Implement a trust between Enterprise ADFS 3.0 on Windows Server 2012 R2 and Bynder

Follow the steps below to implement a trust between an enterprise ADFS 3.0 server running on Windows Server 2012 R2 and Bynder. ADFS is the identity provider; Bynder is configured as a relying party that receives SAML claims from it.

You need a working ADFS deployment before you start. For more information on deploying ADFS, see the Microsoft documentation article cc782250(v=ws.10).aspx.

Configure basic rules

  1. Open Server Manager.
  2. Go to Tools > AD FS Management.

  3. In the Actions pane, click Add Relying Party Trust... to open the wizard.

  4. Click Start.
  5. In the Select Data Source window, select Import data about the relying party published online or on a local network.
  6. In the Federation metadata address (host name or URL) field, enter https://[Your-Bynder-URL]/sso/saml/metadata/. ADFS fetches Bynder's SAML metadata (entity ID, assertion consumer endpoint and signing certificate) from this address, so the URL must be reachable from the ADFS server over HTTPS.
  7. Specify a display name for the trust.

  8. In the Configure Multi-factor Authentication Now window, select I do not want to configure multi-factor authentication settings for this relying party trust at this time.
  9. In the Choose Issuance Authorization Rules window, select Permit all users to access this relying party. This lets every user who can authenticate to ADFS sign in to Bynder; if only some users should have access, tighten the issuance authorization rules for this trust afterwards.
  10. On the Finish page, leave Open the Edit Claim Rules dialog for this relying party trust when the wizard closes selected and click Close.

  11. In the Edit Claim Rules for Bynder window, click Add Rule....
  12. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list.

  13. Name the rule Get email from AD, map the user's e-mail address LDAP attribute to the E-Mail Address outgoing claim type, and click Finish.

  14. Add another rule. This time select Transform an Incoming Claim from the Claim rule template drop-down list.
  15. Name the rule Transform email to NameID, set the incoming claim type to E-Mail Address and the outgoing claim type to Name ID, and click Finish. Bynder identifies the user by this Name ID, so the e-mail address must be populated for every user who signs in.

  16. Create the third rule. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list again.
  17. Name the rule Send user details, map the remaining user attributes that Bynder should receive to outgoing claims, and click Finish.

Results

Your set of issuance transform rules should now contain three rules, in this order: Get email from AD, Transform email to NameID, and Send user details.

Configure rules to pass Group permissions in ADFS to Bynder

If you want to map group permissions, add the following two custom rules to your basic setup. The first rule looks up the user's group memberships in Active Directory and adds them to the pipeline without sending them; the second rule selects which of those groups are actually issued to Bynder.

Add group rules

  1. Click Add Rule... and select Send Claims Using a Custom Rule from the Claim rule template drop-down list.

  2. In the Configure Claim Rule window, enter the following rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value);

  3. Click Add Rule... again and select Send Claims Using a Custom Rule from the Claim rule template drop-down list.

  4. In the Configure Claim Rule window, enter the following rule:

    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)bynder"] => issue(claim = c);

    This rule sends every group claim whose value contains bynder, matched case-insensitively (the (?i) inline option). Note that the memberOf query in the first rule returns each group's distinguished name, for example CN=bynder-editors,OU=Groups,DC=example,DC=com, so the value never starts with the group's own name; to restrict the match to groups whose name starts with bynder, anchor the expression as "(?i)^CN=bynder". Also, memberOf lists only direct memberships, so users who belong to a bynder group only through a nested group will not receive that claim. You can modify the expression as you need.
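The whole procedure above (the relying party trust, the three basic rules and the two group rules) can also be scripted on the ADFS server with the ADFS PowerShell module, which is useful for repeatable deployments and for reviewing the resulting rule set as text. The script below is an added example and is not Bynder's or Microsoft's own code. The page does not show the exact LDAP attribute mappings behind Get email from AD and Send user details, nor the Name ID format, so the script assumes mail, givenName and sn and the e-mail Name ID format; $bynderHost is a placeholder.

```powershell
# Added example (not from the original article): create the Bynder relying party trust
# and its claim rules in one go on the ADFS 3.0 server.
# ASSUMPTIONS not stated on the page: LDAP attributes mail/givenName/sn and the
# e-mail Name ID format. Adjust them to what Bynder expects for your tenant.
Import-Module ADFS

$bynderHost = 'YOUR-BYNDER-URL'   # placeholder, replace with your Bynder host name
$trustName  = 'Bynder'

# Wizard steps 5-7: import Bynder's published SAML metadata and name the trust.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl "https://$bynderHost/sso/saml/metadata/" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Wizard step 9: "Permit all users to access this relying party".
# Every user who can authenticate to ADFS may sign in; tighten this if needed.
$authzRules = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 11-17 (three basic rules) plus the two group rules, in claim rule language.
# The group rules are the ones from the article; the basic rules use the assumed
# attributes listed above.
$transformRules = @'
@RuleName = "Get email from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Transform email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "Send user details"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";givenName,sn;{0}", param = c.Value);

@RuleName = "Get groups from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "Send Bynder groups"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)bynder"]
 => issue(claim = c);
'@

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check: the trust exists, picked up Bynder's entity ID from the metadata,
# and carries all five transform rules.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier,
        @{ n = 'RuleCount'; e = { ($_.IssuanceTransformRules -split '@RuleName').Count - 1 } }
```

Run the script in an elevated PowerShell session on the ADFS server. The rule strings are single-quoted here-strings, so the claim rule language is stored exactly as written; the same text is what you would see under Edit Claim Rules in the AD FS Management console. The Get groups from AD rule uses add rather than issue, so group claims only reach Bynder through Send Bynder groups; because memberOf returns distinguished names, replace "(?i)bynder" with "(?i)^CN=bynder" if only groups whose name starts with bynder should be sent.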

Results

Your issuance transform rules should now list the two custom rules after the three basic rules, five rules in total.
