Skip to main content
All CollectionsKnowledge BaseEndpoint and SaaS AppsHow To - Endpoint and SaaS Apps
How to install and configure ADFS 3.0 with inSync Cloud
How to install and configure ADFS 3.0 with inSync Cloud
Updated over 8 months ago

Overview

This topic provides information on how to install and configure ADFS 3.0 with inSync Cloud.

Before you begin

  • Register your Windows Server 2012 server as a member server of existing domain.

  • Log on to server as Domain Administrator.

Procedure

To install ADFS 3.0

  1. Start Server Manager.

  2. On the Menu bar, click Manage > Add Roles and Features.
    Add Roles and Features wizard is launched.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

  5. On the Select destination server page, click Select a server from the server pool, and then click Next.

  6. On the Select server roles page, select Active Directory Federation Services, and then click Next.

    ADFS_3.0_01.png
  7. On the Select features page, click Next.

  8. On the Active Directory Federation Services (AD FS) page, click Next.

    ADFS_3.0_02.png
  9. On the Confirm installation settings page, verify the information, and click Install.

    ADFS_3.0_03.png
  10. On the Installation progress page, you can view the installation progress. Verify the installed component, and click Close.

Configure the federation server

To configure the federation server

  1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard is launched.

    ADFS_3.0_04.png
  2. On the Welcome page, select Create the first federation server in a federation server farm, and click Next.

    ADFS_3.0_05.png
  3. On the Connect to Active Directory Domain Services page, specify an account with domain administrator rights for the Active Directory domain that this computer is joined to, and then click Next.

    ADFS_3.0_06.png
  4. On the Specify Service Properties page, enter the following details, and click Next

    • Browse to the location of your SSL certificate and import it.

    • Type a Federation Service Name. This value is the same value that you provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).

    • Type a Federation Service Display Name.

    ADFS_3.0_07.png
  5. On the Specify Service Account page, select Use an existing domain user account, and click Next.

  6. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.

    ADFS_3.0_08.png
  7. On the Review Options page, verify your configuration selections, and then click Next.

    ADFS_3.0_09.png
  8. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.

  9. On the Results page, review the results, check whether the configuration has completed successfully.

Configure ADFS to integrate with inSync Cloud

After you have installed ADFS 3.0, perform the following actions:

  1. Create trust between inSync Cloud and ADFS by configuring ADFS with a relying party rule, which is inSync Cloud.

  2. Configure inSync Cloud to trust ADFS 3.0. The trust allows ADFS 3.0 to send claims to inSync Cloud.

Create a relying party

After you have set up the Federation Server, the next step is to create a relying party.

To create a relying party

  1. On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 window appears.

  2. Expand the Trust Relationships node.

  3. In the right pane, click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.

    ADFS_3.0_11.png
  4. Click Start. The Select Data Source page appears.

  5. Click Enter data about the relying party manually, and then click Next. The Specify Display Name page appears.

    ADFS_3.0_12.png
  6. Provide the appropriate information for each field, and click Next.

    • Display Name:

      Type a display name for the relying party.

      For example, Druva inSync.

    • Notes:Type a description for the relying party.

    ADFS_3.0_13.png


    The Choose Profile page appears.

  7. Select AD FSprofile and click Next. The Configure Certificate page appears.

    ADFS_3.0_14.png
  8. (Optional) If you want to encrypt the SAML token, browse and select the certificate, and then click Next. However, ADFS establishes a secure SSL connection to Druva inSync, which ensures the token is encrypted. Click Next.

    ADFS_3.0_15.png
  9. The Configure URL page appears.

    • Select the Enable support for the SAML 2.0 WebSSO 2.0 protocol check box.

    • In the Relying party SAML 2.0 SSO service URL box, provide the following URL

      https://cloud.druva.com/wrsaml/consume

      inSyng GovCloud users can provide: https://govcloud.druva.com/wrsaml/consume

    • Click Next. The Configure Identifiers page appears.

    ADFS_3.0_16.png
  10. In the Relying party trust identifier box, type druva-cloud.
    The web application passes this realm to the ADFS when users log into the web restore URL.


    📝 Note
    If you are using inSync Gov Cloud as the relying party, type druva-govcloud.


    ADFS_3.0_17.png
  11. Click Next. The Configure Multifactor AuthenticationNow? page appears. Select I do not want to configure MFA settings for this relying party trust at this time and click Next.


    📝 Note
    If you want to configure Multifactor Authentication, you can do it at a later stage.


    ADFS_3.0_18.png
  12. Click Next. The Choose Issuance Authorization Rules page appears.

  13. Click Permit all users to access this relying party and then click Next. The Ready to Add Trust page appears.

    ADFS_3.0_19.png
  14. Review and if required update the settings that you have configured, and then click Next. The Finish page appears.

    ADFS_3.0_20.png
  15. Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box is by default selected.

  16. Click Close.

Create a new claim

To create a new claim

  1. On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.

  2. In the Claim rule template list, select Send LDAP Attributes as Claims, and then click Next. The Edit Rule – LDAP EMAIL window appears.

    ADFS_3.0_21.png
  3. Provide the appropriate information for each field.

    • Claim rule name:Type a name for the claim rule.

    • Attribute store:In the list, select Active Directory

    • MAPPING OF LDAP ATTRIBUTES TO OUTGOING CLAIM TYPES

    • LDAP Attribute:Map it to Outgoing claim type.

    • E-mail Addresses:Map it to Name ID.

    • E-mail Addresses:Map it to E-mail Address.

    • User-Principal-Name:Map it to Name.

    ADFS_3.0_22.png
  4. Click Finish.

Create a custom rule

To create a custom rule

  1. On the Edit Claim Rules window, under Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.

  2. In the Claim rule template list, select Send Claims Using a Custom Rule, and then click Next. The Edit Rule – LDAP EMAIL window appears.

    ADFS_3.0_23.png
  3. Provide the appropriate information for each field.

    • Claim rule name:Type a name for the custom rule.

    • Custom rule:

      Type,

      => issue(Type = "insync_auth_token", Value = "value of SSO Token generated from inSync Console");

    ADFS_3.0_24.png
  4. Click OK.

On the Edit Claim Rules window, under Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears. To create a new claim

Configure Single sign-on


❗ Important

Only a Druva Cloud administrator can set up Single Sign-on.


Configure Single Sign-on based on the applicable scenarios:

  • New inSync customers (on-boarded after July 14th, 2018), must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.

  • Existing inSync customers who have not configured Single Sign-on until July 14th, 2018, must configure Single Sign-on using the Druva Cloud Platform Console. For more information, see Set up Single sign-on.

  • Existing Phoenix customers with Single Sign-on enabled and have purchased inSync license, must replicate the Phoenix Single Sign-on settings to inSync.

Before you begin

Before you configure the single sign-on settings with inSync Cloud, ensure that you have an ID provider certificate. If you do not have an ID provider certificate, follow these steps:

  1. On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 Management window appears.

  2. Expand to the Service folder.

  3. Click Certificates. The Certificates view appears in the right pane.

    ADFS_3.0_25.png
  4. Under the Token-signing area, right-click the certificate. A list with additional options appears.

  5. In the list, click View Certificate. The Certificate window appears.

  6. Click the Details tab and then click Copy to file. The Certificate Export Wizard appears.

    ADFS_3.0_26.png
  7. On the Certificate Export Wizard, click Next. The Export File Format page appears.

  8. Select DER encoded binary X.509 (.CER), and then click Next.

    ADFS_3.0_27.png
  9. On the File to Export page, type the file name as Cert.cer,and then click Next.

  10. Click Finish.

  11. Open and edit the cert.cer file in a Notepad. The certificate opens in the following format:

    “-----BEGIN CERTIFICATE-----

    ………. …..

    -----END CERTIFICATE-----"

  12. Copy the content of the cert.cer certificate and provide it when you configure the single sign-on settings by using the inSync Master Management Console.

Configure the single sign-on settings

Toconfigure the single sign-on settings

  1. On the inSync Master Management Console menu bar, click >Settings.

  2. Click the Single Sign-on tab and then click Edit.

  3. Provide the following appropriate information.

    • ID Provider Login URL:

      Type,

      https://{fqdn-name of the ADFS server}/adfs/ls

    • ID Provider Certificate:Provide the content of the cert.cer certificate. For more information see, Before you begin.

    • AuthnRequests Signed:Select this checkbox, if you want signed SAML Authentication Requests.

      By default, SAML Authentication Requests are not signed.

    • Want Assertions Encrypted:Select this checkbox, if you want to enable encryption for the SAML assertions.

      By default, encryption is disabled.

  4. Click Save.

Did this answer your question?