Configuring Microsoft ADFS for SAML 2.0 federation


NOTE: This guide is deprecated and kept for review only. We no longer set up new SAML-based federations. Please refer to the Configuring OIDC with other Identity Providers instructions instead.

Introduction

This guide provides step-by-step instructions for configuring a basic identity federation between Microsoft Active Directory Federation Services (AD FS) and Bentley's Identity Management System (IMS).

The document is intended for server and Active Directory administrators who are already familiar with AD FS.

Prerequisites

Setup

Part 1 - Register IMS as a Relying Party (RP) in ADFS

  1. Open ADFS Management and navigate to Trust Relationships > Relying Party Trusts.
  2. Click Add Relying Party Trust.
  3. This will be a claims-aware relying party; click Start.
  4. In the Select Data Source screen, select the last option, “Enter data about the relying party manually”. Hit Next.
  5. For the Display Name, supply “Bentley IMS”. Hit Next.
  6. On the Configure Certificate screen, hit Next.
  7. On the next screen, select “Enable support for the SAML 2.0 WebSSO protocol” and supply the URL: https://ims.bentley.com/sp/ACS.saml2
  8. On the next screen, supply the following URL for the Relying party trust identifier and hit Add: https://ims.bentley.com/
  9. On the next screen, you’ll be asked about MFA or restricting access to a certain group. Bentley recommends allowing everyone to use our app; the “Permit Everyone” option is selected by default. Hit Next.
  10. On the "Ready to Add Trust" page, click Next. Then close the pop-up that follows.

Part 2 - Setup Claims Issuance

If the Edit Claim Rules wizard does not open automatically, access it from the AD FS Management application under AD FS > Trust Relationships > Relying Party Trusts. Click Edit Claim Rules... on the right-hand side.

  1. On the Edit Claim Rules page, click Add Rule.
  2. Select the claim rule template Send LDAP Attributes as Claims from the dropdown and click Next.
  3. Select the attribute store Active Directory. Select the LDAP attributes and outgoing claims below, based on your chosen identifier. The identifier is the value we pull out of the security token to find a user in our directory. If you'd like to use the e-mail address, then provide only the e-mail claim. If you'd like to use the UPN, then provide only the UPN claim, as shown in the two separate screenshots below.

E-Mail:

UPN:

Notes:

  1. A user must have a valid country code in your directory in order to federate. We use this information to determine proper entitlements, billing, taxes, and more.
  2. The Country attribute is typically stored in the LDAP database under an attribute named “c”; however, in your tenant it may be stored elsewhere, so verify where the country information is kept for your tenant. If "c" is not in the drop-down list, and that is where your country information is stored, you must manually type “c” into the blank attribute box. Regardless of where it is stored in LDAP, the outgoing claim must be called “Country”.
  3. If you use “c” as the country attribute, you will also need to define the correct schema for the “c” attribute in the Claim Descriptions, as seen below, or the federation may fail:

Claim type schema for the Country claim:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country
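As an added example (not part of the original guide or Bentley's own tooling), the same Part 1 and Part 2 configuration expressed with the AD FS PowerShell module, which makes it easy to review exactly which claims leave the tenant. It uses the ACS URL, identifier, display name and Country claim type given above; the standard e-mail and UPN claim types, the "mail"/"userPrincipalName" LDAP attribute names and the rule name are the author's assumptions, and it must be run in an elevated session on the AD FS server.

```powershell
# Added example: PowerShell equivalent of the wizard steps above (not from the original guide).
Import-Module ADFS

# Claim types. E-mail and UPN are the standard WS-Federation types; Country is the schema from the guide.
$EmailType   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$UpnType     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$CountryType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"

# Pick ONE identifier, matching what you agreed with Bentley (assumed LDAP attribute names).
$LdapIdAttribute = "mail"          # or "userPrincipalName"
$IdType = if ($LdapIdAttribute -eq "mail") { $EmailType } else { $UpnType }

# Note 3: register the Country claim description so AD FS knows the schema for the "c" attribute.
if (-not (Get-AdfsClaimDescription | Where-Object { $_.ClaimType -eq $CountryType })) {
    Add-AdfsClaimDescription -Name "Country" -ClaimType $CountryType -IsAccepted $true -IsOffered $true
}

# Part 2: a single LDAP claim rule that issues only the chosen identifier plus Country.
# Change ";<id>,c;" if your tenant stores the country somewhere other than the "c" attribute.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Bentley IMS identifier and country"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$IdType", "$CountryType"), query = ";$LdapIdAttribute,c;{0}", param = c.Value);
"@

# Step 9: the "Permit Everyone" issuance authorization rule.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Part 1: SAML 2.0 WebSSO Assertion Consumer Service endpoint and relying party identifier from the guide.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri "https://ims.bentley.com/sp/ACS.saml2"

Add-AdfsRelyingPartyTrust -Name "Bentley IMS" `
    -Identifier "https://ims.bentley.com/" `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Review: the trust should list only the HTTPS ACS endpoint and the two intended claims.
Get-AdfsRelyingPartyTrust -Name "Bentley IMS" |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

Before enabling the trust in production, compare the issued claims against the rule text, since any extra attribute added to the query string is sent to the relying party for every user.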

This completes the ADFS server configuration portion for Single Sign On with Bentley IMS using the SAML 2.0 Protocol.

Part 3 - Provide your Organization's Federation Metadata URL to Bentley

Your organization's Federation Metadata URL is available in the AD FS Management Console.

Browse to Service > Endpoints > Metadata > Type:Federation Metadata to find your federation metadata URL.