Using Active Directory for tagVUE AV
So, you’ve decided to allow users from your organization to access tagVUE services in the cloud without setting them up individually. The Enterprise version of tagVUE services allows integration with on-premises identities through ADFS, giving users a uniform single sign-on experience.
A number of things need to be set up on ADFS to establish the relationship between the identity provider, the claims it issues and the tagVUE services.
Collect Metadata URL
To get your metadata URL, open Server Manager on your Azure AD VM (or on-premises AD FS machine), and from the “Tools” menu select “ADFS Management”. This brings up the “ADFS Management” window. Expand the “Service” node in the left-hand panel and select “Endpoints”. All endpoints available on ADFS will be displayed. Scroll to the bottom to locate the metadata endpoint. It might look like /FederationMetadata/2007-06/FederationMetadata.xml. This is only the path part of the metadata URL; the full metadata URL is your ADFS DNS name followed by this path.
You should be able to paste the whole URL into a browser to check that it loads correctly. It should be something like https://<domain.com>/FederationMetadata/2007-06/FederationMetadata.xml
Note – If your organization uses self-signed certificates, you might see a certificate error such as “There is a problem with this website’s security certificate”. This is expected with a self-signed certificate; click “Continue to this website (not recommended)” to proceed. A certificate issued by a CA your clients already trust avoids the prompt altogether.
Add tagVUE application as Relying party trust
Open Server Manager > Tools > ADFS Management. Expand “Trust Relationships” in the left-hand panel and select “Relying Party Trusts”. You will see that Device Registration Service is already present as a relying party. Now click “Add Relying Party Trust” in the right-hand panel. The Add Relying Party Trust wizard appears; click Start to continue. Select “Enter data about the relying party manually” and click Next. Choose a display name such as “tagVUE Application” and click Next. In the Choose Profile window, select “AD FS profile” and click Next.
In the “Configure Certificate” step, choose the certificate used to encrypt the tokens sent to tagVUE. In the “Configure URL” window, tick the checkbox “Enable support for the WS-Federation Passive protocol”. The textbox becomes enabled; this is where you enter the relying party URL, in other words the tagVUE application federation URL you were provided. It may look something like:
In “Configure Identifiers” the relying party identifier has already been added (the WS-Federation URL from the previous step), so simply click Next. Now select “I do not want to configure multi-factor authentication settings for this relying party trust at this time” and click Next. Select “Permit all users to access this relying party” and click Next.
In the “Ready to Add Trust” window, click Next. In the “Finish” window, leave the checkbox to open the Edit Claim Rules dialog ticked and click Close. The Edit Claim Rules window pops up. At this point ADFS knows about the tagVUE application, but a couple of additional things are required. This is where we tell ADFS which claims to send to the relying party and which values those claims will carry.
Click on the “Add Rule” button.
Select the claim rule template “Send LDAP Attributes as Claims”. The claim values come from Active Directory, which is an LDAP-based store, hence this template. Click Next to continue. In the Configure Rule window, name the rule “Send AD Attributes” and select “Active Directory” as the attribute store. In the mapping table, map the LDAP attributes to outgoing claim types as shown here:
E-Mail-Addresses -> email
User-Principal-Name -> username
Click Finish to exit the wizard, then click OK to complete the claim rules configuration.
That’s all we need.
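For administrators who prefer to script the setup, or who want a repeatable way to verify what the wizard produced, the following PowerShell performs the same steps as the GUI walkthrough above: it locates and fetches the federation metadata, creates the relying party trust with WS-Federation passive support, and attaches the “Send AD Attributes” claim rule plus the permit-all-users authorization rule. This is an added example, not code from the tagVUE documentation or product. It assumes it is run in an elevated session on the ADFS server with the ADFS module available; the relying party URL and the encryption certificate subject filter are placeholders you must replace with the values supplied for your tagVUE tenant.

```powershell
# Added example (not from the tagVUE documentation): scripted equivalent of the
# ADFS Management steps above. Run as an administrator on the ADFS server.
Import-Module ADFS

# --- 1. Locate and verify the federation metadata URL ----------------------
# The endpoint list shows only the path; the full URL is the ADFS host name plus that path.
$adfsHost = (Get-AdfsProperties).HostName
$metaPath = (Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '*FederationMetadata.xml' } |
    Select-Object -First 1).AddressPath
$metaUrl = "https://$adfsHost$metaPath"
Write-Host "Federation metadata URL: $metaUrl"

# Fetch and parse the metadata. With a self-signed HTTPS certificate this call fails
# unless the certificate is trusted on this machine (or, on PowerShell 7, you add
# -SkipCertificateCheck for a lab environment).
[xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
Write-Host "Metadata entityID: $($meta.EntityDescriptor.entityID)"

# --- 2. Claim rules ---------------------------------------------------------
# "Send LDAP Attributes as Claims" rule: E-Mail-Addresses -> email,
# User-Principal-Name -> username, exactly the mapping table from the walkthrough.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send AD Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "username"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# "Permit all users to access this relying party" from the wizard.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# --- 3. Create the relying party trust -------------------------------------
# ASSUMED placeholder: replace with the tagVUE federation URL you were given.
$rpUrl = 'https://tagvue.example.invalid/federation'

# ASSUMED: the token-encryption certificate has already been imported into the
# machine store; adjust the subject filter to match it.
$encCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*tagvue*' } |
    Select-Object -First 1

$rpParams = @{
    Name                       = 'tagVUE Application'
    Identifier                 = $rpUrl          # the WS-Federation URL doubles as the identifier
    WSFedEndpoint              = $rpUrl          # "Enable support for the WS-Federation Passive protocol"
    IssuanceTransformRules     = $transformRules
    IssuanceAuthorizationRules = $authzRules
}
if ($encCert) {
    $rpParams['EncryptionCertificate'] = $encCert
    $rpParams['EncryptClaims']         = $true
}
Add-AdfsRelyingPartyTrust @rpParams

# --- 4. Verify what was created ---------------------------------------------
Get-AdfsRelyingPartyTrust -Name 'tagVUE Application' |
    Select-Object Name, Identifier, WSFedEndpoint, EncryptClaims, IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust call is also a useful check after configuring the trust through the GUI: the IssuanceTransformRules it prints should contain the same two outgoing claim types, email and username, that the mapping table above specifies.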