
Implement a trust between Enterprise ADFS 3.0 on Windows Server 2012 R2 and Bynder

Follow the steps below to implement a relying party trust between an enterprise ADFS 3.0 server running on Windows Server 2012 R2 and Bynder.

You need a working ADFS deployment to perform this task. For more information on implementing ADFS, see cc782250(v=ws.10).aspx.

Configure basic rules

  1. Open the Server Manager Dashboard.

  2. Go to Tools > ADFS Management.

  3. Click Add Relying Party Trust... to open the wizard.

  4. Click Start.

  5. In the Select Data Source window, select Import data about the relying party published online or on a local network.

  6. In the Federation metadata address (host name or URL), enter https://[Your-Bynder-URL]/sso/saml/metadata/.

  7. Specify a display name for the trust.

  8. In the Configure Multi-factor Authentication Now window, select I do not want to configure multi-factor authentication settings for this relying party trust at this time.

  9. Select Permit all users to access this relying party.

  10. Leave the option to open the Edit Claim Rules window selected and close the wizard.

  11. In the Edit Claim Rules for Bynder window, click Add Rule....

  12. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list.

  13. Configure the Get email from AD claim rule as shown in the screenshot below and click Finish.

    [Screenshot: Get email from AD claim rule]
  14. Add another rule. Now select Transform an Incoming Claim from the Claim rule template drop-down list.

  15. Configure the Transform email to NameID rule as shown in the screenshot below and click Finish.

    [Screenshot: Transform email to NameID claim rule]
  16. Create the third rule. Now select Send LDAP Attributes as Claims from the Claim rule template drop-down list.

  17. Configure the Send user details rule as shown in the screenshot below.

    [Screenshot: Send user details claim rule]

Results

Your set of rules should now contain the three rules created above: Get email from AD, Transform email to NameID and Send user details.

Configure rules to pass Group permissions in ADFS to Bynder

If you want to map group permissions, you need to add two custom rules to the basic set of rules above.

Add group rules
  1. Click Add Rule... and select Send Claims Using a Custom Rule from the Claim rule template drop-down list.

  2. In the Configure Claim Rule window, enter the following rule. It looks up the user's group memberships in Active Directory and adds them to the claim pipeline without issuing them; the next rule issues the ones you want to send:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value);

  3. Click Add Rule... again and select Send Claims Using a Custom Rule from the Claim rule template drop-down list.

  4. In the Configure Claim Rule window, enter the following rule:

    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)bynder"] => issue(claim = c);


    Note

    In this example, only groups that match bynder are sent. The pattern "(?i)bynder" is a case-insensitive regular expression and is not anchored, so every group value that contains bynder anywhere is issued; tighten the pattern if you need a stricter filter. You can modify this as you need.

Results

Your list of claim rules should now also contain the two custom group rules added above.
