Signiant Support

Media Shuttle SAML Authentication with ADFS


Media Shuttle administrators can enable SAML authentication to integrate an external identity provider, such as ADFS, for single sign on.

The following describes how to configure an ADFS relying party trust that integrates and works with Media Shuttle.

Before you begin, ensure that the portal is configured to use SAML authentication. Read the SAML Login Integration FAQ and Media Shuttle SAML Configuration articles first.
 
  1. Define a user in Active Directory. In this example the email address is used as the user logon.
  2. Ensure that there is a Claim Description with the following claim type (note: the case is significant, so the value must match exactly): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  3. In the Action menu, select Add Relying Party Trust.


    This opens the Add Relying Party Trust Wizard, which configures how the incoming SAML request is handled. These are the basic rules for accepting, processing, and returning a claim.
  4. The wizard asks for the Data Source. This is the metadata from the relying party (Signiant).
  5. The metadata URL is displayed on the General page at https://manage.mediashuttle.com.

  6. The wizard will pull information from the metadata to populate fields later on in the creation process.
  7. Click Next

  8. Add a Display name. This does not affect the request, so you can use a title that allows you to easily identify the trust.

  9. Choose the initial amount of access your users will be granted to the relying party (Signiant).


    Review what will be used for the Trust. Note that information such as the Consumer Endpoints was pulled from the metadata.
  10. You can now add Claims. If any of this information is not correct, click your newly created Trust and select Edit Claim. The claim rules define how the data is processed. You will need to set up three Rules, and they must be in a specific order because they are handled in sequence. When complete, your Claims page should look like this.
  11. Click Add Claim.
  12. For the First Claim select Send Claims Using a Custom Rule.
  13. Use the following text to transform the incoming request into a format that can be understood by ADFS.

    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
     => add(store = "_OpaqueIdStore", types = ("https://boardpixel.mediashuttle.com/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

    NOTE: Replace boardpixel with your own portal prefix.
  14. For the Second Claim select Transform an Incoming Claim. Ensure the Outgoing claim type is set to Name ID and that Outgoing name ID format is set to Transient Identifier. No other changes are required.

  15. The Third Claim is the actual returned information, in which we are only looking for the email address in a certain format. Note that the outgoing claim type uses the claim type specified at the beginning of this document: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. Ensure that the Outgoing Claim Type is E-Mail Address and that the LDAP Attribute is User-Principal-Name.



    ADFS is now configured properly to receive, process, and issue a claim.
  16. Finally, provide Signiant with the metadata for your ADFS. This is listed as the Federation Metadata endpoint under Endpoints. It is a path under the domain name where your ADFS is hosted. In the example we were able to pull the XML (metadata file) from the full path https://win2008ad.test2.signiant.com/FederationMetadata/2007-06/FederationMetadata.xml

  17. On https://manage.mediashuttle.com, select General and update the Identity provider metadata configuration. This information is used to allow the servers to communicate and exchange their certificates.
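The ADFS side of steps 3 to 15 can also be scripted with the AD FS PowerShell module. The following is an added example and is not Signiant's or Microsoft's code. It assumes it runs on the ADFS server as an ADFS administrator; `$portalPrefix` and `$relyingPartyMetadataUrl` are placeholders for your own portal prefix and the metadata URL shown on the General page, and the incoming claim type used by the second rule (the session ID produced by the first rule) is an assumption, since the article only names the wizard template.

```powershell
# Added example, not Signiant's or Microsoft's code: the ADFS side of steps 3-15 as a
# script, using the AD FS PowerShell module. Assumptions: it runs on the ADFS server as
# an ADFS administrator; $portalPrefix and $relyingPartyMetadataUrl are placeholders.
Import-Module ADFS

$portalPrefix            = "boardpixel"   # replace with your own portal prefix (step 13 note)
$relyingPartyMetadataUrl = "https://REPLACE-WITH-THE-METADATA-URL-FROM-THE-GENERAL-PAGE"  # step 5
$trustName               = "Media Shuttle ($portalPrefix)"   # display name (step 8)

# Claim type URIs. ADFS matches these case-sensitively (step 2), so keep them exact.
$sessionIdType = "https://$portalPrefix.mediashuttle.com/internal/sessionid"
$emailType     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$nameIdType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$transient     = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Step 9: issuance authorization rule. "Permit all users" is shown here; restrict it to a
# group if only some AD users should be able to reach the portal.
$authorizationRules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Steps 12-15: the three issuance transform rules, in the order the article requires.
# Rule 2's incoming claim type is an assumption: the article only says "Transform an
# Incoming Claim"; the session ID from rule 1 is the standard ADFS transient-ID input.
$transformRules = @"
@RuleName = "1 - Session ID (custom rule)"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("$sessionIdType"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

@RuleName = "2 - Session ID to Name ID (transient)"
c:[Type == "$sessionIdType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "$transient");

@RuleName = "3 - E-Mail Address from User-Principal-Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailType"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Steps 3-8: create the trust from Signiant's metadata. ADFS reads the identifier and the
# assertion consumer endpoints from it (the values shown on the wizard's review page).
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $relyingPartyMetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $transformRules

# Check: confirm what came from the metadata and that the rules are present in order.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$trust | Select-Object Name, Identifier, SamlEndpoints | Format-List
$trust.IssuanceTransformRules
```

Because rule 3 maps userPrincipalName to the E-Mail Address claim, the UPN of each AD user must equal the email address that Media Shuttle knows the user by (step 1); a mismatch there shows up as a failed login even though ADFS issues a valid assertion.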
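For steps 16 and 17, the following added example (not Signiant's or Microsoft's code) locates the Federation Metadata endpoint from the ADFS Endpoints list, downloads the XML that is pasted into the General page at https://manage.mediashuttle.com, and inspects the token-signing certificate it publishes, since that certificate is what Media Shuttle will use to verify SAML responses. It assumes it runs on the ADFS server; `$adfsHost` is a placeholder for your own federation service hostname.

```powershell
# Added example, not Signiant's or Microsoft's code: steps 16-17 from the ADFS side.
# Assumptions: runs on the ADFS server with the AD FS module; $adfsHost is a placeholder.
Import-Module ADFS

$adfsHost = "REPLACE-WITH-YOUR-FEDERATION-SERVICE-HOSTNAME"   # the article's example host was win2008ad.test2.signiant.com

# Step 16: read the Federation Metadata path from the Endpoints list instead of typing it.
$mdEndpoint  = Get-AdfsEndpoint | Where-Object { $_.Protocol -eq "Federation Metadata" }
$metadataUrl = "https://$adfsHost$($mdEndpoint.AddressPath)"   # .../FederationMetadata/2007-06/FederationMetadata.xml

# Download over HTTPS (certificate validation stays on) and parse the XML the way the
# Media Shuttle side will consume it.
$xml = [xml](Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$idp = $xml.EntityDescriptor.IDPSSODescriptor

Write-Host "entityID (issuer Media Shuttle will expect): $($xml.EntityDescriptor.entityID)"
@($idp.SingleSignOnService) | Select-Object Binding, Location | Format-Table -AutoSize

# The signing certificates in the metadata are what Media Shuttle stores in step 17 and
# uses to verify SAML responses. Decode them and compare against the current primary
# token-signing certificate: if they differ, or one is close to expiry, the metadata on
# the General page must be refreshed or logins will start failing after the rollover.
$published = @($idp.KeyDescriptor) |
    Where-Object { $_.use -eq "signing" } |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    }
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

foreach ($cert in $published) {
    $daysLeft  = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $isPrimary = ($cert.Thumbprint -eq $primary.Certificate.Thumbprint)
    "{0}  subject={1}  expires={2:yyyy-MM-dd} ({3} days)  matchesPrimary={4}" -f `
        $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $daysLeft, $isPrimary
    if ($daysLeft -lt 30) {
        Write-Warning "Signing certificate $($cert.Thumbprint) expires in $daysLeft days; plan the metadata update."
    }
}

$publishedThumbprints = @($published | ForEach-Object { $_.Thumbprint })
if (-not ($publishedThumbprints -contains $primary.Certificate.Thumbprint)) {
    Write-Warning "Published metadata does not contain the primary token-signing certificate; re-export it and update the General page."
}
```

Run this again whenever ADFS rolls its token-signing certificate: the metadata stored on the General page is a snapshot, so step 17 has to be repeated for Media Shuttle to trust assertions signed with the new key.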
Article 2370222