Connect Microsoft ADFS to PE
Connect to Microsoft Active Directory Federation Services (ADFS) on a Windows server, enabling users to log in to PE using their ADFS credentials.
Add PE certificates to the ADFS server
To ensure ADFS trusts the certificates PE uses to sign requests, add the Puppet CA certificates to the Trusted Root CA store on the ADFS server. There can be one or two certificates to import, depending on which version of PE you upgraded from.
On your primary server, retrieve the certificates:
Depending on how many certificates appear, do one of the following:
- One certificate – copy the certificate text and paste it into a .cer file on your ADFS server. Then, import the certificate into the Trusted Root Certification Authorities store.
- Two certificates – export the certificates with this command:
  openssl pkcs12 -export -nokeys -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -out ~/ca.pfx -passout pass:
  Copy the resulting ca.pfx file to your ADFS server, then import it into the Trusted Root Certification Authorities store. The file has no password (the empty pass: argument), so leave the password blank during import. The two certificates appear after importing the file.
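The import can also be scripted on the ADFS server, which avoids the openssl step and handles both the one- and two-certificate cases the same way. The following is an added example, not part of the PE documentation or the Puppet product: it assumes the text of ca.pem from the primary server has been copied to C:\pe\ca.pem, parses each PEM block, refuses anything that is not a CA certificate, and adds the rest to the machine Trusted Root store. The `*Puppet*` subject filter in the final check is an assumption about how the Puppet CA names its certificates.

```powershell
# Added example (not from the PE docs): import every CA certificate in a PEM
# bundle copied from the primary server into the LocalMachine Trusted Root store.
# Assumption: ca.pem contents were copied to C:\pe\ca.pem. Run elevated on the ADFS server.
$PemPath = 'C:\pe\ca.pem'
$pem = Get-Content -Path $PemPath -Raw

# Each BEGIN/END CERTIFICATE block is one base64 DER certificate; a bundle from
# an upgraded PE install contains two of them (root and intermediate).
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
if ($blocks.Count -eq 0) { throw "No certificates found in $PemPath" }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    foreach ($m in $blocks) {
        $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        # The leading comma passes the byte[] as a single constructor argument.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)

        # Only CA certificates belong in Root: check BasicConstraints before trusting it machine-wide.
        $bc = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        if (-not $bc -or -not $bc.CertificateAuthority) {
            throw "Refusing to add non-CA certificate $($cert.Subject) to the Root store"
        }

        if ($store.Certificates.Contains($cert)) {
            Write-Host "Already present: $($cert.Subject) ($($cert.Thumbprint))"
        } else {
            $store.Add($cert)
            Write-Host "Added: $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"
        }
    }
} finally {
    $store.Close()
}

# Verify what is now trusted. Assumption: Puppet CA subjects contain the word "Puppet".
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Puppet*' } |
    Format-Table Subject, Thumbprint, NotAfter
```

Adding a CA to the machine Root store makes every certificate it issues trusted by everything on that server, not just ADFS, so keep the BasicConstraints check and confirm the thumbprints against the ones shown on the primary server before proceeding.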
Connect to ADFS in the PE console
Use the PE console to connect to ADFS.
- In the console, on the Access control page, click the SSO tab.
- Click Configure.
- Input the configuration information as described in the ADFS configuration reference. Make sure to complete the Organization and Contacts sections.
- Commit changes.
ADFS configuration reference
Configure ADFS in the PE console with these settings and values.
ADFS configuration values

| ADFS configuration value | Description |
| --- | --- |
| Identity provider entity ID | An HTTP or HTTPS URL indicating the ADFS identifier. To find your URL, in the ADFS Microsoft Management Console, click Edit Federation Service Properties. Example: |
| Identity provider SSO URL | The ADFS Single Sign On URL. To find your SSO URL, in the ADFS Microsoft Management Console, navigate to Token Issuance and, in the Type column, click the endpoint that specifies SAML 2.0/WS-Federation. Under |
| Identity provider SLO URL | The ADFS Single Sign On URL with ?wa=wsignout1.0 added to the end. |
| Identity provider SLO response URL | The same as the ADFS SLO URL. |
|  | The ADFS Token Signing certificate. To get the certificate, run this PowerShell script on your ADFS server: |
| Name ID encrypted? |  |
| Sign authentication requests? |  |
| Sign logout response? |  |
| Sign logout requests? |  |
| Require signed messages? |  |
| Require signed assertions? |  |
| Require encrypted assertions? |  |
| Require name ID encrypted? |  |
| Requested authentication context |  |
| Requested authentication context comparison |  |
| Allow duplicated attribute name? |  |
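All of the ADFS-side values in the table above (entity ID, SSO and SLO URLs, and the token-signing certificate) can be read from the ADFS server directly instead of clicking through the MMC. The following is an added example and not the script from the PE documentation: it uses the ADFS PowerShell module, writes the primary token-signing certificate as PEM to an assumed path (C:\pe\adfs-token-signing.cer), and prints the remaining values for pasting into the PE console.

```powershell
# Added example (not from the PE docs): collect the ADFS-side values the PE
# console asks for. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$props = Get-AdfsProperties

# Identity provider entity ID: the Federation Service identifier
# (normally http://<federation service name>/adfs/services/trust).
$entityId = [string]$props.Identifier

# Identity provider SSO URL: the enabled SAML 2.0/WS-Federation endpoint
# (normally https://<federation service name>/adfs/ls/).
$ssoEndpoint = Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled } |
    Select-Object -First 1
if (-not $ssoEndpoint) { throw 'No enabled SAML 2.0/WS-Federation endpoint found' }
$ssoUrl = [string]$ssoEndpoint.FullUrl

# SLO URL and SLO response URL: the SSO URL with the WS-Federation sign-out action appended.
$sloUrl = $ssoUrl + '?wa=wsignout1.0'

# Identity provider certificate: the PRIMARY token-signing certificate, which signs
# the SAML assertions PE will verify. A secondary one may exist during rollover.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64     = [Convert]::ToBase64String($der)
# Wrap at 64 columns so the output is standard PEM.
$lines   = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
$pem     = (@('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')) -join "`n"

# Assumption: output path for the PEM you paste into the PE console.
Set-Content -Path 'C:\pe\adfs-token-signing.cer' -Value $pem -Encoding Ascii

[PSCustomObject]@{
    'Identity provider entity ID'        = $entityId
    'Identity provider SSO URL'          = $ssoUrl
    'Identity provider SLO URL'          = $sloUrl
    'Identity provider SLO response URL' = $sloUrl
    'Token-signing thumbprint'           = $signing.Thumbprint
    'Token-signing expires'              = $signing.Certificate.NotAfter
    'Auto certificate rollover'          = $props.AutoCertificateRollover
} | Format-List
```

The last line of output matters operationally: when AutoCertificateRollover is true, ADFS generates a new token-signing certificate before the current one expires and promotes it to primary, at which point the certificate stored in PE no longer matches and ADFS logins fail on signature verification. Record the expiry date and plan to repeat this step (or pin the rollover) before it arrives.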
Attribute binding values for ADFS
|Attribute binding value
Add the Relying Party Trust for PE to ADFS
Add PE to ADFS as a Relying Party Trust using a metadata address, allowing ADFS to recognize and communicate with PE as the service provider. Use the PE console to retrieve the metadata URL, then add it to ADFS using the ADFS Management console.
- In the PE console, on the Access Control page, click the SSO tab, click Show configuration information, and copy the SAML Metadata URL.
- In the ADFS Management console, click .
- When the wizard opens, click Start.
- Select Import data about relying party published online or on a local network and enter the SAML Metadata URL, then click Next.
- Enter a Display name for your PE server, taking note of the name to refer to later, then click Next.
- Accept the defaults for the Access Control Policy and click Next.
- On the Ready to Add Trust page, click Next.
- On the Finish page, uncheck Configure claims issuance policy for this application and click Close.
Disable certificate revocation checking
ADFS can't look up the certificate revocation status because certificates issued by the Puppet CA don't include a CRL distribution point. Use PowerShell to disable certificate revocation checking on the relying party trust; otherwise ADFS attempts the check, the check fails, and the trust fails with it. With checking disabled, ADFS relies on the exact signing certificates pinned in the trust from PE's metadata, so a replaced PE certificate must be picked up by refreshing the trust's metadata rather than by revocation.
- In PowerShell, display the names of all relying party trusts:
  Get-AdfsRelyingPartyTrust | ft Name
- Find the trust with the display name you selected for your PE server.
- Determine the status of the revocation check for the PE trust:
  Get-AdfsRelyingPartyTrust -Name <DISPLAY NAME> | ft EncryptionCertificateRevocationCheck, SigningCertificateRevocationCheck
- If the encryption and signing certificate revocation checks show anything other than None, disable checking:
  Get-AdfsRelyingPartyTrust -Name <DISPLAY NAME> | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
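The wizard steps in the previous section and the revocation commands above can be done in one idempotent script, which is useful when ADFS is rebuilt or a second PE server is added. The following is an added example, not from the PE documentation: the display name, the metadata URL (copy yours from the PE console) and the "Permit everyone" access control policy are assumptions; the policy name is the one the wizard selects by default.

```powershell
# Added example (not from the PE docs): create the PE relying party trust from
# its SAML metadata URL, disable CRL checking for it, and show the result.
Import-Module ADFS

$DisplayName = 'Puppet Enterprise'                      # assumption: your chosen display name
$MetadataUrl = 'https://pe.example.com/saml/metadata'   # assumption: copy the real URL from the PE console

# Only create the trust if it does not already exist.
# ADFS fetches the metadata over HTTPS, which is why the Puppet CA had to be
# added to the Trusted Root store first.
if (-not (Get-AdfsRelyingPartyTrust -Name $DisplayName)) {
    Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataUrl $MetadataUrl `
        -AccessControlPolicyName 'Permit everyone' `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Turn off revocation checking only if it is not already off.
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
if ($rp.SigningCertificateRevocationCheck -ne 'None' -or
    $rp.EncryptionCertificateRevocationCheck -ne 'None') {
    Set-AdfsRelyingPartyTrust -TargetName $DisplayName `
        -SigningCertificateRevocationCheck None `
        -EncryptionCertificateRevocationCheck None
}

# Verify: the identifier and signing certificate(s) imported from PE's metadata,
# plus the revocation settings. These thumbprints are what ADFS now trusts
# instead of a CRL, so compare them with the certificate on the PE server.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Format-List Name, Identifier, MetadataUrl,
        SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck,
        @{ Name = 'SigningCertThumbprints'
           Expression = { $_.RequestSigningCertificate | ForEach-Object Thumbprint } }
```

MonitoringEnabled and AutoUpdateEnabled make ADFS poll the metadata URL and refresh the pinned certificates when PE's SAML signing certificate changes, which is the only way a replaced PE certificate takes effect once revocation checking is off.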
Configure the Claim Issuance Policy in ADFS
Add rules to the Claims Issuance Policy so it can send the correct LDAP attribute and user group information to PE.
- In the ADFS Management console, click Relying Party Trusts.
- Select the PE trust you created and click Edit Claim Issuance Policy.
- Add a rule to send LDAP attributes as claims. Select these options from the drop-down lists:
  - Claim rule template: Send LDAP Attributes as Claims
  - Claim rule name: LDAP Attributes
  - Attribute store: Active Directory
  In the LDAP attribute mapping table, map these LDAP attributes to outgoing claim types:
  - SAM-Account-Name: Common Name
  - Display-Name: Name
  - E-Mail-Addresses: E-mail Address
  - SAM-Account-Name: Name ID
- Add a rule to send group membership as a claim:
  - Claim rule template: Send Group Membership as a Claim
  - Claim rule name: Group membership - <GROUP NAME>
  - User's group: <DOMAIN NAME>\<GROUP NAME>
  - Outgoing claim type: Group
  - Outgoing claim value: <GROUP NAME>
- Add additional rules for passing group membership of other ADFS user groups at your organization.
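The two wizard rules above are stored by ADFS as claim-rule-language text, and writing them that way makes the mapping explicit and repeatable. The following is an added example, not from the PE documentation: the trust display name, the CORP domain and the puppet-admins group are assumptions, and the function `New-PeGroupClaimRule` is a helper defined here, not an ADFS cmdlet.

```powershell
# Added example (not from the PE docs): the LDAP attribute rule and a group
# membership rule in ADFS claim rule language, applied to the PE trust.
Import-Module ADFS

$DisplayName = 'Puppet Enterprise'   # assumption: the PE trust display name
$Domain      = 'CORP'                # assumption: <DOMAIN NAME>
$GroupName   = 'puppet-admins'       # assumption: <GROUP NAME> as PE will see it

# Rule 1: Send LDAP Attributes as Claims. The i-th attribute in the query maps to
# the i-th claim type: sAMAccountName -> Common Name, displayName -> Name,
# mail -> E-mail Address, sAMAccountName -> Name ID.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/CommonName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName,displayName,mail,sAMAccountName;{0}", param = c.Value);
'@

# Rule 2: Send Group Membership as a Claim. ADFS matches on the group SID, not the
# name, so resolve it; the outgoing value is the plain name PE's RBAC matches on.
function New-PeGroupClaimRule([string]$Domain, [string]$GroupName) {
    $sid = (New-Object System.Security.Principal.NTAccount($Domain, $GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    return @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Group membership - $GroupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$GroupName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
}

# Add one New-PeGroupClaimRule entry per AD group that should map to a PE role.
$rules = ($ldapRule, (New-PeGroupClaimRule $Domain $GroupName)) -join "`n"

# This REPLACES the trust's whole issuance transform policy, so include every rule above.
Set-AdfsRelyingPartyTrust -TargetName $DisplayName -IssuanceTransformRules $rules

# Verify what ADFS stored.
(Get-AdfsRelyingPartyTrust -Name $DisplayName).IssuanceTransformRules
```

Because only groups with an explicit rule are emitted, a user's other memberships never reach PE; the Group claim value is the sole thing PE's RBAC matches, so keep the outgoing value identical to the name you later add on the User groups tab.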
Configure an RBAC group and role in PE
In the PE console, configure RBAC to grant permissions to new ADFS user groups.
- In the console, on the Access control page, click the User groups tab.
- In the Login field, enter the name of the ADFS user group and click Add Group. Tip: This is the same <GROUP NAME> you added when configuring group membership rules.
- Click the User roles tab, then click the role you want to add the group to. For example, Viewers.
- Click the Member groups tab and, in the drop-down list, select your ADFS user group.
- Click Add group and commit the change.
- Add additional ADFS user groups at your organization to RBAC roles.
Test your SSO connection
Ensure your connection between PE and ADFS works by logging out and logging back in.
- Log out of PE.
- On the login screen, click Sign in with ADFS.
- Log in to PE using your ADFS credentials.
After logging back in, your permissions match what is assigned to your ADFS group.