Configure ADFS as a SAML source

Create the SAML 2.0 application in ADFS

  1. In your AD FS directory view, expand the Trust Relationships folder, and click Relying Party Trusts.
  2. Under Actions, click Add Relying Party Trust.
  3. Click Start.
  4. Select Data Source.
    1. Select Enter data about the relying party manually.
    2. Click Next.
  5. Specify Display Name.
    1. Provide the Relying Party Trust with a display name. We recommend Rapid7 InsightVM Console.
    2. Click Next.
  6. Choose Profile.
    1. Select AD FS profile. This option will explicitly list the SAML 2.0 protocol in its description.
    2. Click Next.
  7. In the Configure Certificate section, click Next.
  8. Configure the ACS URL.
    1. Select Enable support for the SAML 2.0 WebSSO protocol.
    2. In the Relying party SAML 2.0 SSO service URL field, paste the template SSO URL that you copied from the Security Console, for example: https://<console-hostname>:<console-port>/saml/SSO
    3. Click Next.
  9. If the ACS URL contains a hostname/FQDN, you must set a Base Entity URL in the InsightVM Security Console.

Configure Identifiers

  1. In the Relying party trust identifier field, paste the entity ID that you copied from the Security Console, for example http://rapid7.com/nsc/console/…
  2. Click Add, and then click Next.
  3. Do not enable the Configure Multi-factor Authentication Now? option. Instead, click Next.
  4. In the Issuance Authorization Rules section, select Permit all users to access this relying party.
  5. Click Next.

Review Configuration

You can review all your configuration steps at this point in the wizard. After reviewing the configuration and ensuring the Edit Claim Rules option is selected, click Next, Finish, and Close.

Configure Claim Rules in ADFS

You need to create two Claim Rules to properly configure your Relying Party Trust.

After finishing the Relying Party Trust process, the Edit Claim Rules configuration window should display automatically. If it doesn’t display, select (or right-click) your new Relying Party Trust and click Edit Claim Rules.

Configure the LDAP Claims rule

  1. On the Issuance Transform Rules tab, click Add Rule.
  2. Choose the Rule Type.
  3. Select Send LDAP Attributes as Claims.
  4. Click Next.
  5. Configure the Claim Rule and add a name.
  6. Set the Attribute store to Active Directory.
  7. Set the LDAP Attribute to E-Mail-Addresses.
  8. Set the Outgoing Claim Type to E-Mail Address.
  9. Click Finish.

Configure the Email to Name rule

  1. On the Issuance Transform Rules tab, click Add Rule.
  2. Choose the Rule Type.
  3. Select Transform an Incoming Claim, then click Next.
  4. Configure the Claim Rule and add a name.
  5. Set the Incoming claim type to E-Mail Address.
  6. Set the Outgoing claim type to Name ID.
  7. Set the Outgoing name ID format to Email.
  8. Ensure Pass through all claim values is selected.
  9. Click Finish.
  10. Click Apply.

Download and upload SAML metadata

Metadata for Active Directory Federation Services must be downloaded in an XML file from a direct link. Use the following template: https://<adfs-hostname>/FederationMetadata/2007-06/FederationMetadata.xml

  1. Open a new browser window and go to the complete metadata link. A successful connection will automatically trigger a metadata XML file download.
  2. In the Security Console, go to the Administration page.
  3. In the Console section, click Authentication: 2FA and SSO.
  4. Click Configure SAML Source.
  5. Click Choose File and select the Azure metadata XML file.
  6. Click Save.
  7. Restart the console services.

Create a user in the Security Console

  1. On the Administration page, under User Management, click Add User.
  2. Complete the required User Information fields. The E-mail address field is case sensitive, and must exactly match the existing IdP user account email value.
  3. Select SAML Authorization Method > SAML.
  4. Select the User Role.
  5. Assign Site and Asset Group Permissions.
  6. Click Save.

Authenticate to InsightVM using SAML

  1. Generate an ADFS IDP Login URL using a tool, such as https://jackstromberg.com/adfs-relay-state-generator/
  2. Get the IDP URL string, which will be your ADFS .aspx URL, for example: https://adfs.domain.com/adfs/ls/idpinitiatedsignon.aspx
    1. Open the Windows PowerShell command prompt window on the AD FS server.
    2. Select Run as administrator.
    3. Run the following command: Get-ADFSEndpoint
    4. Get the full URL from Protocol SAML 2.0/WS-Federation, then append idpinitiatedsignon.aspx
  3. The Relying Party Identifier is your InsightVM Security Console entity ID URL, for example: http://rapid7.com/nsc/console/…
  4. The Relay State/Target App is your InsightVM Console ACS URL, for example: https://<console-hostname>:<console-port>/saml/SSO
  5. Click Generate URL for a Login URL.
  6. Share the Login URL with your users.
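
For AD FS IdP-initiated sign-on, the Relying Party Identifier and the Relay State/Target App travel in a single RelayState query parameter that is URL-encoded twice. The PowerShell below is an added example, not part of the original page and not Rapid7 or Microsoft code: it builds that Login URL locally and decodes one back so each component can be checked before it is shared. The function names, hostnames, port and entity ID are constructed placeholders.

```powershell
# Added example. New-AdfsIdpLoginUrl and Read-AdfsIdpLoginUrl are hypothetical helper names.
function New-AdfsIdpLoginUrl {
    param(
        [Parameter(Mandatory)][uri]$IdpSignOnUrl,       # AD FS ...idpinitiatedsignon.aspx URL
        [Parameter(Mandatory)][string]$RelyingPartyId,  # Security Console entity ID
        [Parameter(Mandatory)][string]$TargetUrl        # Security Console ACS URL
    )
    if (-not $IdpSignOnUrl.IsAbsoluteUri -or $IdpSignOnUrl.Scheme -ne 'https') {
        throw "IdP sign-on URL must be an absolute https URL: $IdpSignOnUrl"
    }
    if ($IdpSignOnUrl.Query) {
        throw "IdP sign-on URL must not already carry a query string: $IdpSignOnUrl"
    }
    # Inner layer: encode each value, then join them as RPID=...&RelayState=...
    $rpid   = [uri]::EscapeDataString($RelyingPartyId)
    $target = [uri]::EscapeDataString($TargetUrl)
    $inner  = "RPID=$rpid&RelayState=$target"
    # Outer layer: encode the joined string so AD FS receives one RelayState parameter
    $outer  = [uri]::EscapeDataString($inner)
    return "$($IdpSignOnUrl.AbsoluteUri)?RelayState=$outer"
}

function Read-AdfsIdpLoginUrl {
    param([Parameter(Mandatory)][uri]$LoginUrl)
    # Undo the outer layer, split the inner pairs, then undo the inner layer
    $outer  = $LoginUrl.Query.TrimStart('?') -replace '^RelayState=', ''
    $inner  = [uri]::UnescapeDataString($outer)
    $result = [ordered]@{ Endpoint = $LoginUrl.GetLeftPart([System.UriPartial]::Path) }
    foreach ($pair in $inner -split '&') {
        $name, $value = $pair -split '=', 2
        $result[$name] = [uri]::UnescapeDataString($value)
    }
    [pscustomobject]$result
}

# Constructed placeholder values; substitute the ones copied from your own
# AD FS server and Security Console.
$loginUrl = New-AdfsIdpLoginUrl `
    -IdpSignOnUrl   'https://adfs.example.test/adfs/ls/idpinitiatedsignon.aspx' `
    -RelyingPartyId 'http://console.example.test/entity-id-placeholder' `
    -TargetUrl      'https://console.example.test:3780/saml/SSO'

$loginUrl
# Decode it again to confirm the endpoint, RPID and RelayState are the intended ones
Read-AdfsIdpLoginUrl -LoginUrl $loginUrl | Format-List
```

Read-AdfsIdpLoginUrl can also be pointed at a Login URL produced by another generator to confirm that the decoded RPID matches the Relying party trust identifier entered in AD FS.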