Configuring ADFS as an identity provider

Use this task to configure Microsoft Active Directory Federation Services (AD FS) as the identity provider for IBM® Security Verify. Verify acts as the SAML 2.0 service provider; ADFS acts as the identity provider, so each side must import the other side's metadata.

Procedure

  1. Obtain the service provider metadata file from IBM Security Verify.
    You need this file when you create the ADFS Relying Party Trust.
    1. Log in to the Verify administration console.
    2. Click Settings > Identity Sources > Add Identity Source.
    3. Download the SAML 2.0 service provider metadata file. Click Download File under Step 2 and save the file for later use.
  2. Locate the metadata export URL for ADFS.
    1. Log in to the ADFS server and open the management console.
    2. In the AD FS folder, expand Services and click Endpoints.
    3. In the Metadata section, locate the Federation Metadata endpoint. Its URL path is /FederationMetadata/2007-06/FederationMetadata.xml.
  3. Use a browser to navigate to that URL on the ADFS server and download the file.
    For example, https://localhost/FederationMetadata/2007-06/FederationMetadata.xml
    If you browse to localhost, a certificate warning is expected because the service communications certificate is issued to the federation service name, not to localhost; you can avoid the warning by using the federation service name in the URL instead. In most browsers, a file that is called FederationMetadata.xml is downloaded to the default downloads folder. The file is approximately 70 KB on ADFS 3.0 on Windows Server 2012 R2.
  4. Go to the ADFS Management Console.
  5. Start the Relying Party Trust Wizard.
    1. Click Trust Relationships in the AD FS folder.
    2. Click Add Relying Party Trust from the Actions menu.
    3. Click Start.
  6. Import the SAML metadata file that you downloaded from Verify.
    1. On the Select Data Source window, select Import data about the relying party from a file.
    2. Enter the location of the Verify metadata file.
      Use Browse to locate and select the metadata file that you downloaded.
      For example, Z:\abcxyz.verify.ibm.com_metadata.xml
    3. Click Next.
  7. Type a descriptive display name for the trust and any additional information.
  8. Click Next.
  9. Do not configure multi-factor authentication (MFA).
    Ensure that the I do not want to configure multi-factor authentication settings for this relying party trust at this time option is selected.
  10. Click Next.
  11. Set up the issuance authorization policy.
    Ensure that Permit all users is selected. With this setting, every account that authenticates to ADFS can obtain an assertion for Verify; you can restrict access later by editing the issuance authorization rules of the trust.
  12. Click Next.
  13. On the Ready to Add Trust page, review the settings that were read from the Verify metadata, such as the identifier and the endpoints, and click Next.
  14. Leave the default selection for editing claim rules checked and click Close.
    The Edit Claim Rules window opens.
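The wizard steps above can also be scripted with the ADFS PowerShell module, which is useful when the trust must be reproduced on several servers or rebuilt after a change. The following script is an added example and is not part of the IBM documentation or of the Verify product; the metadata path and the display name are assumed placeholders. It downloads the ADFS metadata using the federation service name rather than localhost, checks that the Verify file really is SAML 2.0 service provider metadata before importing it, creates the trust with the Permit all users authorization rule, and prints the identifier that ADFS took from the metadata.

```powershell
# Added example, not from the IBM documentation: scripted equivalent of the
# Add Relying Party Trust wizard. Run in an elevated PowerShell session on the
# ADFS server. The path and the trust name below are assumed values.
Import-Module ADFS

$verifyMetadata = 'Z:\abcxyz.verify.ibm.com_metadata.xml'   # file downloaded from Verify (assumed path)
$trustName      = 'IBM Security Verify'                      # display name for the trust (assumed)
$outFile        = Join-Path $env:USERPROFILE 'Downloads\FederationMetadata.xml'

# Steps 2-3: build the metadata URL from the federation service name so the
# certificate matches and no warning has to be accepted.
$fsHost      = (Get-AdfsProperties).HostName
$metadataUrl = "https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml"
Invoke-WebRequest -Uri $metadataUrl -OutFile $outFile -UseBasicParsing
Write-Host "ADFS metadata saved to $outFile ($((Get-Item $outFile).Length) bytes)"

# Check the Verify file before importing it: it must be SAML 2.0 service
# provider metadata, and the entityID and AssertionConsumerService URLs tell
# you which Verify tenant the trust will point at.
[xml]$sp = Get-Content -Path $verifyMetadata -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($sp.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$entity = $sp.SelectSingleNode('/md:EntityDescriptor', $ns)
if (-not $entity -or -not $entity.SelectSingleNode('md:SPSSODescriptor', $ns)) {
    throw "$verifyMetadata is not SAML 2.0 service provider metadata"
}
$acs = $entity.SelectNodes('md:SPSSODescriptor/md:AssertionConsumerService', $ns) |
       ForEach-Object { $_.GetAttribute('Location') }
Write-Host "Verify entityID: $($entity.GetAttribute('entityID'))"
Write-Host "Verify ACS URLs: $($acs -join ', ')"

# Steps 5-12: create the trust from the file. No MFA rule is set (step 9) and
# the issuance authorization rule is the wizard's 'Permit all users' (step 11).
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Add-AdfsRelyingPartyTrust -Name $trustName `
                          -MetadataFile $verifyMetadata `
                          -IssuanceAuthorizationRules $permitAll

# Confirm the trust and the identifier ADFS read from the metadata; the
# claim rules (step 14) are added afterwards with Set-AdfsRelyingPartyTrust.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, Enabled, SignatureAlgorithm
```

The XML check is the scripted form of the review on the Ready to Add Trust page: if the entityID is not the Verify tenant you expect, stop before creating the trust, because ADFS would otherwise issue signed assertions to whatever AssertionConsumerService URL the file names.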