This document describes how to install a metadata file on Microsoft Active Directory Federation Services (ADFS).
Cisco recommends that you have knowledge of these topics:
Security Assertion Markup Language (SAML) integration with Security Management Appliance
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Before the Metadata file is installed in the ADFS, ensure that these requirements are addressed:
SAML enabled in the SMA
Verify whether the identity provider used by your organization is supported by Cisco Content Security Management Appliance. These are the supported identity providers:
Microsoft Active Directory Federation Services (ADFS) 2.0
Ping Identity PingFederate 7.2
Cisco Web Security Appliance 9.1
Obtain these certificates that are required to secure the communication between your appliance and the identity provider:
If you want your appliance to sign SAML authentication requests or if you want your identity provider to encrypt SAML assertions, obtain a self-signed certificate or a certificate from a trusted Certificate Authority (CA) and the associated private key.
If you want the identity provider to sign SAML assertions, obtain the identity provider's certificate. Your appliance uses this certificate to verify the signed SAML assertions.
Step 1. Navigate to your SMA and select System Administration > SAML > Download Metadata, as shown in the image.
Step 2. The Identity Provider Profile is filled in automatically when the customer uploads the ADFS metadata file. Microsoft publishes it at a default URL: https://<ADFS-host>/FederationMetadata/2007-06/FederationMetadata.xml.
Step 3. Once both profiles are set up, the SP Profile Metadata must be edited, as per bug CSCvh30183. The metadata file looks as shown in the image.
Step 4. Remove the highlighted information; after the edit, the metadata file must look as shown in the image.
Step 5. Navigate to your ADFS and import the edited metadata file via ADFS Tools > AD FS Management > Add Relying Party Trust, as shown in the image.
Step 6. After you successfully import the metadata file, configure the Claim Rules for the newly created Relying Party Trust: select Claim rule template > Send LDAP Attributes, as shown in the image.
Step 7. Enter a name for the claim rule, and select Attribute Store > Active Directory.
Step 8. Map LDAP Attributes, as shown in the image.
LDAP Attribute > E-Mail-Addresses
Outgoing Claim Type > E-Mail-Address
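The same result as Steps 5 to 8 can be obtained with the AD FS PowerShell cmdlets, which is useful for repeating the setup on a second federation server or for checking what the GUI wizard produced. This is an added example, not part of the original article; the metadata path and the relying party display name are placeholders, and it assumes it is run as an administrator on the AD FS server (on AD FS 2.0 the snap-in is loaded instead of the module, see the comment).

```powershell
# Added example (not from the original article): scripted equivalent of Steps 5 to 8.
# Assumptions: run as administrator on the AD FS server; the edited SP metadata file
# from Step 4 is at the placeholder path below; the display name is a placeholder.

# AD FS 2.0 ships its cmdlets as a snap-in; AD FS on Windows Server 2012+ ships a module.
if (Get-Module -ListAvailable -Name ADFS) {
    Import-Module ADFS
} else {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$metadataFile = 'C:\Temp\sma-sp-metadata.xml'   # placeholder: edited SP metadata from Step 4
$rpName       = 'Cisco SMA'                      # placeholder: relying party trust display name

# Claim rule language equivalent of the "Send LDAP Attributes" template (Steps 6 to 8):
# LDAP attribute E-Mail-Addresses (mail) -> outgoing claim type E-Mail-Address.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SMA E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Issuance authorization rule matching the wizard's default "Permit all users" choice.
# Without any authorization rule, AD FS denies every user access to the relying party.
$permitAllRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 5: create the relying party trust from the edited metadata file.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile

# Steps 6 to 8: attach the claim rule (and the permit-all authorization rule).
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $ldapRule `
    -IssuanceAuthorizationRules $permitAllRule

# Check: the trust exists, its identifier matches the SMA entity ID from the metadata,
# and the e-mail claim rule is attached.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules
```

The `Identifier` shown by the final check must equal the entity ID inside the SMA metadata file; if it does not, the wrong or an unedited metadata file was imported.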
Step 9. Create a new Custom Claim rule with this information, as shown in the image.
This is the custom rule that needs to be added to the Custom Claim rule: