Configuring Microsoft Active Directory Federation Services Integration with SAML

This guide shows you how to configure Active Directory Federation Services (ADFS) and Acunetix Premium+ for Single Sign-On.

ADFS is a software component developed by Microsoft that runs on Windows Server operating systems. It provides SSO to applications across organization boundaries through the secure sharing of digital identity and entitlement rights. ADFS can be configured to authenticate users stored in an LDAP directory (for more information, refer to the Microsoft documentation: Configure ADFS to authenticate users stored in LDAP directories).

NOTE: These instructions were prepared using Windows Server 2016. Nonetheless, other recent versions should also work.

Single Sign-On Fields

This table lists and explains the Single Sign-On fields.

Field                  Description
---------------------  ------------------------------------------------------------------------------
SAML 2.0 Service URL   This is the Consumer URL value (also called the SSO Endpoint or Recipient URL).
Identifier             This is the base URL of Acunetix.
SSO Provider           This is the drop-down used to choose your SSO provider.
SAML 2.0 Endpoint      This is the URL from your IdP's SSO Endpoint field.
IdP Identifier         This is the SAML identity provider's Identifier value.
X.509 Certificate      This is the X.509 certificate value.

How to configure Microsoft ADFS with SAML

There are two parts to this procedure:

  • Part 1: Add a Relying Party Trust
  • Part 2: Edit the Claim Issuance Policy

How to add a Relying Party Trust

  1. Open Microsoft Active Directory Federation Services Management.
  2. From the ADFS node, select Relying Party Trusts.
  3. In the Actions panel, select Add Relying Party Trust.
  4. In the Welcome step, click Start.
  5. Select Enter data about the relying party manually, and click Next.
  6. In the Display Name field, enter a display name, then click Next. The Configure Certificate step is displayed.
  7. Accept the defaults by selecting Next. The Configure URL step is displayed.
  8. Select Enable support for the SAML 2.0 WebSSO protocol.
  9. Log in to Acunetix and from the menu, select Settings > Users & Access > SSO.
  10. Turn on the Enable SSO toggle.
  11. Select ADFS from the SSO Provider drop-down list.
  12. Copy the URL from the SAML 2.0 Service URL field. Then, in the Microsoft ADFS Wizard, paste the URL into the Relying party SAML 2.0 SSO service URL field.
  13. In the Microsoft ADFS Wizard, select Next. The Configure Identifiers step is displayed.
  14. Copy the URL from the Identifier field in Acunetix. Then, in the Microsoft ADFS Wizard, paste the URL into the Relying party trust identifier field.
  15. Select Add, then Next. The Choose Access Control Policy step is displayed.
  16. Select Permit everyone, then click Next. The Ready to Add Trust step is displayed.
  17. Review your settings, and select Next. The Finish step is displayed.
  18. Click Close.

How to edit the Claim Issuance Policy

  1. Open Microsoft Active Directory Federation Services Management.
  2. From the ADFS node, select Relying Party Trusts. The Relying Party Trust you have just created is listed in the central panel.
  3. Right-click the relying party trust and choose Edit Claim Issuance Policy. The Edit Claim Issuance Policy dialog box is displayed.
  4. Select Add Rule. The Add Transform Claim Rule wizard is displayed.
  5. From the Claim rule template drop-down, select Send LDAP Attributes as Claims.
  6. Select Next.
  7. In the Claim rule name field, enter a name.
  8. From the Attribute store drop-down, select Active Directory.
  9. In the Mapping of LDAP attributes to outgoing claim types section, select the following attributes from the drop-down lists.

LDAP Attribute     Outgoing Claim Type
-----------------  -------------------
E-Mail-Addresses   E-Mail Address
Given-Name         Given Name
Surname            Surname

  10. Click OK.
  11. Select Add Rule.
  12. Select Transform an Incoming Claim as the claim rule template to use. Configure the Transform an Incoming Claim rule as shown in the following image:
  13. Click OK.
  14. Download the ADFS SAML metadata from https://<server-address>/FederationMetadata/2007-06/FederationMetadata.xml
  15. Open the downloaded ADFS SAML metadata file, and copy the URL in the entityID attribute of the EntityDescriptor node.
  16. Log in to Acunetix. From the menu, select Settings > Users & Access > SSO.
  17. Turn on the Enable SSO toggle.
  18. Select ADFS from the SSO Provider drop-down list.
  19. Paste the entityID URL you copied in step 15 into the IdP Identifier field.
  20. Copy the URL from the Location attribute of the SingleSignOnService node in the ADFS SAML metadata file.
  21. Paste the URL into the SAML 2.0 Endpoint field in Acunetix.
  22. Copy the content of the X509Certificate node (signing) in the ADFS SAML metadata file.
  23. Paste it into the X.509 Certificate field in Acunetix.
  24. In Acunetix, if you select Require encrypted assertions, do one of the following:
      • Select Generate a new certificate for me; OR
      • Select I have an existing certificate, then upload your certificate and enter the certificate password.
  25. From the Acunetix SSO Exemptions drop-down, you can select specific users to exempt them from SSO. The selected users can then log in to Acunetix with a password.
  26. Select Save.

Acunetix informs you that the SSO configuration is saved.
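The three values the procedure has you copy out of FederationMetadata.xml by hand (the entityID of the EntityDescriptor node, the Location of the SingleSignOnService node, and the signing X509Certificate) can be extracted programmatically, which avoids the two mistakes that most often break this setup: pasting the encryption certificate instead of the signing one, and pasting the metadata URL instead of the entityID. The Python script below is an added example and is not part of the Acunetix or Microsoft documentation. It runs against a constructed, heavily trimmed metadata sample: the host name is a placeholder, and the certificate bodies are five-byte DER stubs rather than real certificates. It assumes the Acunetix SAML 2.0 Endpoint should be the HTTP-POST SingleSignOnService location (ADFS publishes the same /adfs/ls/ URL for both bindings, so the choice rarely matters) and it ignores any KeyDescriptor marked use="encryption".

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in ADFS FederationMetadata.xml: SAML 2.0 metadata and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample, not real ADFS output: only the nodes the procedure reads are
# present, the host name is a placeholder, and the certificate bodies are tiny
# DER stubs ("MAMCAQE=" decodes to a 5-byte SEQUENCE), not real certificates.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MAMCAQI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MAMCAQE=
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _certificate_base64(key_descriptor):
    """Return the X509Certificate text of a KeyDescriptor with all whitespace removed."""
    node = key_descriptor.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        return None
    # ADFS writes the base64 on one line; other IdPs wrap it, so normalise both.
    return "".join(node.text.split())


def _check_der(cert_b64):
    """Fail early if the value destined for the X.509 field is not base64-encoded DER."""
    der = base64.b64decode(cert_b64, validate=True)  # binascii.Error is a ValueError
    if not der or der[0] != 0x30:  # an X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("X509Certificate content is not a DER SEQUENCE")
    return der


def parse_federation_metadata(xml_text):
    """Extract the three values the Acunetix SSO form needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")  # an identifier string, not necessarily a live URL
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file does not describe an IdP")

    # ADFS publishes the same /adfs/ls/ URL for both bindings; prefer HTTP-POST.
    locations = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    endpoint = locations.get(HTTP_POST) or locations.get(HTTP_REDIRECT)
    if not endpoint:
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService")

    # Only the signing key verifies assertions. A KeyDescriptor without a "use"
    # attribute may serve both purposes, so accept it; skip the encryption key.
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = _certificate_base64(kd)
            if cert:
                signing.append(cert)
    if not signing:
        raise ValueError("no signing KeyDescriptor with an X509Certificate")
    _check_der(signing[0])

    return {
        "idp_identifier": entity_id,     # Acunetix "IdP Identifier"
        "saml_endpoint": endpoint,       # Acunetix "SAML 2.0 Endpoint"
        "x509_certificate": signing[0],  # Acunetix "X.509 Certificate"
    }


if __name__ == "__main__":
    # Replace SAMPLE_METADATA with the contents of
    # https://<server-address>/FederationMetadata/2007-06/FederationMetadata.xml
    for field, value in parse_federation_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

The script does not verify the ds:Signature that ADFS places on the metadata document, so fetch the file over HTTPS from your own ADFS server at the URL given in the procedure rather than accepting a copy from elsewhere, and compare the extracted certificate against the ADFS token-signing certificate shown in the ADFS Management console before saving the Acunetix configuration.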
