Configuring external authentication using SAML and ADFS on ESA

msepic
Level 1

Dear all,

We are in the process of configuring external authentication using SAML and ADFS on ESA, but are having problems configuring the IdP side. The user guide for AsyncOS is pretty vague on that part, with the sample custom rule returning an error (it is obvious why), and the Issuance Transform Rule part being unclear on the exact LDAP Attribute / Outgoing Claim Type to choose for Email/Group. Is there anyone with a working ESA SAML integration with ADFS who can share the Issuance Transform Rules information from ADFS?

  • Add a custom rule to include SPNameQualifier in the response. The following is a sample custom rule:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => 
    issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer=
    c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, 
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", 
    Properties ["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = 
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
  • Edit the Claim Rule and add an Issuance Transform Rule to send the LDAP attribute for email address as an outgoing claim type (email address). Also ensure that you add an Issuance Transform Rule to send the LDAP attribute for group attribute as an outgoing claim type (unspecified groups).

Best regards
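An added example, not part of the original post and not taken from the AsyncOS user guide, showing the two ADFS rules the quoted guide steps describe, applied to the relying party trust with the ADFS PowerShell module. The guide's sample custom rule assigns the NameID format property twice with conflicting values; this version assigns it once (emailAddress) and adds the SPNameQualifier property the guide says the response must carry. The relying party name "ESA", the entity ID "https://esa.example.com/", the Group claim type and the choice of unqualified tokenGroups are assumptions: they must match the SAML profile configured on the ESA.

```powershell
# Added example (not the original poster's code, not from the AsyncOS guide).
# Assumptions, to be adjusted to the ESA's SAML profile:
#   - "ESA" is the name of the relying party trust created in ADFS
#   - $EsaEntityId is the ESA's SAML SP entity ID (placeholder value)
#   - the group claim type and the tokenGroups variant (unqualified names here,
#     or tokenGroups(domainQualifiedName) for DOMAIN\group form) must match the
#     Group Attribute Name and group values the ESA is configured to match against
Import-Module ADFS

$EsaRpName   = "ESA"                        # assumed relying party trust name
$EsaEntityId = "https://esa.example.com/"   # assumed SP entity ID, placeholder

$IssuanceTransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "ESA: email and groups from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";mail,tokenGroups;{0}", param = c.Value);

@RuleName = "ESA: NameID in emailAddress format with SPNameQualifier"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"]
            = "$EsaEntityId");
"@

# Without an issuance authorization rule ADFS issues nothing to the RP;
# this permits all authenticated users (tighten to a group if required).
$IssuanceAuthorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Set-AdfsRelyingPartyTrust -TargetName $EsaRpName `
    -IssuanceTransformRules $IssuanceTransformRules `
    -IssuanceAuthorizationRules $IssuanceAuthorizationRules

# Read back what ADFS will now issue to this relying party.
(Get-AdfsRelyingPartyTrust -Name $EsaRpName).IssuanceTransformRules
```

The first rule is what the ADFS GUI's "Send LDAP Attributes as Claims" template produces when E-Mail-Addresses is mapped to the E-Mail Address claim and Token-Groups - Unqualified Names to the Group claim; the second is the custom rule from the guide with the duplicate format property removed. Check the result with a SAML trace from the browser: the Subject's NameID must carry Format emailAddress and SPNameQualifier equal to the entity ID the ESA was configured with, and the group AttributeStatement must use the claim type the ESA is told to look for.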
