Active Directory Federation Services (AD FS)

You can configure Fortra VM for single sign-on (SSO) using Active Directory Federation Services (AD FS) by doing the following:

  1. Export your AD FS server token-signing certificate and send it to Fortra Technical Support.
  2. Add a relying party trust for Fortra VM to your AD FS server.
  3. Add claim rules to the relying party trust to establish email address as the primary identifier.

Export AD FS Server Token-Signing Certificate

To export your token-signing certificate from your AD FS server to give to Fortra Technical Support, do the following:

  1. Open the Server Manager on your Windows server.
    1. Open Control Panel.
    2. Select System and Security > Administrative Tools.
    3. Double-click Server Manager.
  2. On the Server Manager dashboard, select Tools > AD FS Management.

  3. In the left pane, select AD FS > Service > Certificates.

  4. Right-click Token signing, and then select View Certificate.

  5. In the Certificate dialog, select the Details tab, and then select Copy to File.

  6. In the Welcome to the Certificate Export Wizard window, select Next.

  7. For Export File Format, select Base-64 encoded X509 (.CER).

  8. Select Next.

  9. For File to Export, select Browse.

  10. On the Save As dialog, name the file Certificate and then save it to your desktop.

  11. Back on the Save As dialog, verify the File name of the certificate, select Next, and then Finish. A dialog will appear, verifying the export was successful.

  12. Send your exported certificate to Fortra Technical Support.
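The same export done from the ADFS PowerShell module, as an added example that is not part of the Fortra documentation. It assumes an elevated session on the AD FS server and writes the file to the desktop as the wizard steps do; the file name Certificate.cer is an assumption.

```powershell
# Added example: export the primary AD FS token-signing certificate as a
# Base-64 encoded .CER (PEM), the format the Certificate Export Wizard produces.
Import-Module ADFS

$outFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Certificate.cer'   # assumed output path

# Only the primary token-signing certificate signs tokens today; a secondary
# one, if present, is staged for rollover and is not what Fortra VM validates against.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $signing) { throw 'No primary token-signing certificate found.' }
$cert = $signing.Certificate   # X509Certificate2

# Public certificate only (no private key): DER bytes wrapped in PEM armor, 64 chars per line.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
$pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Record what was sent so it can be matched against what Fortra Technical Support installs.
[pscustomobject]@{
    File         = $outFile
    Subject      = $cert.Subject
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    AutoRollover = (Get-AdfsProperties).AutoCertificateRollover
}
```

If AutoCertificateRollover is True, AD FS will generate and promote a new token-signing certificate before the current one expires, and Fortra VM will reject tokens signed with it until the new certificate has also been sent to Fortra Technical Support.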

Add Relying Party Trust to AD FS Server

To add a relying party trust for Fortra VM to your AD FS server, do the following:

  1. Return to the Server Manager dashboard, and then select Tools > AD FS Management.
  2. In the left pane, select AD FS > Authentication Policies.

  3. Under Primary Authentication, select Edit for Authentication Methods.

  4. Under the Edit Global Authentication Policy dialog's Primary tab, select the Forms Authentication checkbox for Extranet and Intranet.

  5. In the left pane, select AD FS > Trust Relationships.

  6. Right-click Relying Party Trusts, and then select Add Relying Party Trust.

  7. In the Add Relying Party Trust Wizard, select Start.

  8. On the Select Data Source step, do the following:
    1. Select Import data about the relying party published online or on a local network.
    2. Enter the following in the Federation metadata address (host name or URL): box:

      https://<your-company-name>.frontline.cloud/saml2/metadata

    3. Select Next through the rest of the steps.
    4. Select Close on the Finish step. A relying party trust for Fortra VM is added to your AD FS server.

Add Claim Rules to Relying Party Trust for Email Address Identifier

The following instructions describe how to add claim rules to the relying party trust you created to establish email address as the primary identifier.

NOTE: If you just finished creating the trust, you should see the Edit Claim Rules dialog box and can proceed to step 4 (Edit Claim Rules) of the following instructions.
  1. Return to the Server Manager dashboard, and then select Tools > AD FS Management.
  2. In the left pane, select AD FS > Trust Relationships > Relying Party Trusts.
  3. Right-click the trust you created (https://<your-company-name>.frontline.cloud), and then select Edit Claim Rules.

  4. In the Edit Claim Rules dialog, select Add Rule to configure your first rule. The Add Transform Claim Rule Wizard opens.

  5. For the Choose Rule Type step, select Send LDAP Attributes as Claims as the template (should be the default choice).

  6. Select Next.

  7. For the Configure Claim Rule step, do the following:

    1. In the Claim rule name box, enter Email Address.
    2. From the Attribute store list, select Active Directory.
    3. From the LDAP Attribute list, select E-Mail-Addresses.

    4. From the Outgoing Claim Type list, select E-Mail Address.

      NOTE: For the LDAP Attribute and Outgoing Claim Type lists, select the down arrow icon three times to display the list of options.
    5. Click Finish. Your first claim rule is created.

  8. Back on the Edit Claim Rules dialog, select Add Rule to configure your second rule. The Add Transform Claim Rule Wizard opens.

  9. For the Choose Rule Type step, select Transform an Incoming Claim as the template.

  10. Select Next.

  11. For the Configure Claim Rule step, do the following:

    1. In the Claim rule name box, enter NameID.
    2. From the Incoming claim type list, select E-Mail Address.
    3. From the Outgoing claim type list, select Name ID.
    4. From the Outgoing name ID format list, select Email.
    5. Select Pass through all claim values.
    6. Select Finish to create your second claim rule.
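The relying party trust procedure and the two claim rules above, done with the ADFS PowerShell module instead of the wizard, as an added example that is not part of the Fortra documentation. It assumes an AD FS 2012 R2 server (the Authentication Policies and Trust Relationships nodes used above); the display name Fortra VM is an assumption, and the claim rule text is what the two wizard templates generate for the selections described.

```powershell
# Added example: Forms Authentication, relying party trust from metadata, and the
# Email Address / NameID claim rules, scripted for AD FS 2012 R2.
Import-Module ADFS

$metadataUrl = 'https://<your-company-name>.frontline.cloud/saml2/metadata'
$trustName   = 'Fortra VM'   # assumed display name

# Enable Forms Authentication for intranet and extranet without dropping providers already enabled.
$policy = Get-AdfsGlobalAuthenticationPolicy
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider (@($policy.PrimaryIntranetAuthenticationProvider) + 'FormsAuthentication' | Select-Object -Unique) `
    -PrimaryExtranetAuthenticationProvider (@($policy.PrimaryExtranetAuthenticationProvider) + 'FormsAuthentication' | Select-Object -Unique)

# Rule 1 ("Send LDAP Attributes as Claims"): query the AD "mail" attribute (E-Mail-Addresses)
# for the authenticated Windows account and issue it as an E-Mail Address claim.
# Rule 2 ("Transform an Incoming Claim"): re-issue that value as a Name ID in email format,
# the identifier Fortra VM matches against the user's email address.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# The wizard's default "Permit all users" authorization rule; AD FS 2016+ uses -AccessControlPolicyName instead.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $trustName)) {
    # Imports the SP identifier, assertion consumer endpoint and signing certificate from the metadata document.
    Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl -MonitoringEnabled $true `
        -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $transformRules
} else {
    Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $transformRules
}

# Verify the trust and confirm both rule names are attached before testing a login.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$trust | Format-List Name, Identifier, Enabled, MetadataUrl
$trust.IssuanceTransformRules -split "`n" | Where-Object { $_ -like '@RuleName*' }
```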

Once you have completed these steps, AD FS should be configured to allow authentication to your company’s assigned Fortra VM sub-domain using Windows credentials.

To verify users can log in to Fortra VM with their AD email address and password, go to <your-company-name>.frontline.cloud and try your Windows credentials.