Authenticating with Active Directory Federation Services

A Media Shuttle portal configured for Single Sign-On access using SAML allows you to authenticate portal members through an external identity provider, such as Microsoft Active Directory Federation Services (AD FS).

To establish a trust relationship between Media Shuttle and AD FS, you must add a claim description, create a relying party trust, and configure claim rules in AD FS Management. You can then add a link to the AD FS metadata in Media Shuttle.

Note: When using AD FS as an identity provider, Media Shuttle is known as the Relying Party and AD FS is known as the Claims Provider.

To learn more about authenticating portal members using external identity providers, see Understanding SAML.

Adding a Claim Description

Follow the instructions in Add a Claim Description.

  • As a Claim identifier, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

Creating a Trust

Follow the instructions in Create a Relying Party Trust.

  • On the Welcome page, select Claims aware.

  • On the Select Data Source page, select Import data about the relying party published online or on a local network and enter your Media Shuttle metadata URL.

    Note: The metadata URL is displayed on the General tab in your Account Administration Console.

  • On the Configure URL page, select Enable support for the SAML 2.0 WebSSO protocol and enter the Relying party SAML 2.0 SSO service URL.

  • On the Choose Access Control Policy page, select the initial amount of access your users will be granted by the relying party (Signiant).

Some settings, such as Consumer Endpoints, are drawn from your Media Shuttle metadata.

Configuring Claim Rules

You must configure three claim rules: one that accepts the incoming claim, one that processes it, and one that returns the result to Media Shuttle. Add the rules in the order shown below, because AD FS evaluates them in sequence.

Accepting Claim

Follow the instructions in Create a Rule to Send Claims Using a Custom Rule.

  • On the Configure Rule page, copy your custom claims rule into the Custom rule text box, replacing <yourportalURLprefix> with the URL prefix of your portal.

    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
    => add(store = "_OpaqueIdStore", types = ("https://<yourportalURLprefix>.mediashuttle.com/internal/sessionid"), query = " {0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

Processing Claim

Follow the instructions in Create a Rule to Transform an Incoming Claim.

On the Configure Rule page:

  • Set Outgoing claim type to Name ID.
  • Set Outgoing name ID format to Transient Identifier.

Returning Claim

Follow the instructions in Create a Rule to Send LDAP Attributes as Claims.

This rule determines which directory attribute is returned to Media Shuttle as the e-mail address claim.

On the Configure Rule page:

  • Verify that LDAP Attribute is set to User-Principal-Name.
  • Verify that Outgoing Claim Type is set to E-Mail Address.
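
The steps in Adding a Claim Description, Creating a Trust and Configuring Claim Rules can also be scripted with the AD FS PowerShell module. The following is an added example, not Signiant's or Microsoft's code: it assumes the trust display name "Media Shuttle", the built-in "Permit everyone" access control policy, and placeholders for your portal URL prefix and for the Media Shuttle metadata URL shown on the General tab. The Processing and Returning rules are written out in claim rule language as the equivalents of the Transform an Incoming Claim and Send LDAP Attributes as Claims templates, with the rule names chosen here.

```powershell
# Added example (not Signiant's or Microsoft's code). Run on the primary AD FS server
# in an elevated PowerShell session; it scripts the claim description, relying party
# trust and the three claim rules described in this article.

Import-Module ADFS

# --- Assumptions: replace the placeholders before running ---------------------------
$PortalPrefix = '<yourportalURLprefix>'                      # your Media Shuttle portal URL prefix
$MetadataUrl  = '<Media Shuttle metadata URL from the General tab>'
$TrustName    = 'Media Shuttle'                              # display name of the trust (assumed)
$AccessPolicy = 'Permit everyone'                            # built-in AD FS access control policy (assumed)

$SessionIdType = "https://${PortalPrefix}.mediashuttle.com/internal/sessionid"
$EmailType     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

# 1. Claim description for the e-mail address claim Media Shuttle consumes.
#    A default AD FS installation already offers this claim type, so only add it if missing.
if (-not (Get-AdfsClaimDescription -ClaimType $EmailType -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimDescription -Name 'E-Mail Address' -ClaimType $EmailType -IsOffered $true -IsAccepted $true
}

# 2. Relying party trust imported from the Media Shuttle metadata. The SAML 2.0 consumer
#    endpoints and the identifier come from the metadata rather than being typed in.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl -AccessControlPolicyName $AccessPolicy

# 3. Issuance transform rules in the order AD FS must evaluate them:
#    accept (opaque per-session id) -> process (transient Name ID) -> return (UPN as e-mail).
$Rules = @"
@RuleName = "Accepting claim: opaque session identifier"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("$SessionIdType"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

@RuleName = "Processing claim: transient Name ID"
c:[Type == "$SessionIdType"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

@RuleName = "Returning claim: User-Principal-Name as E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$EmailType"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Set-AdfsRelyingPartyTrust replaces the whole rule set, so all three rules are supplied together.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $Rules

# Review the result before adding the AD FS metadata link in Media Shuttle.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, AccessControlPolicyName, IssuanceTransformRules
```

Because the trust is created from the Media Shuttle metadata, the consumer endpoints are imported, as noted under Creating a Trust. The here-string keeps the rules in the accept, process, return order that AD FS requires, and the final Get-AdfsRelyingPartyTrust call lets you confirm the identifier and rule set before continuing to the Media Shuttle side.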

Adding AD FS Metadata in Media Shuttle

With AD FS configured to accept, process and issue a claim, you can add a link to the AD FS metadata in your Account Administration Console. AD FS publishes this XML configuration file as its Federation Metadata, at a URL under the host name of your AD FS server (by default, https://<your AD FS host name>/FederationMetadata/2007-06/FederationMetadata.xml).

  1. Log into your Account Administration Console.
  2. On the Security page, update the Identity Provider Metadata.