...

  1. Click the add button on the left and select ADFS.

  2. Enter the ADFS metadata URL or upload the XML file as supplied by your IT team.

    1. The metadata URL is typically something like https://YOURDOMAIN/FederationMetadata/2007-06/FederationMetadata.xml and would need to be accessible outside of your network.

  3. Set the user identifier field to match the claim you will be sending as the user identifier. This can be changed later, but needs to have a value to save the page.

  4. Set the display name to match the claim you want to use - if you are only sending one claim, you can set this the same as the user identifier. Again, this can be changed later, but needs to have a value to save the page.

  5. Do not set it as default at this time.

  6. Save changes.

  7. Go to the relying party tab and make a note of the metadata address displayed there. You will need this when you add OpenAthens to ADFS.
The detail fields displayed are

...

  • Permission set rules so that your users are assigned an appropriate set of resources
  • Attribute mappings so that OpenAthens can make use of data available from your LDAP directory
    • OpenAthens will cache these attributes when the user signs in, so changes in Active Directory won't be picked up until the next time the user starts an OpenAthens session.

When you're ready to go live, check both the live and visible boxes and then save. Your new connection should be testable a few seconds later.

...

Certificates - allows you to add a second certificate. Used when you need to change a server certificate on AD and want to minimise downtime for your users.

Advanced - Allows you to make several changes that are rarely necessary:

  • switch between SAML versions, should you have a source that can only handle the older SAML 1 profile
  • switch the profile from Redirect to Post if your source insists on it
  • enable signing of authentication requests (SHA-1 or SHA-256) if your source requires it
  • enable the SAML forceAuthn option (forces your local source to re-authenticate any time the user is sent there - e.g. where users can have multiple affiliations within a consortium and your SAML source's session management makes it difficult for them to change).

Anything to watch out for?

When you use the refresh metadata button it will update everything in the connection with values from the metadata, including endpoints, names and certificates. This will also undo any manual changes you have made on the advanced tab. The metadata URL can be removed to guard against this if you choose. It won't change the name or any options on the other tabs.
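As an added example (not OpenAthens code or documentation), the Python script below reads the kind of values a metadata refresh pulls in from an ADFS FederationMetadata.xml: the entityID, the SAML protocol versions advertised, the SSO endpoint for each binding (Redirect or POST) and the signing certificates, and it flags any endpoint not served over https. The metadata is a constructed sample with placeholder hostnames and certificate text; real ADFS metadata also carries WS-Federation elements, which this script ignores.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an ADFS FederationMetadata.xml; the entityID,
# hostnames and certificate value are placeholders, not real data.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def summarise_idp_metadata(xml_text):
    """Return what a metadata refresh would pull in: entityID, supported SAML
    protocols, SSO endpoints keyed by binding, signing certs, and any endpoint
    that is not served over https."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    endpoints = {}
    for sso in idp.findall(MD + "SingleSignOnService"):
        binding = sso.get("Binding", "").rsplit(":", 1)[-1]  # e.g. "HTTP-Redirect"
        endpoints[binding] = sso.get("Location")
    # A KeyDescriptor with no "use" attribute serves both signing and encryption.
    certs = [c.text.strip()
             for kd in idp.findall(MD + "KeyDescriptor")
             if kd.get("use", "signing") == "signing"
             for c in kd.iter(DS + "X509Certificate")]
    return {
        "entity_id": root.get("entityID"),
        "protocols": idp.get("protocolSupportEnumeration", "").split(),
        "sso_endpoints": endpoints,
        "signing_certs": certs,
        "non_https_endpoints": [u for u in endpoints.values() if not u.startswith("https://")],
    }
```

Run `summarise_idp_metadata(SAMPLE_METADATA)` (or pass the text of a downloaded metadata file) to see exactly which endpoints and certificates a refresh would overwrite before you press the button.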

If for any reason you have locked your ADFS system down to use TLS versions earlier than 1.2, we're going to reject the connections and it won't work.

...