Integrate with AD FS

You can configure Fortra VM for single sign-on (SSO) using Active Directory Federation Services (AD FS) by performing the following (see below for detailed instructions):

  1. Export your AD FS server token-signing certificate and send it to Fortra Technical Support.
  2. Add a relying party trust for Fortra VM to your AD FS server.
  3. Add claim rules to the relying party trust to establish email address as the primary identifier.

Export AD FS Server Token-Signing Certificate

The following instructions describe how to export your token-signing certificate from your AD FS server to give to Fortra Technical Support.

  1. Open the Server Manager on your Windows server.
    • Open Control Panel and select System and Security > Administrative Tools.
    • Double-click Server Manager.
  2. On the Server Manager dashboard, select Tools > AD FS Management.
  3. In the left pane, navigate to AD FS > Service > Certificates.
  4. Right-click Token signing and select View Certificate...
  5. In the Certificate dialog, go to the Details tab and select Copy to File...
  6. In the Welcome to the Certificate Export Wizard, click Next.
  7. For Export File Format, select Base-64 encoded X509 (.CER), then click Next.
  8. For File to Export, click Browse… to open the Save As dialog box.
  9. Name the file Certificate and save it to your desktop.
  10. Back in the dialog box, verify the File name: of the certificate and click Next, then Finish. You should see a successful export dialog box appear.
  11. Send your exported certificate to Fortra Technical Support.

NOTE: The exported .CER file contains only the public certificate, not the private key, so it is safe to send. AD FS generates a new token-signing certificate automatically before the current one expires when automatic certificate rollover is enabled (the default), and the new certificate must be sent to Technical Support before it is promoted to primary, or SSO will stop working.

Add Relying Party Trust to AD FS Server

The following instructions describe how to add a relying party trust for Fortra VM to your AD FS server.

  1. Return to the Server Manager dashboard and select Tools > AD FS Management.
  2. In the left pane, navigate to AD FS > Authentication Policies.
  3. Under Primary Authentication, select Edit for Authentication Methods.
  4. In the Edit Global Authentication Policy dialog Primary tab, make sure Forms Authentication is checked for Extranet and Intranet.
  5. In the left pane, navigate to AD FS > Trust Relationships.
  6. Right-click Relying Party Trusts and select Add Relying Party Trust...
  7. In the Add Relying Party Trust Wizard, click Start.
  8. On the Select Data Source step, perform the following:

    1. Select Import data about the relying party published online or on a local network.
    2. Enter the following in the Federation metadata address (host name or URL): field:

      https://<your-company-name>.frontline.cloud/saml2/metadata

    3. Click Next through the rest of the steps.
    4. Click Close on the Finish step. A relying party trust for Fortra VM is added to your AD FS server.

Add Claim Rules to Relying Party Trust for Email Address Identifier

The following instructions describe how to add claim rules to the relying party trust you created to establish email address as the primary identifier.

NOTE: If you just finished creating the trust, you should see the Edit Claim Rules dialog box and can proceed to step 4 (Edit Claim Rules) of the following instructions.

  1. Return to the Server Manager dashboard and select Tools > AD FS Management.
  2. In the left pane, navigate to AD FS > Trust Relationships > Relying Party Trusts.
  3. Right-click the trust you created (https://<your-company-name>.frontline.cloud) and select Edit Claim Rules.
  4. In the Edit Claim Rules dialog, select Add Rule... to configure your first rule. The Add Transform Claim Rule Wizard appears.
  5. For the Choose Rule Type step, select Send LDAP Attributes as Claims as the template (should be the default choice) and click Next.
  6. For the Configure Claim Rule step, perform the following steps:

    • Type Email Address in the Claim rule name: field.
    • Choose Active Directory from the Attribute store: drop-down.
    • Choose E-Mail-Addresses from the LDAP Attribute drop-down.
    • Choose E-Mail Address from the Outgoing Claim Type drop-down.
    • NOTE: For the LDAP Attribute and Outgoing Claim Type drop-downs, click the down arrow three times to display the list of options.
    • Click Finish. Your first claim rule is created.
  7. Back in the Edit Claim Rules dialog, select Add Rule... to configure your second rule. The Add Transform Claim Rule Wizard appears.
  8. For the Choose Rule Type step, select Transform an Incoming Claim as the template and click Next.
  9. For the Configure Claim Rule step, perform the following steps:

    • Type NameID in the Claim rule name: field.
    • Choose E-Mail Address from the Incoming claim type: drop-down.
    • Choose Name ID from the Outgoing claim type: drop-down.
    • Choose Email from the Outgoing name ID format: drop-down.
    • Select Pass through all claim values.
    • Click Finish. Your second claim rule is created.

Once you have completed these steps, AD FS should be configured to allow authentication to your company’s assigned Fortra VM sub-domain using Windows credentials.

To verify that users can log in to Fortra VM with their Active Directory email address and password, go to https://<your-company-name>.frontline.cloud and sign in with your Windows credentials.
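The three procedures above (certificate export, authentication policy and relying party trust, claim rules) can also be scripted with the ADFS PowerShell module, which is useful for repeatable deployments and for checking what the console wizards actually produced. The script below is an added example written for this page, not code from Fortra's documentation or product. It assumes an elevated PowerShell session on the primary AD FS server (Windows Server 2012 R2 or later), and the tenant name `example-corp`, the trust display name `Fortra VM` and the output path are placeholders you must replace; the two claim rules are written in the AD FS claim rule language exactly as the Send LDAP Attributes as Claims and Transform an Incoming Claim wizards generate them.

```powershell
# Added example (not from the Fortra documentation): scripts the AD FS side of the
# Fortra VM SSO setup with the ADFS module. Run elevated on the primary AD FS server.
# ASSUMED placeholders: tenant name, trust display name and certificate output path.
Import-Module ADFS

$tenant      = 'example-corp'                                   # <your-company-name>
$metadataUrl = "https://$tenant.frontline.cloud/saml2/metadata"
$certOut     = Join-Path $env:USERPROFILE 'Desktop\Certificate.cer'

# --- 1. Export the PRIMARY token-signing certificate as Base-64 X.509 (public part only) ---
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$der     = $signing.Certificate.Export(
              [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem     = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($der, 'InsertLineBreaks') +
           "`r`n-----END CERTIFICATE-----"
Set-Content -Path $certOut -Value $pem -Encoding Ascii
# Keep the thumbprint and expiry: if AutoCertificateRollover is on, the certificate
# changes before this date and the new one must be sent to Technical Support as well.
"Exported {0} (thumbprint {1}, expires {2:u})" -f $certOut, $signing.Thumbprint,
                                                  $signing.Certificate.NotAfter

# --- 2. Make Forms Authentication a primary method for intranet and extranet ---
# Set-AdfsGlobalAuthenticationPolicy REPLACES the provider lists, so append, never overwrite.
$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)
$extranet = @($policy.PrimaryExtranetAuthenticationProvider)
if ($intranet -notcontains 'FormsAuthentication') { $intranet += 'FormsAuthentication' }
if ($extranet -notcontains 'FormsAuthentication') { $extranet += 'FormsAuthentication' }
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $intranet `
                                   -PrimaryExtranetAuthenticationProvider $extranet

# --- 3. The two claim rules from the procedure, in AD FS claim rule language ---
# Rule 1: "Send LDAP Attributes as Claims", AD attribute mail -> E-Mail Address claim.
# Rule 2: "Transform an Incoming Claim", E-Mail Address -> Name ID with the Email format.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: permit every authenticated user (the wizard default).
# Replace with a group-membership rule if only some users should reach Fortra VM.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# --- 4. Add the relying party trust from the published metadata with the rules attached ---
Add-AdfsRelyingPartyTrust -Name 'Fortra VM' `
    -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# --- 5. Verify: the identifier imported from metadata should be https://<tenant>.frontline.cloud
#        and both rule names should be present in the issuance transform rules ---
Get-AdfsRelyingPartyTrust -Name 'Fortra VM' |
    Select-Object Name, Identifier, MetadataUrl, Enabled,
        @{ n = 'RuleCount'; e = { ([regex]::Matches($_.IssuanceTransformRules, '@RuleName')).Count } }
```

The script exports only the primary token-signing certificate; if `Get-AdfsCertificate` also shows a secondary one (rollover in progress), export and send that one too. Enabling `-AutoUpdateEnabled` lets AD FS refresh Fortra's signing certificate and endpoints from the metadata URL on its own, which is the direction of trust that does not need a manual exchange; the reverse direction (your token-signing certificate to Fortra) still has to be handled through Technical Support as the procedure describes.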