Configure ADFS (Active Directory Federation Services)
To use ADFS, perform the following:
- Configure Sitefinity CMS.
- Navigate to Administration » Settings » Advanced.
- In the left pane, expand Authentication » SecurityTokenService » AuthenticationProviders » ADFS.
- In Metadata Address filed, enter the ADFS Server address, concatenated by /federationmetadata/2007-06/federationmetadata.xml
For example, enter https://<your-ADFS-server.com>/federationmetadata/2007-06/federationmetadata.xml
- In Wtrealm field, enter the identifier of the relying party that is to be configured in the ADFS server.
For example, enter urn:sitefinity
NOTE: In the ADFS configuration, the Wtrealm and the Relying party identifier must be the same.
- Select the Enabled checkbox.
- In Auto assigned roles, enter a comma-separated list of the roles that will be automatically assigned to users, when they register with this provider.
For more information about using auto-assigned roles together with user groups, see Use external authentication providers with user groups.
- Save your changes.
- Configure the ADFS server.
- On the ADFS server machine, open the ADFS Management application.
- Add a new claims-based relying party for Sitefinity CMS.
Enter the relying party data manually.
- Enable support for the WS-Federation Passive protocol.
- Add endpoint for the relying party in the following way:
- Enter the identifier of the relying party.
It must be the same as the Wtrealm field, configured in Step 1.d.
For example, urn:sitefinity.
- Close the Relying Party Trust window.
The Edit Claim rules window appears.
- If the window does not appear, perform the following:
- In the ADFS Management console, navigate to Relying Party Trusts.
- Select the relying party for Sitefinity and click Edit Claims Issuance Policy.
By default the list of claim rules is empty.
- Create a new claim rule of type Send LDAP Attributes as Claims.
- Select Active Directory as attribute store and fill out the following:
- User Principal Name (UPN) to be equal to Name ID (identifier) - this is mandatory and unique identifier used by Sitefinity CMS.
- E-Mail Addresses to be equal to E-Mail Address - this is mandatory and unique identifier.
- Display-Name to be equal to Name – This claim, and other claims, are optional.
RESULT: Next time when the login screen is displayed, it will have a button that you can use to login with ADFS.