
AVEVA™ Asset Information Management

ADFS Configuration for EIA

  • Last Updated: Jul 23, 2024

Before configuring the AIM EIA to use ADFS, you must first add a Relying Party Trust relationship for your application to the ADFS instance. For more information, see https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dd807108(v=ws.11)?redirectedfrom=MSDN

The AIM EIA requires the Name claim to identify the user to AIM. To use the Windows account name where Windows authentication is used, you must have a custom claim rule. The following link provides further details on how to create a custom claim rule: https://technet.microsoft.com/en-gb/library/ee913567.aspx

You must first change the service declaration to include an endpoint for users wanting to federate the client identity.

After that, you must configure the client to use that endpoint.

Server

To change the service declaration to include an endpoint for users wanting to federate the client identity:

  1. Define the ws2007FederationHttpBinding in system.serviceModel/bindings.

    Example:

    <ws2007FederationHttpBinding>
      <binding transactionFlow="true" maxReceivedMessageSize="1048576" receiveTimeout="00:10:00">
        <readerQuotas maxStringContentLength="1048576" maxArrayLength="65532"/>
        <security mode="Message">
          <message>
            <issuerMetadata address="{IssuerMetadataUrl}" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>

    Tokens:

    IssuerMetadataUrl – The metadata URL for the ADFS server is usually https://adfsserver.<domain>/FederationMetadata/2007-06/FederationMetadata.xml, where the host address of the ADFS server is https://adfsserver.<domain>/.

  2. Allocate a protocol to the ws2007FederationHttpBinding in system.serviceModel/protocolMapping.

    Example:

    <add scheme="http" binding="ws2007FederationHttpBinding" />

  3. Allocate an endpoint and URL for each service that uses the ws2007FederationHttpBinding.

    Example:

    <endpoint address="sessionServiceFed" contract="AVEVA.NET.Services.OPE.Session.ISessionManager" binding="ws2007FederationHttpBinding" behaviorConfiguration="LargeDataSetBehavior" />

  4. In system.serviceModel/behaviors, configure each EIA service to use a service behaviour that enables the identity configuration.

    Example:

    <serviceBehaviors>
      <behavior>
        <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials useIdentityConfiguration="true">
          {ServiceCertificate}
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>

    Tokens:

    ServiceCertificate – This certificate is required to configure the service. For example:

    <serviceCertificate findValue="THUMBPRINT" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />

  5. Configure the identity model.

    Example:

    <system.identityModel>
      <identityConfiguration>
        <audienceUris>
          {AudienceUris}
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
          <trustedIssuers>
            {TrustedIssuer}
          </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="None" />
        <claimsAuthenticationManager type="AVEVA.NET.Claims.AuthenticatonManager, AVEVA.NET.Claims" />
      </identityConfiguration>
    </system.identityModel>

    Tokens:

    AudienceUris – One entry for the URL of each WCF service that uses the identity provider. For example:

    <add value="http://localhost:7012/sessionServiceFed" />
    <add value="http://localhost:7013/importServiceFed" />
    <add value="http://localhost:7014/searchServiceFed" />
    <add value="http://localhost:7015/directoryServiceFed" />
    <add value="http://localhost:7016/changeServiceFed" />
    <add value="http://localhost:7017/ClassLibServiceFed" />

    TrustedIssuer – The thumbprint of the ADFS server's token-signing certificate.

    Note: certificateValidationMode="None" disables certificate validation; you may need to turn it on in a live environment.
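    The TrustedIssuer value comes from the FederationMetadata.xml that IssuerMetadataUrl points to: the token-signing certificate(s) it publishes and the issuer's entityID. The following added example (not part of the AVEVA documentation) parses a constructed metadata sample and renders the `<add thumbprint= name= />` children for trustedIssuers; the host name, entityID and certificate values are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample standing in for FederationMetadata.xml; the certificate values are placeholder blobs, not real certificates.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfsserver.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBsampleSIGNINGcertPLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBsampleENCRYPTIONplaceholder0</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def signing_thumbprints(metadata_xml: str) -> list[str]:
    """SHA-1 thumbprints of the signing certificates only (ADFS may list two during rollover)."""
    root = ET.fromstring(metadata_xml)
    thumbprints = []
    for kd in root.findall(".//md:KeyDescriptor[@use='signing']", NS):  # skips use="encryption"
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # metadata may wrap the base64
            tp = hashlib.sha1(der).hexdigest().upper()  # a certificate thumbprint is SHA-1 over the DER bytes
            if tp not in thumbprints:
                thumbprints.append(tp)
    return thumbprints

def issuer_name(metadata_xml: str) -> str:
    """The entityID is the issuer name ADFS places in the tokens it signs."""
    return ET.fromstring(metadata_xml).attrib["entityID"]

def trusted_issuer_elements(metadata_xml: str) -> str:
    """Render the <add/> children for <trustedIssuers>, one per signing certificate."""
    name = issuer_name(metadata_xml)
    return "\n".join(f'<add thumbprint="{tp}" name="{name}" />'
                     for tp in signing_thumbprints(metadata_xml))
```

Run it against metadata fetched over HTTPS from the real IssuerMetadataUrl and compare the rendered thumbprint with the token-signing certificate shown in the AD FS management console before pasting it into trustedIssuers.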

Client

The service is now configured to expose an endpoint bound to the ws2007FederationHttpBinding.

To change the client to use that endpoint:

  1. Configure a ws2007FederationHttpBinding that uses a ws2007HttpBinding for the identity issuer in system.serviceModel/bindings.

    Tokens:

    • IssuerUrl – The URL for the ADFS server is usually https://adfsserver.<domain>/adfs/ls, where the host address of the ADFS server is https://adfsserver.<domain>/.

    • IssuerMetadataUrl – The metadata URL for the ADFS server is usually https://adfsserver.<domain>/FederationMetadata/2007-06/FederationMetadata.xml, where the host address of the ADFS server is https://adfsserver.<domain>.

  2. Change the endpoint for each service to use the ws2007FederationHttpBinding and a certificate reference for the identity.

    Example:

    <endpoint address="http://localhost:7012/sessionServiceFed" binding="ws2007FederationHttpBinding" contract="OPESessionManager.ISessionManager" name="sessionLAN">
      <identity>
        {CertificateReference}
      </identity>
    </endpoint>

    Tokens:

    CertificateReference – This is the reference to a certificate that can be used to identify the client to the server. For example:

    <certificateReference findValue="THUMBPRINT" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />

  3. If you want to disable certificate validation, add the following endpoint behaviour for all endpoints at system.serviceModel/behaviors. (You may not want this in production.)

    Example:

    <endpointBehaviors>
      <behavior>
        <clientCredentials>
          <serviceCertificate>
            <authentication certificateValidationMode="None"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
