Federated Assisted Login using ADFS domain trust
- User John Doe from org.company.com navigates to https://sts.partner.com:8843/Login.aspx. This web application is published using WAP and ADFS by the Resource Partner Organization (org.partner.com).
- When the user enters his UPN on the login page (john.doe@org.company.com), a redirect to the Account Partner Organization's ADFS takes place, and the user authenticates against the local Active Directory.
- If the authentication is successful, the user is redirected back to the Resource Partner Organization.
- ADFS uses the Mideye Service Attribute Store (MSAS) to send the request to the Mideye Server.
- The pre-listed approver(s) get a notification in the Mideye+ app stating that John Doe with username john.doe@mideye.com wants to access the resource “Web Server”. The approver can choose to accept or deny the login.
- If the login is approved, John Doe is redirected back to https://sts.partner.com:8843 and granted access.
In the illustration above, the Resource Partner Organization (RPO, org.partner.com) provides the ADFS-enabled application, which is already integrated as a relying party on the AD FS server.
The Account Partner Organization (APO), where the partner accounts exist, wants access to the ADFS-enabled application in the RPO infrastructure using its own credentials. This is done by creating a trust between the RPO and the APO. The resource organization needs full control over all logins from the account partner; this is achieved by installing the Mideye Service Attribute Store (MSAS), which enables assisted login.
This guide assumes that both the resource partner and the account partner already have a functional ADFS environment that is reachable from the internet through a proxy. The resource partner must have a Mideye Server running at least release 5.5.4.
Configuration on the Resource Partner Organization
Installing the Mideye ADFS package
Download the Mideye ADFS package from https://docs.mideye.se/downloads/adfs/ and follow the installation instructions in the Microsoft ADFS guide (mideye.com).
Configure the Mideye Service Attribute Store
Open ADFS-management console and navigate to “Service” followed by “Claim Descriptions”. Click “Add Claim Description”.
Add the following properties to the new claims:
- Display name: Is Mideye Authenticated
- Short Name: mideyeauthenticated
- Claim identifier:
http://www.mideye.com/2020/10/claims/authenticated
Click “OK” to save the new claim.
Create a new Claim
Navigate to “Service” followed by “Attribute Stores”. Click “Add Custom Attribute Store”.
Add the following Properties to the new custom attribute store:
- Display name: Mideye Attribute Store
- Custom attribute store class name: Mideye.ADFS.AttributeStore.StrongAuthentication, Mideye.ADFS
Click “OK” to save.
Set up a trust to the Account Partner
Navigate to “Claims Provider Trusts” and click “Add Claims Provider Trust”. Complete the wizard by importing the Account Partner's metadata.
Select the Claims Provider Trust and click “Edit Claim Rules”.
Click “Add Rule” and select “Send Claims using a Custom Rule”. Click “Next”.
Select Send Claims using a Custom Rule
Add the following properties:
- Claim Rule Name: Mideye Assisted Login
- Custom Rule:
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
&& c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid"]
=> issue(store = "Mideye Attribute Store", types = ("http://www.mideye.com/2020/10/claims/authenticated"), query = "AssistedLogin", param = c1.Value, param = c2.Value, param = "", param = "", param = "");
Click "Finish" followed by "OK".
The five parameters are, in order:
- Param1: UserID
- Param2: ResourceIdentifier
- Param3: User Display Name
- Param4: Company Name
- Param5: MSISDN
Edit the published ADFS-enabled web application
Navigate to Relying Party Trusts. Select the relying party for the published web application and click Edit Claim Issuance Policy. Click Add Rule. Select Pass Through or Filter an Incoming Claim and click Next.
In the claim rule name, add Mideye Authenticated and select Is Mideye Authenticated as incoming claim type
Type Mideye authenticated and select Is Mideye Authenticated
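The same Resource Partner configuration as an added PowerShell example using the AD FS module (not Mideye's own script): it creates the claim description and the custom attribute store, appends the assisted-login rule to the claims provider trust, and passes the claim through on the published application. The claims provider and relying party names in $Params are placeholders, and the cmdlet parameters are assumed to match the AD FS version in use.

```powershell
# Added example, not part of the Mideye documentation. Assumes the Mideye ADFS
# package is installed and the claims provider trust for the Account Partner
# already exists. Names in $Params are placeholders for your environment.
Import-Module ADFS

$Params = @{
    ClaimType          = 'http://www.mideye.com/2020/10/claims/authenticated'
    ClaimsProviderName = 'org.company.com'   # placeholder: name of the CP trust
    RelyingPartyName   = 'Web Server'        # placeholder: published application
}

# 1. Claim description "Is Mideye Authenticated"
if (-not (Get-AdfsClaimDescription -ClaimType $Params.ClaimType)) {
    Add-AdfsClaimDescription -Name 'Is Mideye Authenticated' `
        -ShortName 'mideyeauthenticated' -ClaimType $Params.ClaimType `
        -IsAccepted $true -IsOffered $true -IsRequired $false
}

# 2. Custom attribute store backed by the Mideye ADFS package
if (-not (Get-AdfsAttributeStore -Name 'Mideye Attribute Store')) {
    Add-AdfsAttributeStore -Name 'Mideye Attribute Store' -StoreType Custom `
        -TypeQualifiedName 'Mideye.ADFS.AttributeStore.StrongAuthentication, Mideye.ADFS'
}

# 3. Acceptance rule on the claims provider trust: UPN (param 1) and relying
#    party trust id (param 2) go to the Mideye Server; display name, company
#    and MSISDN (params 3-5) are left empty as in the rule above.
$assistedLoginRule = @"
@RuleName = "Mideye Assisted Login"
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid"]
 => issue(store = "Mideye Attribute Store", types = ("$($Params.ClaimType)"), query = "AssistedLogin", param = c1.Value, param = c2.Value, param = "", param = "", param = "");
"@
$cp = Get-AdfsClaimsProviderTrust -Name $Params.ClaimsProviderName
# Append to the existing rule set instead of overwriting it
Set-AdfsClaimsProviderTrust -TargetName $cp.Name `
    -AcceptanceTransformRules ($cp.AcceptanceTransformRules + "`n" + $assistedLoginRule)

# 4. Pass the Mideye claim through on the published application
$passThroughRule = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Mideye Authenticated"
c:[Type == "$($Params.ClaimType)"] => issue(claim = c);
"@
$rp = Get-AdfsRelyingPartyTrust -Name $Params.RelyingPartyName
Set-AdfsRelyingPartyTrust -TargetName $rp.Name `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $passThroughRule)

# This exact Name is what the Mideye Server profile's Resource field must contain
Write-Output "Mideye Resource field value: $($rp.Name)"
```

Run it in an elevated PowerShell prompt on the AD FS server; the last line prints the relying party name to paste into the Mideye Server profile in the next section.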
Mideye Server Configuration
Login to the Mideye Server Web GUI and navigate to Configuration followed by Assisted login profiles. Click the + in the top right corner. Select Federation Assisted Login Profile and click Create.
Select Federation Assisted Login Profile and click create
Give the profile a friendly name. The Resource field must be identical to the name of the relying party trust used by the published web application.
To verify the name of the resource, open an elevated PowerShell prompt and run Get-AdfsRelyingPartyTrust -Name “name of relying party”. Copy the value of the Name row from the output and paste it into the Resource field on the Mideye Server.
Add the Name of the relaying party trust
Paste it into the Resource field and give the assisted login profile a friendly name. Click Approver.
Navigate to the Approver tab. Specify a group of users that will have permission to approve a login or add a single user using the UPN. If a group is selected it should be in DN-format.
Add approvers to the profile
Navigate to the User tab. Select when to trigger a federated assisted login using UPN, domain or a regular expression.
Add a rule to specify when to trigger the assisted login profile. Click Save.
The last step is to enable assisted login on the RADIUS client. Navigate to Configuration followed by RADIUS clients. Edit the RADIUS client created for ADFS and select the Assisted Login tab. Add the federated assisted login profile created in the step above to the Assisted Login Profile and click Save.
Enable assisted login on the RADIUS client
Add a relying party trust from the Account organization
On the account organization, open the ADFS management console and navigate to Relying Party Trusts. Click Add Relying Party Trust and finish the wizard using the metadata from the Resource Partner Organization.