Enable SSL
Enable SAML in Kace
Obtain ADFS IdP metadata information from ADFS Manager:
For ADFS 3.0, the URL is https://<Federation service name>/FederationMetadata/2007-06/FederationMetadata.xml, where <Federation service name> is the value obtained in the previous step.
Back in KACE, configure the IdP metadata information:
1- Click on "Get Metadata from IdP".
2- Enter the obtained IdP URL in the required field.
3- Paste the newly created URL into the "Import from URL" field.
4- Click on the "Import IdP Metadata" button.
Obtain the KACE "SP Entity Identifier (Uri)" metadata information.
1. In the "Local Service (SP) Settings" section, click on "View Metadata".
For this reason, it is better to obtain the XML file from the KACE SP Entity Identifier (Uri).
2. The URL in your browser will take you to the XML, which can be saved from there as an XML file.
In ADFS Manager, set up the Relying Party Trust.
3. Right-click the Relying Party Trusts folder and choose Add Relying Party Trust from the menu.
The Add Relying Party Trust Wizard will open.
4. Select Claims aware.
ADFS will send claim information like user attributes and group details to KACE for mapping.
6. Import the SP Entity Identifier (Uri) .xml file into the Relying Party Trust by choosing the option "Import data about the relying party from a file".
7. Click Next.
8. Enter your Display Name.
9. Your Display Name needs to be unique within ADFS. (Example: Your tenant name.)
10. Enter any notes.
11. Click Next.
12. Choose Access Control Policy, accept the default, or make a selection.
13. Click Next.
14. Review the settings across the available tabs.
15. Click Next to finish configuring the relying party trust.
16. Leave the box checked so you can move on to Edit Claim Rules.
17. Click Next, then Close to finish the wizard.
Edit Claim Issuance: Add Rules
Note: in this example four rules are set: two required "Transform an Incoming Claim" rules, one "Send LDAP Attributes as Claims" rule with the required attribute mapping, and one rule to map the users who will be granted Administrator rights.
Once you finish the wizard, you should be returned to the full list of Relying Party Trusts.
1st Rule: UPN to Name ID
1- In the list, right-click your newly created relying party trust.
2- Select Edit Claim Issuance Policy from the dropdown.
This will open the "Add Rule" window.
3- Click Add Rule.
4- Select "Transform an Incoming Claim".
5- Type a name for the rule, something describing what the rule does.
6- Set the following values:
Incoming Claim Type: UPN
Outgoing Claim Type: Name ID
Outgoing Name ID Format: Persistent Identifier
Other settings are left at their defaults.
7- Click Finish.
2nd Rule: Name ID to Name ID
1- In the Edit Claim Issuance Policy window, click "Add Rule".
2- Select "Transform an Incoming Claim".
3- Type a name for the rule, something describing what the rule does.
4- Set the following values:
Incoming Claim Type: Name ID
Outgoing Claim Type: Name ID
Outgoing Name ID Format: Persistent Identifier
Other settings are left at their defaults.
5- Click Finish.
3rd Rule: Send LDAP Attributes as Claims (SAM-Account-Name, E-Mail, Display Name)
LDAP attribute Display-Name maps to outgoing claim type Name.
4th Rule: Send Group Membership as a Claim
1- In the Edit Claim Issuance Policy window, click "Add Rule".
2- From the "Claim rule template" dropdown, select "Send Group Membership as a Claim".
Use the following information to configure the claim rule:
8- Click Finish.
Confirm user attribute mappings in KACE
2- Click on the "View Rule Language" button.
3- The mapping values are taken from the following window.
4- Values:
6- Click on the "View Rule Language" button.
7- The mapping values are taken from the following window.
8- Values:
Administrator:
http://schemas.xmlsoap.org/claims/Group = Domain Admins
NOTE: If you need to map your roles to other LDAP groups, create additional "Send Group Membership as a Claim" rules.
Troubleshooting
You can see which attributes the SAML assertion is sending to the SMA by using Chrome with the SAML Chrome Panel extension, which adds a SAML section to the developer tools (F12).
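As an added example (not part of the Quest article and not SMA or ADFS code), the check you would otherwise do by eye in the SAML Chrome Panel can be scripted: decode the base64 SAMLResponse value the panel shows, list the NameID and attributes, confirm the Persistent Identifier format set by the two Name ID rules, and apply the Group-to-role mapping from the previous section. The response below is constructed, and the role mapping dictionary is an assumption about how the KACE mapping table is expressed.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample SAMLResponse (not captured from a real IdP); the attribute
# names are the claim types ADFS emits for the rules configured above.
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response Version="2.0"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{SAML}">
  <saml:Assertion Version="2.0"><saml:Subject>
    <saml:NameID Format="{PERSISTENT}">jdoe@example.com</saml:NameID>
  </saml:Subject><saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUP_CLAIM}">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>Domain Admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""".encode()).decode()

def parse_saml_response(b64_response: str) -> dict:
    """Decode the base64 SAMLResponse value (what the SAML Chrome Panel shows)
    and return the NameID, its Format and every attribute as name -> values."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find(f".//{{{SAML}}}NameID")
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return {"name_id": None if name_id is None else name_id.text,
            "name_id_format": None if name_id is None else name_id.get("Format"),
            "attributes": attrs}

def name_id_is_persistent(parsed: dict) -> bool:
    """Both Name ID rules set the format to Persistent Identifier; anything
    else here means the transform rules did not apply to this login."""
    return parsed["name_id_format"] == PERSISTENT

def kace_roles_for(parsed: dict, role_map: dict) -> list:
    """Resolve roles from the Group claim with a mapping of claim value ->
    KACE role (assumed shape); an empty list means no configured group matched."""
    groups = parsed["attributes"].get(GROUP_CLAIM, [])
    return sorted({role_map[g] for g in groups if g in role_map})
```

Paste the SAMLResponse value from the panel into parse_saml_response to see exactly which claim names and values reached the SMA, rather than guessing from the rule editor.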
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.