Using Active Directory Federated Services to Authenticate to Certero | v8


From Certero version 8, there is the ability to use Federated Authentication via Active Directory Federated Services (ADFS). The following sections provide the instructions on how to use ADFS to authenticate to Certero.

Step 1 - Authentication Provider

  1. Within Certero, go to Administrator > Authentication Providers

  2. Click + New

  3. Set the Type to WS-Fed

  4. Set the Name to something meaningful, e.g. ADFS

  5. Set the Metadata Url to
    https://<adfsserver>/FederationMetadata/2007-06/FederationMetadata.xml
    where <adfsserver> is the FQDN of your ADFS server.

  6. Click Save

N.B. This step assumes that the Active Directory Federation Services role has already been installed and a valid ADFS certificate exists (see Appendix A below).
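Before saving the provider it is worth confirming, from the Certero application server, that the Metadata Url is reachable over a TLS connection the server trusts and that it describes the ADFS instance you expect. The PowerShell below is an added example and is not part of the Certero product or documentation; the value of $AdfsFqdn is a placeholder you replace with your own ADFS server FQDN.

```powershell
# Added example (not Certero's own tooling): fetch the ADFS federation metadata
# and report the entity ID and token-signing certificate(s) it advertises.
# Run on the Certero application server so the TLS trust check reflects what
# Certero itself will see when it reads the Metadata Url.
$AdfsFqdn    = 'adfs.example.local'   # placeholder, replace with the FQDN of your ADFS server
$MetadataUrl = "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"

# Invoke-WebRequest throws if the ADFS SSL certificate is not trusted by this
# machine, which is the same condition that would stop Certero reading the metadata.
$response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -ErrorAction Stop
[xml]$metadata = $response.Content

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# The entityID is the issuer name that will appear in tokens sent to Certero.
$entityId = $metadata.DocumentElement.GetAttribute('entityID')
Write-Host "Entity ID (issuer): $entityId"

# Every signing key published in the metadata. The thumbprint(s) should match
# Get-AdfsCertificate -CertificateType Token-Signing run on the ADFS server.
$certNodes = $metadata.SelectNodes(
    "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$seen = @{}
foreach ($node in $certNodes) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }   # the same key is listed under several roles
    $seen[$cert.Thumbprint] = $true
    Write-Host ("Token-signing cert: {0}  thumbprint={1}  expires={2:yyyy-MM-dd}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Token-signing certificate expires within 30 days; plan the rollover before federated sign-in breaks."
    }
}
```

If the request fails with a certificate error, fix the trust chain on the Certero server rather than disabling certificate validation: Certero relies on that same chain to know the metadata, and therefore the signing key it will accept tokens from, genuinely came from your ADFS server.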

Step 2 - ADFS Configuration


  1. Login to the Active Directory Federated Services Server using an Administrator account

  2. Open AD FS Management under Administrative Tools > AD FS Management

  3. Select Add Relying Party Trust... in the right hand pane

  4. Select Claims aware and click Start

  5. Select Enter data about the relying party manually and click Next

  6. Enter a friendly name under Display name, e.g. Certero, and add Notes if required

  7. Click Next on the Configure Certificate Section

  8. In the Configure URL section tick the box Enable support for the WS-Federation Passive Protocol

  9. Enter the Certero sign-in endpoint into Relying party WS-Federation Passive Protocol URL, e.g. https://<CerteroServerFQDN>/CerteroWebApp/signin-wsfed, and click Next

  10. In the Configure Identifiers section, enter the Relying party trust identifier,
    e.g. https://<CerteroServerFQDN>/CerteroWebApp/Account/LogonFederated, and click Next

  11. Choose Access Control Policy - Permit Everyone, and click Next

  12. In Ready to Add Trust, click Next

  13. Tick the box Configure claims issuance policy for this application and click Close

  14. Click Add Rule. Select Send LDAP Attributes as Claims in the drop down list and click Next

  15. In the Claim rule name box type Send UPN as Name

  16. Select Active Directory as the Attribute store, map the User-Principal-Name LDAP attribute to the Name outgoing claim type, and click Finish
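Steps 3 to 16 can also be scripted with the AD FS PowerShell module, which is useful for repeatable builds and for checking that a trust created through the wizard has the expected settings. The script below is an added example, not Certero's or Microsoft's own code; the Certero FQDN is a placeholder, the display name and notes are arbitrary, and the claim rule reproduces the "Send UPN as Name" rule from Steps 14 to 16 in the ADFS claim rule language.

```powershell
# Added example (not from Certero): create the same relying-party trust that
# Steps 3-16 build in AD FS Management, using the ADFS PowerShell module instead.
# Run in an elevated session on the ADFS server.
Import-Module ADFS

$CerteroFqdn = 'certero.example.local'   # placeholder, replace with your Certero server FQDN
$PassiveUrl  = "https://$CerteroFqdn/CerteroWebApp/signin-wsfed"               # Step 9
$Identifier  = "https://$CerteroFqdn/CerteroWebApp/Account/LogonFederated"     # Step 10

# Steps 14-16: issue the user's UPN from the Active Directory attribute store
# as the outgoing Name claim. This is the rule the "Send LDAP Attributes as
# Claims" template generates when User-Principal-Name is mapped to Name.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName;{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name 'Certero' `
    -Notes 'Certero WS-Federation relying party' `
    -Identifier $Identifier `
    -WSFedEndpoint $PassiveUrl `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $IssuanceRules

# Read the trust back so the endpoint, identifier and rule can be checked
# against Steps 9, 10 and 15-16 before testing sign-in.
Get-AdfsRelyingPartyTrust -Name 'Certero' |
    Select-Object Name, Identifier, WSFedEndpoint, AccessControlPolicyName, IssuanceTransformRules
```

The identifier in Step 10 is what ADFS puts in the token audience, so it must match what Certero expects exactly (scheme, host and path); a trust that exists but with a mismatched identifier is the most common reason the test in Step 3 fails after the wizard completes. The "Permit everyone" policy only decides who can obtain a token from ADFS; if you later want ADFS itself to restrict sign-in to a group, the policy can be changed with Set-AdfsRelyingPartyTrust -AccessControlPolicyName.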

Step 3 - Test the ADFS Configuration

  1. Go to the Certero login page and click Choose a different authentication method.

  2. Click the ADFS icon

  3. Click the Sign in with ADFS button.

  4. Providing both Step 1 and Step 2 have been completed successfully, you will be redirected to the ADFS sign-in page on your ADFS server.

  5. Enter your username and password. The username can be in either domain\username or username@domain.com format. Click Sign in. You will now be logged into Certero via ADFS authentication.

Appendix A - ADFS Certificate

  1. ADFS requires a valid digital certificate.

  2. The Subject should match the ADFS server FQDN.

  3. Enhanced Key Usage = Server Authentication

  4. The Certificate Subject Alternative Name should have certauth.<server FQDN>

For example, for an ADFS server called adfs.training.certero.local the certificate's Subject Alternative Name should include certauth.adfs.training.certero.local.
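The four requirements above can be checked against the certificate ADFS actually binds to HTTPS, rather than by inspecting the certificate store by hand. The script below is an added example, not Certero's or Microsoft's tooling. It reads the ADFS hostname and SSL binding from the ADFS configuration, so it needs no placeholders, and it goes slightly beyond the appendix by also requiring the bare FQDN in the Subject Alternative Name, since browsers ignore the Subject CN when a SAN extension is present.

```powershell
# Added example (not Certero's own tooling): check the certificate bound to the
# ADFS HTTPS endpoint against the Appendix A requirements. Run on the ADFS server.
Import-Module ADFS

$AdfsFqdn = (Get-AdfsProperties).HostName
$binding  = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $AdfsFqdn } | Select-Object -First 1
if (-not $binding) { throw "No ADFS SSL certificate binding found for $AdfsFqdn" }
$cert = Get-Item ("Cert:\LocalMachine\My\" + $binding.CertificateHash)

$problems = @()
$now = Get-Date

# 1. Valid: inside its validity period and with a chain this machine trusts
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
if (-not $cert.Verify()) { $problems += "certificate chain does not verify on this machine" }

# 2. Subject CN matches the ADFS server FQDN
$subjectCn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
if ($subjectCn -ne $AdfsFqdn) { $problems += "subject CN '$subjectCn' does not match ADFS FQDN '$AdfsFqdn'" }

# 3. Enhanced Key Usage (OID 2.5.29.37) includes Server Authentication (1.3.6.1.5.5.7.3.1)
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
if (-not $hasServerAuth) { $problems += "Enhanced Key Usage does not include Server Authentication" }

# 4. Subject Alternative Name (OID 2.5.29.17) lists certauth.<FQDN>, and the FQDN itself.
#    Format($true) returns localized text such as "DNS Name=host"; adjust the
#    pattern on non-English Windows.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText  = if ($sanExt) { $sanExt.Format($true) } else { '' }
$dnsNames = [regex]::Matches($sanText, 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value.ToLower() }
foreach ($required in @($AdfsFqdn, "certauth.$AdfsFqdn")) {
    if ($dnsNames -notcontains $required.ToLower()) { $problems += "Subject Alternative Name is missing $required" }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: certificate $($cert.Thumbprint) satisfies the Appendix A requirements for $AdfsFqdn"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The certauth.<FQDN> name matters because ADFS serves its certificate-authentication endpoint under that hostname on the same HTTPS binding; a certificate without it will still pass the password sign-in test in Step 3, so the omission is easy to miss until certificate-based sign-in is needed.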