Microsoft AD FS Integration with ETV

Active Directory Federation Services (AD FS, or ADFS) is Microsoft's implementation of authentication federation. It is also the technology used by Office 365, as Azure Active Directory, to establish SSO for web applications like EnhanceTV.

The process in setting it up is similar in concept to the process of setting up a Google SAML account. See: other help document name and hyperlink it.

What you are doing is adding a Relying Party Trust for EnhanceTV.

NOTE: It is recommended that this configuration be performed by an experienced Windows Server administrator.

TERMINOLOGY

The terminology used by Microsoft is different from Google's terminology for setting up SAML SSO, but the operation is conceptually the same. EnhanceTV still needs to have the ADFS IdP metadata put into the school's SSO Setup as described in the previous section, and the ADFS equivalent of the SAML application setup will still need EnhanceTV's SP metadata.

Reference: https://docs.pivotal.io/p-identity/1-2/adfs/config-adfs.html#adfs

AUDIENCE

Institution administrators. It is recommended that this configuration be performed by an experienced Windows Server administrator.

PURPOSE

Setting up EnhanceTV SSO for a whole Institution.


Microsoft Terminology    Google Terminology
Claim                    Name ID Format and the attribute mapping on the Google Admin Console

Claim Mapping

EnhanceTV uses the email address, so that needs to be included in the claim attribute mapping. The Name ID Format should be the equivalent of "unspecified".

ADFS SSO INFORMATION

This article provides guidance on SAML integration with EnhanceTV.

It is important to understand that the SAML integration process is an HTTPS-only process, and customers must ensure that they possess at least a 2048-bit RSA certificate from a reputable Certificate Authority.

Currently EnhanceTV supports Single Sign-On (SSO) integration for most SAML2 Protocol based authentication systems including but not limited to:

• Active Directory Federation Services (ADFS)

NOTE:

• If the implementation of Single Sign On at your institution will lead to a change in the e-mail addresses that users at your institution currently use for EnhanceTV access, please ensure that this is specified when sending your completed SSO setup information back to EnhanceTV. This is necessary so that EnhanceTV can assess whether users' existing EnhanceTV material, such as Workspace videos, Playlists etc., will need to be migrated when SSO is enabled for your institution.

• If you are not sure of this, please contact EnhanceTV Support for further guidance prior to commencing the SSO setup.

Find the URL for your institution's geographic location under the SSO Setup area of your EnhanceTV admin account.

For example: https://www.enhancetv.com.au/saml2/25100/metadata where 25100 is the ID of the users’ Institution and dynamically generated by the website.

NOTE: Please ensure that the On-Boarding Document contains your own institution's metadata URL and entity ID, not that of EnhanceTV.

INTEGRATION PROCESS WITH MICROSOFT ADFS 2.0 / 3.0

Before you start, please ensure your ADFS 'Organisation' information is published with your Federation Metadata.

1. Right-click on the folder in the top left hand pane and select 'Edit Federation Service Properties'

2. Click on the Organization tab


3. Tick the Publish Organization information in federation metadata check box

4. Complete the fields in the Support contact information section. It is mandatory that this section is completed with valid data.

NOTE: Customers running an Active Directory with a functional level of 2003 or higher will be able to take advantage of Microsoft's ADFS 2.0 or 3.0 SSO system for integrating with EnhanceTV Online.

INSTALLING ACTIVE DIRECTORY FEDERATION SERVICES (AD FS) ON A WINDOWS 2008 R2 SERVER

Below is a brief walk-through on how the ADFS Service can be installed on a Windows 2008 R2 Server. Support for setting up an AD FS farm is beyond the scope of this help documentation and the procedure below is provided as a courtesy. Seek additional support before attempting this procedure if required.

1. Open Start

2. Click Administrative Tools

3. Click AD FS 2.0 Management or AD FS 3.0 Management

4. Click AD FS Federation Server Configuration Wizard


5. Click the Create a New Federation Service radio button

6. Click the Create New Federation Server Farm radio button

NOTE: Choose the New Federation Server Farm option even if you only plan to deploy one server. If the stand-alone federation server option is chosen, you will not be able to add a new server to your AD network.

7. Click Next

8. The SSL Certificate should be pre-populated. If not, please assign your SSL Certificate to the Default Website created in IIS.

9. The Federation Service Name should match the SSL certificate name

10. Click Next

11. Enter the AD FS service account name and password

12. Click Next


13. Click Next.


NOTE: If you get an error message “The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.” it indicates that the name of the federation service is already in use. Use setspn.exe to set the proper SPN.

CONFIGURING FEDERATION TRUST WITH ENHANCETV

Now that the ADFS Service has been installed you are ready to set up the Relying Party Trust.

1. Select Relying Party Trusts


2. Click Add Relying Party Trust

3. Click Next.

The Add Relying Party Trust wizard will run.

4. Select the Import data about the relying party published online or on a local network radio button

5. In the Federation metadata address field, enter the EnhanceTV SAML Metadata URL. As mentioned at the start of this article, this is obtained from the SSO Setup area of your admin account.

6. Click Next

The Specify Display Name screen displays.

7. You can retain the default Display Name or change it accordingly. This name will display in your list of AD FS services so we recommend that the name is set to EnhanceTV.


8. Click Next

The Choose Issuance Authorization Rules window displays


9. Select Permit all users to access this relying party and click Next

10. Click Next & Finish

11. If you are running AD FS 3.0, it is necessary to ensure that both Forms Authentication and Windows authentication are enabled within the Global Authentication Policy as per the screenshot below:


CREATING CLAIM RULES FOR EXPOSURE OVER SAML ADFS 2.0 / 3.0

For successful ADFS integration with EnhanceTV we require the following attributes to be exposed:

• Email Address

• Given Name

• Display Name

During the authentication process, the user's group membership is enumerated and the respective group membership that is mapped to EnhanceTV is chosen.

In accordance with the SAML2 protocol, the following rule templates must be used when exposing the above attributes over ADFS.

There are 2 options for mapping outgoing claim rules to EnhanceTV.

1. Issuance Mapping Option (Easiest)

2. Custom Rules Options (Technical)

OPTION 1: ISSUANCE MAPPING OPTION (EASIEST)

The easiest way to map the outgoing claim rules to EnhanceTV is to provide various custom rules.


We need to set up two sets of rules - Name to Email, and General Attributes.

1. Click Add Rule

2. Set up a Name to Email rule


3. Next set up a General Attributes list


4. Set up all the mappings of LDAP attributes to outgoing claim types as per the screenshots.

NOTE: Your LDAP attributes may differ slightly from the documentation.

OPTION 2: CUSTOM RULES OPTIONS (TECHNICAL)

1. Right-Click on the newly added Relying Party Trust and select Edit Claim Rules

2. Select the Issuance Transform Rules tab and click Add Rule


3. From the Claim Rule Template drop-down, select Send Claims Using a Custom Rule and click Next

4. For each of the above claim rules explained above enter the corresponding Claim Rule name and the Custom Rule as per below:

Claim Rule Name: Email Address
Custom Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.3"), query = ";mail;{0}", param = c.Value);

Claim Rule Name: Given Name
Custom Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.5.4.42"), query = ";givenName;{0}", param = c.Value);

Claim Rule Name: Display Name
Custom Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.16.840.1.113730.3.1.241"), query = ";displayName;{0}", param = c.Value);

Claim Rule Name: Member Of
Custom Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:1.2.840.113556.1.2.102"), query = ";memberOf;{0}", param = c.Value);

Claim Rule Name: Surname
Custom Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.5.4.4"), query = ";SN;{0}", param = c.Value);

NOTE: These rules will vary depending on your AD FS set up.

5. Once the above attributes have been mapped, add them to the SSO Setup area of the management account. Contact EnhanceTV Technical Support with your completed details for support with the integration process.
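As an added example (not from the EnhanceTV guide), here is the Add Relying Party Trust wizard and the Option 2 claim rules above applied with the AD FS PowerShell module instead of the management console. The trust name, the institution ID in the metadata URL, and the availability of the ADFS module (AD FS 3.0 on Windows Server 2012 R2; AD FS 2.0 ships a snap-in instead) are assumptions.

```powershell
# Added example, not from the EnhanceTV guide: scripted equivalent of the
# Add Relying Party Trust wizard and the Option 2 custom claim rules.
# Assumes the ADFS module of AD FS 3.0 (Windows Server 2012 R2); on AD FS 2.0
# replace Import-Module ADFS with Add-PSSnapin Microsoft.Adfs.PowerShell.
Import-Module ADFS

# Constructed values: use the metadata URL shown under SSO Setup in your
# EnhanceTV admin account (25100 is the guide's example institution ID).
$rpName      = 'EnhanceTV'
$metadataUrl = 'https://www.enhancetv.com.au/saml2/25100/metadata'

# The three claim rules the guide requires, taken from the Option 2 table.
# Each rule looks the user up in AD by Windows account name and issues one
# attribute under its SAML2 OID.
$accountName = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$transformRules = @"
@RuleName = "Email Address"
c:[Type == "$accountName"]
 => issue(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.3"), query = ";mail;{0}", param = c.Value);

@RuleName = "Given Name"
c:[Type == "$accountName"]
 => issue(store = "Active Directory", types = ("urn:oid:2.5.4.42"), query = ";givenName;{0}", param = c.Value);

@RuleName = "Display Name"
c:[Type == "$accountName"]
 => issue(store = "Active Directory", types = ("urn:oid:2.16.840.1.113730.3.1.241"), query = ";displayName;{0}", param = c.Value);
"@

# Step 9 of the guide ("Permit all users to access this relying party").
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Create the trust from the EnhanceTV SP metadata if it is not there yet.
# Monitoring keeps the trust in step with the published SP metadata, so a
# certificate rollover on the EnhanceTV side is picked up automatically.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Attach the issuance transform and authorization rules to the trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read back what AD FS will release to EnhanceTV, so it can be reviewed
# against the required attribute list before details go to EnhanceTV Support.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```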

SAML2 ATTRIBUTES FOR INTEGRATION WITH 3RD PARTY IdPs

Due to the many different IdP solutions on the market implementing the SAML2 protocol, we have compiled a list of the attributes that must be exposed by your respective IdP for successful federation with EnhanceTV.

LDAP Attribute                  SAML2 Attribute

Email Address                   <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="email"/>

Given Name                      <Attribute name="urn:oid:2.5.4.42" id="givenName"/>

Display Name                    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>

Member Of                       <Attribute name="urn:oid:1.2.840.113556.1.2.102" id="memberOf"/>

First Name or cn (Common Name)  <Attribute name="urn:oid:2.5.4.3" id="cn"/>

Sn or Surname                   <Attribute name="urn:oid:2.5.4.4" id="surName"/>
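An added check, not part of the guide, for the attribute table above: it parses a decoded SAML Response captured from a test sign-on (for example with a browser SAML tracing extension) and reports which of the required attributes are present, which extra attributes are also being released, and the NameID format. The sample Response embedded here is constructed, not a real capture, and the function name is an assumption.

```powershell
# Added example (not from the guide): verify what an IdP actually releases
# against the attribute list EnhanceTV requires, before contacting support.
$required = @{
    'urn:oid:0.9.2342.19200300.100.1.3' = 'Email Address'
    'urn:oid:2.5.4.42'                  = 'Given Name'
    'urn:oid:2.16.840.1.113730.3.1.241' = 'Display Name'
}

function Test-EtvAssertion {
    param([Parameter(Mandatory)][string]$Xml)   # decoded (not base64) SAML Response
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')

    # Collect every released attribute by its Name (the OID), with its values.
    $released = @{}
    foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $released[$attr.GetAttribute('Name')] =
            @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }
    foreach ($oid in $required.Keys) {
        $present = $released.ContainsKey($oid) -and (($released[$oid] -join '') -ne '')
        $status  = if ($present) { 'OK     ' } else { 'MISSING' }
        '{0} {1,-13} {2}' -f $status, $required[$oid], $oid
    }
    # Attributes beyond the required set (memberOf, for instance) deserve a
    # second look: release only what the service provider needs.
    $extra = @($released.Keys | Where-Object { -not $required.ContainsKey($_) })
    if ($extra.Count -gt 0) { "EXTRA   also released: $($extra -join ', ')" }

    # The guide expects the NameID format equivalent to "unspecified".
    $nameId = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    $format = if ($nameId) { $nameId.GetAttribute('Format') } else { '<none>' }
    "NameID format: $format"
}

# Constructed sample: email and given name released, display name missing,
# memberOf released as an extra. Not a real capture.
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jsmith@school.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:1.2.840.113556.1.2.102"><saml:AttributeValue>CN=Staff,OU=Groups,DC=school,DC=example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
Test-EtvAssertion -Xml $sample
```

With the constructed sample the output flags Display Name as MISSING and memberOf as an extra attribute.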

SMART LINK AUTO LOGIN

To allow users to auto login from a vanity URL (a subdomain of your primary domain), use a smart link HTTP redirect.

1. Within IIS control panel for your server, navigate to HTTP Redirect

2. Create a new redirect

3. In the Redirect requests to this destination field, enter your IdP Initiated Sign On URL (from your AD FS set up) and append ?loginToRP= followed by the metadata URL for our SP, found in your management account.

For example: https://yourdomain.com.au/?loginToRP=https://www.enhancetv.com.au/saml2/25100/metadata

This will now auto login a user when navigating to that URL directly or via a bookmark.
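The same redirect applied from PowerShell with the IIS WebAdministration module, as an added example that is not part of the guide. It assumes the HTTP Redirection role service is installed, that the vanity host is a dedicated IIS site (the site name and the AD FS host name below are constructed), and that the AD FS IdP-initiated sign-on page is at its default path.

```powershell
# Added example (not from the guide): the Smart Link redirect set via the
# WebAdministration module instead of the IIS Manager HTTP Redirect dialog.
Import-Module WebAdministration

# Constructed values: your AD FS IdP-initiated sign-on URL, the EnhanceTV SP
# metadata URL from your management account, and the vanity IIS site.
$idpSignOn   = 'https://adfs.yourdomain.com.au/adfs/ls/IdpInitiatedSignOn.aspx'
$etvMetadata = 'https://www.enhancetv.com.au/saml2/25100/metadata'
$site        = 'IIS:\Sites\etv.yourdomain.com.au'

# Build the smart link. The SP metadata URL is a URL inside a query string,
# so it is percent-encoded; AD FS decodes the loginToRP parameter on receipt.
$smartLink = '{0}?loginToRP={1}' -f $idpSignOn, [uri]::EscapeDataString($etvMetadata)

$filter = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name destination -Value $smartLink
# exactDestination stops IIS appending the requested path to the target URL,
# which would corrupt the loginToRP parameter for bookmarks with a sub-path.
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name exactDestination -Value $true
# A 302 (Found) rather than a permanent redirect, so browsers keep asking the
# vanity host and a later change of sign-on URL takes effect immediately.
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name httpResponseStatus -Value 'Found'

# Read back the effective redirect target for review.
Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name destination
```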


These documents are provided as a helpful guide only. Enhance TV is not responsible for the accuracy or completeness of the content within the documents or any issues arising from the application of the instructions provided. Users are advised to seek their own technical assistance from qualified experts.