relying party manually and click Next.
- On the Specify Display Name step, type Censys as the display name and click Next.
- On the Choose Profile step, leave AD FS profile selected and click Next.
- Leave the Configure Certificate step blank and click Next.
- On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol. Paste the Metadata URL from the SP Details section of your Censys team’s authentication page into the text box under Relying party SAML 2.0 SSO service URL. Click Next.
- On the Configure Identifiers step, enter https://censys.io/ as the Relying party trust identifier and click Add, then click Next.
- On the Configure Multi-Factor Authentication step, select the option that fits your organization’s security setup and best practices.
- On the Choose Issuance Authorization Rules step, grant or deny blanket access to users as needed. Click Next.
- On the Ready page, check that the configuration details are correct and accord with your organization’s security best practices, then click Next.
- On the Finish page, leave the Open the Edit Claim Rules dialog checkbox selected and click Close.
- In the new Edit Claim Rules for Censys window, on the Issuance Transform Rules tab, click Add Rule to map attributes in ADFS to the claims that Censys expects.
- On the Select Rule Template step, in the Claim rule template list, leave Send LDAP Attributes as Claims selected and click Next.
- On the Configure Claim Rule step, enter Censys Attributes as the Claim rule name. Select Active Directory from the Attribute store list. In the mapping table, map the LDAP Attribute Given-Name to the Outgoing Claim Type FirstName, and map the LDAP Attribute Surname to the Outgoing Claim Type LastName. Click Finish.
- Back in the Edit Claim Rules for Censys window, on the Issuance Transform Rules tab, click Add Rule.
- On the Select Rule Template step, from the Claim rule template list, select Transform an Incoming Claim and click Next.
- On the Configure Claim Rule step:
  - Type NameID as the Claim rule name.
  - Select UPN as the Incoming claim type.
  - Select Name ID as the Outgoing claim type.
  - Type Persistent Identifier as the Outgoing name ID format.
  - Select Pass through all claim values.
  - Click Finish.
- Back in the Edit Claim Rules for Censys window, click OK.
- Configure the ADFS server to verify the signature on Censys authentication requests using the Censys signing certificate:
  - In the Censys web app, navigate to the authentication configuration page by opening the user list in the top right and selecting My Account. On the account page, click the Team tab and select Authentication from the menu.
  - In the SP Details section, copy the Authentication Request Signing Certificate.
  - Create a new file on the ADFS server and paste the contents of the certificate into it. Name the file censys.cer.
  - Back on the ADFS server, in the left pane of the AD FS window, expand Trust Relationships and click Relying Party Trusts. Double-click the Censys relying party trust to edit it.
  - Select the Signature tab and click Add. Select the censys.cer file you just created and click OK.
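The same relying party trust, claim rules and signing certificate can be created from PowerShell with the ADFS module's cmdlets. This is an added example, not part of the original article or Censys's own tooling; the SSO service URL and the path to censys.cer are placeholders you fill in from your Censys SP Details and your server, and the claim rules are written as the two GUI templates generate them.

```powershell
# Added example: build the Censys relying party trust from the steps above using the
# ADFS PowerShell module. Run in an elevated session on the ADFS server.
Import-Module ADFS

# Placeholders (assumptions): the URL pasted in the Configure URL step comes from the
# SP Details section of the Censys authentication page; censys.cer is the file
# created from the Authentication Request Signing Certificate.
$CensysSsoUrl  = 'https://<paste-the-URL-from-Censys-SP-Details>'
$CensysCerPath = 'C:\ADFS\censys.cer'

# Configure URL step: SAML 2.0 WebSSO endpoint (HTTP-POST binding).
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $CensysSsoUrl -Index 0

# Signature tab: certificate ADFS uses to verify signed authentication requests.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $CensysCerPath

# Issuance transform rules in ADFS claim rule language: "Censys Attributes"
# (Send LDAP Attributes as Claims) and "NameID" (Transform an Incoming Claim,
# UPN -> Name ID with the persistent format, passing through all values).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Censys Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("FirstName", "LastName"), query = ";givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Choose Issuance Authorization Rules step: the "Permit all users" template.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
# MFA (Configure Multi-Factor Authentication step) is left to your organization's policy.
Add-AdfsRelyingPartyTrust -Name 'Censys' `
    -Identifier 'https://censys.io/' `
    -SamlEndpoint $samlEndpoint `
    -RequestSigningCertificate $signingCert `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the trust should list the identifier, one SAML endpoint and the signing cert.
Get-AdfsRelyingPartyTrust -Name 'Censys' |
    Select-Object Name, Identifier, SamlEndpoints, RequestSigningCertificate, IssuanceTransformRules |
    Format-List
```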
-