Set up Active Directory Federation Services (AD FS) as a third-party SAML identity provider

Before you begin

  1. Select a fully qualified domain name (FQDN) for your AD FS federation service. ETP redirects users to the AD FS SAML sign-on endpoint, which has the form
    https://<federation-service-name>/adfs/ls

    where <federation-service-name> is that FQDN, for example adfs.yourdomain.com. The name must resolve from the networks your users sign in from, and the AD FS service communication certificate must be issued for it.

  2. Install and configure the AD FS role on Windows Server 2016. For more information, see the AD FS product documentation.

Active Directory Federation Services (AD FS) is a server role on Microsoft Windows Server. It provides single sign-on (SSO) and federated identity management: users authenticate once against Active Directory and AD FS issues signed SAML assertions that authorize them to websites and applications. Complete these steps to set up AD FS as a third-party identity provider for ETP.

How to

  1. In ETP, add AD FS as a third-party SAML identity provider.
  2. Add Active Directory (AD) to ETP. Make sure you import groups into ETP. For more information, see Add a directory.
  3. Download and deploy an identity connector. For more information, see Create and download an identity connector.
  4. Associate the identity connector with the AD you created. For more information, see Associate an identity connector to a directory.
  5. Assign the AD that you created in ETP to the AD FS identity provider. For more information, see Assign AD to AD FS identity provider.
  6. Add the AD FS federation service domain to the ETP network configuration exception list. For more information, see Add identity provider domains to an exception list.
  7. Authenticate ETP with AD FS. This process involves these steps:
    1. Configure the Akamai Enterprise identity provider (IdP) as a relying party trust in AD FS. AD FS calls the SAML service provider a relying party, so ETP appears on the AD FS side as a relying party trust. See Set up relying party trust in AD FS.
    2. Configure which Active Directory (AD) attributes AD FS sends to ETP. The ETP administrator creates claim rules and adds them to the relying party trust. In AD FS, claim rules based on the default LDAP attributes template send attributes such as the email address or username. A custom claim description can also be used to send the user's group membership from AD FS to ETP. See Use claims to send LDAP attributes from AD FS to ETP and Use custom claim description to send group membership from AD FS to ETP.
  8. Upload the AD FS federation metadata to the ETP IdP. AD FS publishes it at https://<federation-service-name>/FederationMetadata/2007-06/FederationMetadata.xml; it contains the AD FS entity ID, endpoints and token-signing certificate that ETP uses to validate responses.
  9. Enable signed SAML requests between ETP and AD FS. This step is optional. When it is enabled, AD FS rejects authentication requests that are not signed with ETP's request-signing certificate, so that certificate must be registered on the relying party trust in AD FS before the setting is turned on.
  10. Enable encrypted SAML responses between ETP and AD FS. This step is optional. When it is enabled, AD FS encrypts the assertion with ETP's encryption certificate, so only ETP can read the claims. Without it the assertion is still signed, but its claims are visible in plaintext to the user's browser.
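The AD FS side of steps 7 through 10, as one added PowerShell example that is not Akamai's or Microsoft's code. It creates the ETP relying party trust, adds the LDAP-attribute and group-membership claim rules, downloads the federation metadata for upload to ETP, and turns on signed requests and encrypted assertions. The entity ID, Assertion Consumer Service URL, certificate paths, the group claim type and the NameID format are assumptions (placeholders) and must be replaced with the values shown on the ETP IdP page; the claim type URIs for email and UPN are the standard AD FS ones. Run it in an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not from the page): configure the ETP relying party trust in AD FS.
# Everything marked "assumption" is a placeholder; take the real value from the ETP IdP page.
Import-Module ADFS

$RpName         = 'Akamai ETP'
$EtpEntityId    = 'https://etp.example.invalid/saml/sp'     # assumption: ETP entity ID / identifier
$EtpAcsUrl      = 'https://etp.example.invalid/saml/acs'    # assumption: ETP Assertion Consumer Service URL
$EtpSigningCer  = 'C:\certs\etp-request-signing.cer'        # assumption: request-signing cert downloaded from ETP (step 9)
$EtpEncryptCer  = 'C:\certs\etp-encryption.cer'             # assumption: encryption cert downloaded from ETP (step 10)
$GroupClaimType = 'http://schemas.xmlsoap.org/claims/Group' # assumption: claim type ETP expects for groups

# --- Step 7a: ETP is the service provider, so it is a relying party trust in AD FS ---
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $EtpAcsUrl -IsDefault $true
if (-not (Get-AdfsRelyingPartyTrust -Name $RpName)) {
    Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $EtpEntityId -SamlEndpoint $acs
}

# --- Step 7b: claim rules. Several rules go in one string, separated by blank lines. ---
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ETP: send email and UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "ETP: send AD group membership (tokenGroups, unqualified names)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "ETP: email address as NameID (assumption: check the format ETP expects)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Authorization rule: let every authenticated AD user reach ETP (tighten for your environment).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The group claim type must exist as a claim description before AD FS will offer it.
if (-not (Get-AdfsClaimDescription -ClaimType $GroupClaimType)) {
    Add-AdfsClaimDescription -Name 'ETP Group' -ClaimType $GroupClaimType -IsOffered $true -IsAccepted $true
}

Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# --- Step 8: fetch the federation metadata that gets uploaded to the ETP IdP ---
$fsn = (Get-AdfsProperties).HostName
$metadataPath = Join-Path $env:TEMP 'adfs-federation-metadata.xml'
Invoke-WebRequest -Uri "https://$fsn/FederationMetadata/2007-06/FederationMetadata.xml" -OutFile $metadataPath
Write-Host "Upload $metadataPath to the ETP IdP configuration."

# --- Step 9 (optional): require signed SAML requests. Register ETP's cert FIRST, or every
# AuthnRequest from ETP is rejected with a signature error. ---
$signCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $EtpSigningCer
Set-AdfsRelyingPartyTrust -TargetName $RpName -RequestSigningCertificate $signCert -SignedSamlRequestsRequired $true

# --- Step 10 (optional): encrypt assertions to ETP's encryption certificate ---
$encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $EtpEncryptCer
Set-AdfsRelyingPartyTrust -TargetName $RpName -EncryptionCertificate $encCert -EncryptClaims $true

# --- Check: confirm what AD FS will actually enforce for this trust ---
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, SignedSamlRequestsRequired, EncryptClaims, SamlEndpoints
```

Test the trust from a client before enabling steps 9 and 10, then enable them one at a time: a signature or encryption mismatch surfaces in the AD FS/Admin event log on the server rather than in ETP, and with both enabled at once it is harder to tell which certificate is wrong.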