Friday, June 19, 2015

SSO with OpenDNS using ADFS


  1.  Log into your OpenDNS account.  From the Umbrella control panel, click Configuration.


  2.  A panel will open on the left.  Expand System Settings, select Login Security and then click SAML from the Security Type options on the right.
  3.  Choose Other and click Next.
  4.  Download the XML metadata to configure your ADFS servers.  At the time of this document, the XML files were available using this link.
  5. Switch over to your ADFS server and configure the relying party trust.
    1.  On your primary ADFS server, open the AD FS management console and expand AD FS > Trust Relationships.  Right click on Relying Party Trusts and choose Add Relying Party Trust.  This opens the Add Relying Party Trust Wizard; click the Start button.
    2.  On the Select Data Source screen, choose Import Data about the relying party from a file.   Browse to the XML file that you downloaded from OpenDNS and click Next.


    3.  Provide a Display Name and add any notes you may wish to save.  These do not matter to the configuration and are for your use only.  Click Next.
    4. The default choice of I do not want to configure multi-factor authentication settings for this relying party trust at this time should be selected.  Click Next.


    5. Choose the default of Permit all users to access this relying party and click Next.


    6. You will now be given an option to review the settings for the new RP.  You can review them if you’d like, but most of these settings were automatically created for you when you imported the XML.  Click Next.
    7. Once the RP is created, right click on it and choose Edit Claim Rules.  The wizard's closing page also offers to open this dialog automatically once the trust is saved.
    8.  Create two Issuance Transform Rules, each added with the Send Claims Using a Custom Rule template.  The custom rule language for each of the required rules is provided below.

      RULE: AD to SAML
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

      RULE: Email to Name ID
      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
    9. Switch back to the OpenDNS page and click next to continue the configuration.
  6. Download the metadata from your ADFS server and upload it to OpenDNS using the browse dialog.  You can retrieve your XML configuration using the following URL:

    https://myadfsserver.fqdn/FederationMetadata/2007-06/FederationMetadata.xml
  7.  After uploading the data to OpenDNS, you will be moved to the Validation step.  Enter your email address and test the validation.  If it is successful, continue through the wizard and save your changes.  Once saved, you should have SSO configured.
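
The ADFS side of the procedure above (steps 5.1 to 5.9 and the metadata download in step 6) can also be scripted on the primary ADFS server.  The script below is an added example written for this page; it is not part of the original post and not OpenDNS or Microsoft documentation.  It imports the relying party trust from the OpenDNS metadata file, applies the two claim rules exactly as written above, adds the permit-all authorization rule that the wizard's default of step 5.5 generates, verifies what was stored, and then saves the farm's federation metadata for upload to OpenDNS.  The file paths and display name are assumptions, and myadfsserver.fqdn is the placeholder from the post.  The last step lists the token-signing certificate's expiry date because the metadata you upload to OpenDNS embeds that certificate: when ADFS rolls the certificate over, the trust stops working until the new metadata is uploaded.

```powershell
# Added example (not from the original post): scripted equivalent of steps 5.1-5.9
# and step 6, run on the primary AD FS server. Paths, display name and server
# name are assumptions; replace them with your own values.
#Requires -RunAsAdministrator
Import-Module ADFS

$MetadataFile = 'C:\Temp\OpenDNS-SAML-metadata.xml'   # XML downloaded in step 4 (assumed path)
$DisplayName  = 'OpenDNS Umbrella'                     # free text, as in step 5.3
$AdfsFqdn     = 'myadfsserver.fqdn'                    # placeholder from the post

# Step 5.8: the two issuance transform rules, rule text unchanged from the post.
# @RuleName is the annotation the Edit Claim Rules dialog uses for the rule's name.
$TransformRules = @'
@RuleName = "AD to SAML"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 5.5: the authorization rule the wizard writes for
# "Permit all users to access this relying party".
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 5.1-5.6: create the relying party trust from the OpenDNS metadata and
# attach both rule sets in one call.
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -MetadataFile $MetadataFile `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -Notes 'OpenDNS Umbrella SSO, created by script'

# Check: the trust exists, its identifier and SAML endpoint came from the
# metadata, and the Name ID rule OpenDNS matches users on was actually stored.
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
$rp | Select-Object Name, Identifier, Enabled, SignatureAlgorithm
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
if ($rp.IssuanceTransformRules -notmatch 'nameid-format:emailAddress') {
    throw 'Name ID rule missing: OpenDNS cannot match the asserted user to an account'
}

# Step 6: save this farm's federation metadata for upload to OpenDNS, and show
# when the embedded token-signing certificate expires (the date on which the
# uploaded metadata goes stale).
$OutFile = 'C:\Temp\FederationMetadata.xml'   # assumed path
Invoke-WebRequest -Uri "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml" -OutFile $OutFile
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{n = 'NotAfter'; e = { $_.Certificate.NotAfter }}
```

Run it once in an elevated PowerShell session on the primary ADFS server, then continue at step 7 in the OpenDNS wizard with the saved FederationMetadata.xml.  The throw on the missing Name ID rule is deliberate: without it ADFS still issues a token, but OpenDNS receives no usable subject and the validation step fails in a way that is hard to diagnose from the OpenDNS side.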