Configuring Edge as a Relying Party in ADFS IDP

This document describes how to configure Microsoft Active Directory Federation Services (ADFS) as the identity provider for an Edge organization that has SAML authentication enabled. In SAML terms, ADFS is the identity provider (IdP) and Edge is the relying party (service provider) that consumes its assertions. This example uses ADFS 3.0 on Windows Server 2012 R2.

For information on enabling SAML authentication for an Edge organization, see Enabling SAML Authentication for Edge.

Configuring the Relying Party

  1. Open the ADFS Management console.
  2. Expand Trust Relationships in the tree structure. The Relying Party Trusts folder appears.
  3. Right click on Relying Party Trusts and then select Add Relying Party Trust to open the Relying Party Trust Wizard.
  4. Click Start in the wizard to begin.
  5. In the Select Data Source dialog box, select Import data about the relying party published online or on a local network, enter the metadata URL provided to you by Apigee, and click Next. ADFS takes the relying party identifier (entity ID), the assertion consumer endpoint and the signing and encryption certificates from that metadata, so use the URL exactly as Apigee provided it.
  6. Specify the display name, and click Next. By default, ADFS fills in “zonename.login.apigee.com” (taken from the metadata) as the display name. You can leave it or change it to “Apigee Edge”.
  7. In the Configure Multi-factor Authentication Now? dialog box, select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and click Next.
  8. In the Choose Issuance Authorization Rules dialog box, select Permit all users to access this relying party, and click Next. This rule only decides which authenticated Active Directory users receive an assertion for Edge; Edge still applies its own organization membership and role checks after sign-in.
  9. In the Ready to Add Trust dialog box, review the settings, and then click Next to save your settings.
  10. Click Close to close the wizard. The Edit Claim Rules dialog box should appear, as described in the next section.

Add Claim Rules

The Edit Claim Rules dialog box should open automatically when you complete the Relying Party Trust Wizard in the previous section. If it does not appear, right-click the new relying party trust and select Edit Claim Rules.

In this section you add two claim rules.

  1. Click Add Rule.
  2. In Choose Rule Type, select “Send LDAP Attributes as Claims” as the Claim rule template, and click Next.
  3. Specify the following information:
    • Claim rule name = Email Address
    • Attribute store = Active Directory
    • LDAP Attribute = E-Mail-Addresses
    • Outgoing Claim Type = E-Mail Address
  4. Click Finish. The Edit Claim Rules dialog box appears again with the first rule listed.
  5. Click Add Rule to add a second rule that transforms the incoming claim.
  6. Select Transform an Incoming Claim as the Claim rule template, and click Next.
  7. Specify the following information:
    • Claim rule name = Incoming Email Claim
    • Incoming Claim Type = E-Mail Address
    • Outgoing claim type = Name ID
    • Outgoing name ID format = Email
  8. Click Finish. You should see two claim rules in the Edit Claim Rules dialog box: the first issues the user's Active Directory e-mail address as an E-Mail Address claim, and the second copies it into the SAML Name ID with the Email format.
  9. Click OK. The new relying party trust appears in the left navigation tree.
  10. Right-click the relying party trust and select Properties.
  11. Browse to the Advanced tab. Confirm that Secure hash algorithm is set to SHA-256 (change it from SHA-1 if necessary), and then click Apply. This controls the algorithm ADFS uses to sign the SAML responses it sends to Edge.
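
The two wizard walkthroughs above (creating the relying party trust, then adding the two claim rules and the SHA-256 setting) can also be done from PowerShell on the ADFS server. The script below is an added example written for this page; it is not from the Apigee documentation or from Microsoft. It assumes ADFS 3.0 on Windows Server 2012 R2, an elevated PowerShell session on the ADFS server, that the Apigee-provided metadata URL is passed in as the `$MetadataUrl` parameter, and that the `mail` attribute holds the user's e-mail address (which is what the E-Mail-Addresses choice in the wizard maps to). The claim rule text is the same claim rule language the wizard generates for the “Send LDAP Attributes as Claims” and “Transform an Incoming Claim” templates.

```powershell
# Added example: scripted equivalent of the ADFS wizard steps on this page.
# Assumptions: ADFS 3.0 on Windows Server 2012 R2, run elevated on the ADFS server,
# and the relying party metadata URL from Apigee supplied as -MetadataUrl.
param(
    [Parameter(Mandatory = $true)][string]$MetadataUrl,   # metadata URL provided to you by Apigee
    [string]$Name = "Apigee Edge"                         # display name of the relying party trust
)

Import-Module ADFS

# Standard claim type URIs behind the wizard's "E-Mail Address" and "Name ID" choices.
$EmailClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$NameIdClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$NameIdFmt   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
$EmailFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Rule 1 ("Send LDAP Attributes as Claims"): AD 'mail' attribute -> E-Mail Address claim.
# Rule 2 ("Transform an Incoming Claim"): E-Mail Address -> Name ID, outgoing format Email.
$TransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$EmailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Incoming Email Claim"
c:[Type == "$EmailClaim"]
 => issue(Type = "$NameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$NameIdFmt"] = "$EmailFormat");
"@

# Issuance authorization: "Permit all users to access this relying party".
# Any AD user who authenticates gets an assertion; Edge organization roles still apply.
$AuthzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Create the trust from Apigee's metadata (identifier, ACS endpoint and certificates are
# imported from it), attach both rule sets, and sign responses with RSA-SHA256 as the
# Advanced tab step requires.
Add-AdfsRelyingPartyTrust -Name $Name `
    -MetadataUrl $MetadataUrl `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Check what was actually stored: Identifier should be the entity ID from the Apigee
# metadata and SignatureAlgorithm must end in rsa-sha256.
Get-AdfsRelyingPartyTrust -Name $Name |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules, IssuanceAuthorizationRules |
    Format-List
```

The final `Get-AdfsRelyingPartyTrust` call is the check worth keeping even if you used the wizard: it shows the identifier imported from the metadata, the signature algorithm, and the exact rule text, so a trust that was created with SHA-1 or with a missing Name ID transform is visible without clicking through the console.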

You have completed the configuration. To verify it, sign in to Edge for the SAML-enabled zone: ADFS should prompt for Active Directory credentials and return you to Edge signed in as the user whose Active Directory e-mail address was issued as the Name ID.