Highq Hub Sso Adfs Config


HighQ Hub SSO

ADFS Configuration
HighQ Hub SSO – ADFS Configuration

Index

Introduction

Install Active Directory Federation Services (AD FS)

Microsoft Windows Server 2008 R2 AD FS

Microsoft Windows Server 2012 R2 AD FS

Microsoft Windows Server 2016 AD FS

Configure AD FS for HighQ Hub SSO

© HighQ Solutions Limited 3-Sep-18. Commercial in confidence.



Introduction
This document will take you through the necessary steps required to configure your Active Directory
Federation Services server to work with HighQ Hub.

If you do not have an AD FS server you will need to follow the Microsoft links provided, which will walk
you through setting up a server in your network.

Install Active Directory Federation Services (AD FS)

Microsoft Windows Server 2008 R2 AD FS
This is often referred to as AD FS 2.0, after the install file that is downloaded to set up AD FS for
Microsoft Windows Server 2008. Instructions on how to install AD FS are available from Microsoft:

https://technet.microsoft.com/en-us/library/dd378922(v=ws.10).aspx#BKMK_2

Microsoft Windows Server 2012 R2 AD FS


This version is known as AD FS Windows Server 2012 R2 in all official Microsoft documentation and is
referred to colloquially as AD FS 3.0. Instructions on how to install AD FS Windows Server 2012 R2 are
available from Microsoft:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-the-ad-fs-role-service

Microsoft Windows Server 2016 AD FS


This version is known as AD FS Windows Server 2016 in all official Microsoft documentation. Instructions
on how to install AD FS Windows Server 2016 are available from Microsoft:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-the-ad-fs-role-service


Configure AD FS for HighQ Hub SSO


1. Open AD FS 2.0 Management

2. Expand Trust Relationships > Relying Party Trusts


2.1. Click on Add Relying Party Trust in the Actions pane on the right.


2.2. Click Start to continue

2.3. Select the first option, “Import data about the relying party…….”


2.4. Enter the URL for the Federation metadata address:

https://highqhub.com/highqhub/getMetadata.action


2.5. Enter Display name: www.highqhub.com


2.6. On the next screen, select “Permit all users to access this relying party”.


2.7. Click Next.


2.8. Click Close.


3. Right-click www.highqhub.com and select Edit Claim Rules

3.1. Click the "Add Rule" button. The Select Rule Template window opens.


3.2. Select "Send LDAP Attributes as Claims" from "Claim rule template" drop down, and click Next.

3.3. On the next screen, fill out the following:

• Enter a rule name in the "Claim rule name:" textbox.

• Select "Active Directory" from the "Attribute store:" dropdown.

• Select the value for "Mapping of LDAP attributes to outgoing claim types:"

• Select "E-mail-addresses" from "LDAP Attribute" and enter "mail" in "Outgoing Claim Type".


• Click Finish and Apply.


3.4. To add a second claim rule, click “Add Rule”.

3.5. Select "Send Claims Using a Custom Rule" from the "Claim rule template" drop down and click
Next.


• Give the claim rule the name "create Name Transient ID" in the "Claim rule name:" textbox.
• Copy the code below into the Custom rule box:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "_OpaqueIdStore", types = ("http://www.highqhub.com/internal/persistentId"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);

Please note that the spacing is very important; ensure that the copied text
retains the same spacing.

3.6. Click on Finish.


3.7. For the third rule, click the “Add Rule” button.

3.8. Select "Send Claims Using a Custom Rule" from the "Claim rule template" drop down and click
Next.


• Give the claim rule the name "Issue Transient Name id" in the "Claim rule name:" textbox.
• Copy the code below into the Custom rule box:

c:[Type == "http://www.highqhub.com/internal/persistentId"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

Please note that the spacing is very important; ensure that the copied text
retains the same spacing.

3.9. Click Finish, then Apply, then OK.
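
The wizard steps 2.1 to 3.9 can also be scripted and then read back for review. The PowerShell below is an added example, not part of HighQ's document: it assumes the ADFS module on Windows Server 2012 R2 or later, writes the step 3.3 template rule and the step 2.6 permit rule in claim rule language, and uses the hypothetical name "Send mail" for the first rule, which the document leaves to the reader.

```powershell
# Added example, not HighQ's own script. Run on the primary AD FS server.
Import-Module ADFS

$name        = 'www.highqhub.com'                                  # step 2.5
$metadataUrl = 'https://highqhub.com/highqhub/getMetadata.action'  # step 2.4

# Rule 1 is what the "Send LDAP Attributes as Claims" template produces for
# E-mail-Addresses -> mail ("Send mail" is an assumed rule name).
# Rules 2 and 3 are the custom rules from steps 3.5 and 3.8.
$transformRules = @'
@RuleName = "Send mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("mail"), query = ";mail;{0}", param = c.Value);

@RuleName = "create Name Transient ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "_OpaqueIdStore", types = ("http://www.highqhub.com/internal/persistentId"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);

@RuleName = "Issue Transient Name id"
c:[Type == "http://www.highqhub.com/internal/persistentId"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Step 2.6, "Permit all users to access this relying party", as a rule.
$authRules = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$trust = @{
    Name                       = $name
    MetadataUrl                = $metadataUrl
    IssuanceTransformRules     = $transformRules
    IssuanceAuthorizationRules = $authRules
}
Add-AdfsRelyingPartyTrust @trust

# Read the trust back and confirm all three transform rules were stored.
$rp = Get-AdfsRelyingPartyTrust -Name $name
$rp | Format-List Name, Identifier, Enabled, MetadataUrl
foreach ($rule in 'Send mail', 'create Name Transient ID', 'Issue Transient Name id') {
    if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($rule)) {
        Write-Warning "Claim rule missing from trust: $rule"
    }
}
```

The Identifier printed by the read-back comes from the imported federation metadata, so it is worth comparing against the value HighQ expects before users are directed to the new trust.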
