AD FS Federation

Integration guide

This page sets out how to integrate the Case Review Portal with the self-service or hybrid model with single sign-on.

AD FS Federation

To set up AD FS Federation to manage access to the Case Review Portal, follow these steps:

Prerequisites

Your implementation manager provides you the following:

PrerequisiteDescription
Service provider entity IDurn:amazon:cognito:sp:<UserPoolID>
SAML endpointhttps://<cognitoUrl>/saml2/idpresponse

After you have successfully set up the federation with AD FS, you must send us your Federation Metadata XML file.

Make sure your organization has set up relevant user management security groups.

1. Create new relying party

Note
The user interface may vary depending on your version of AD FS.

1.1 Add new relying party trust

To create a new relying party, in the AD FS management console, right click AD FS > Trust relationships > Relying party trust > Add relying party trust.

1.2 Configure

Select Enter data about the relying party manually:

1.3 Use default settings

For the following steps, use the default values shown:

1.4 Configure identifiers

Set the relying party trust identifier to the service provider entity ID provided by Fourthline, formatted as follows: urn:amazon:cognito:sp:<UserPoolID>

1.5 Configure multi-factor authentication

Configure multi-factor authentication in line with your organization's security policies (not required to successfully set up federation).

1.6 Use default settings

In most cases, select Permit all users to access this relying party because portal access is determined using role-based access control (RBAC).

You can further limit access later by specifying authorization rules in Actions > Edit claim rules.

No changes in the following step:

Complete the wizard:

2. Configure claims mapping

Map all SAML claims you need to send to the relying party as follows:

2.1 Configure Name ID mapping rules

The Name ID claim is the unique identifier to match the user identity principle from the federated Identity Provider (IdP), in this case AD FS, to the shadow account in our system.

To add this claim:

  1. Add a rule to map an attribute from the Attribute Store (usually Active Directory) to a claim.
  2. Map the claim from the previous step to an outgoing Name ID claim.
  3. In the relying party, select Edit claim rules > Add rule with the template > Send LDAP attributes as claims.
  4. Create a new Email claim rule to map the email address from the attribute store to the outgoing Email address claim:

Note
The attribute store or LDAP Attribute shown may differ from your organization's.

  1. Using the Transform an incoming claim template, create a second claim rule to transform the Email Address to an outgoing Name ID claim:

2.2 Configure RBAC mapping rules

To map the security groups to the RBAC claims, follow these steps:

  1. Create a separate rule for each security group your organization uses to manage user roles.
  2. On the Relying Party, select Edit claim rules > Add rule, and use the Send group membership template as a claim.
  3. Create a new Send Fourthline analyst portal user group rule claim rule that maps the User's group value to the Outgoing claim type:

Important
The Outgoing claim type must exactly match 1 of the valid roles expected by the portal or the roles aren't recognized.

3. Set the SAML endpoint

Configure the SAML endpoint provided by Fourthline for the relying party in the following format: https://<cognitoUrl>/saml2/idpresponse

On the Relying party > Endpoints tab, configure the following settings:

SettingDescription
Endpoint typeSet to SAML Assertion Consumer.
BindingSet to POST.
Trusted URLSet to https://<cognitoUrl>/saml2/idpresponse.


Success
You have set up AD FS federation!

Top of page