Active Directory Federation Services (AD FS)

This guide covers the configuration of a Relying Party Trust in AD FS and the corresponding configuration in ResourceXpress. It does not cover the installation or initial configuration of ADFS.

If you intend to restrict access to ResourceXpress to a specific set of users it is recommended you create a relevant Active Directory security group before proceeding with the AD FS configuration.

Download the ResourceXpress MetaData file

Before downloading the Metadata file ensure you are accessing ResourceXpress via a routable URL. Do not download the file if you are browsing the application from its host server using “localhost”.

If your end-users will be accessing ResourceXpress via a public/external URL ensure you generate the file when browsing this URL not the internal FQDN.

Login to ResourceXpress as an application administrator

Navigate to the SSO Settings tab found on the System Settings page, under the Administration Settings menu header, and download the SPMetadata.xml.

Copy the SPMetadata.xml file to the AD FS server

Enable Forms Authentication in AD FS

Open the AD FS Management utility on your AD FS Server

In the left pane, right-click Authentication Methods and select Edit Primary Authentication Methods…

Ensure Forms Authentication is selected

Create a Relying Party Trust in AD FS

Initial Configuration

Open the AD FS Management utility on your AD FS Server

In the left pane, right-click Relying Party Trusts and select Add Relying Party Trust…

On the initial screen select the Claims aware option then click start

On the Select Data Source screen select the option Import data about the relying party from a file then click Browse…

Locate the SP Metadata file downloaded from ResourceXpress and click Next >

Enter a suitable display name e.g. ResourceXpress and add optional Notes regarding the application then click Next >

On the Choose Access Control Policy page select the option Permit specific group then click the <parameter> option in the Policy window

In the pop-up Select Groups window click Add… then browse for and add the security groups that will have access to ResourceXpress

Once added click Next > to proceed to the Ready to Add Trust window and click Next > again to save the configuration. You will see the new configuration in the Relying Party Trusts main window

Configuring Attributes

Right-click the newly created configuration and select Edit Claim Issuance Policy… then click Add Rule… in the pop-up window

In the Choose Rule Type window drop down the option Claim rule template: and select Send LDAP Attributes as Claims then click Next >

Give the rule a suitable name and select Active Directory as the Attribute store:

Required Claims

Outgoing Claim Name

LDAP Attribute

Outgoing Claim Name

LDAP Attribute

email

E-Mail-Address

firstname

Given-Name

lastname

Surname

Optional Claims

In addition to synchronising users' details, it is also possible to retrieve other attributes that can be used to populate Access Code, RFID and other values in the ResourceXpress local user's database.

To configure this you will need to add more Claims, see the table below for optional Claims.

Claim Name

Information

Claim Name

Information

rfid

The RFID value as read by the ResourceXpress system, used for screen authentication.

accesscode

The users Access Code/PIN, used for screen authentication.

defaultlocation

The ID number for the Location that the user will have default access to.

allowedlocation

A comma separated list of Location ID numbers that the user has access to.

dateformat

The date format for the user.

dd,MM,yyyy → (25,01,2021)
MM/dd/yyyy → (01/25/2021)

roles

A comma separated list of Role ID numbers.

The default role ID values are as below

Super Admin → 1
Server Admin → 2
User Admin → 3
User → 4
Messaging → 5
Reporting → 6
Location Admin → 7

Once you have configured the claims click OK and Apply

You have successfully configured AD FS

Configuring ResourceXpress

Obtaining the IDP MetaData file

Once you have configured AD FS for SSO you will need to download the IDP MetaData file for use in ResourceXpress. To obtain this file navigate to the below URL replacing <ADFS-ServerName> with the FQDN of your AD FS server.

https://<ADFS-ServerName>/FederationMetadata/2007-06/FederationMetadata.xml

Download the file to a suitable location.

Application Configuration

Log in to ResourceXpress with a local administrator account and navigate to Administration Settings - System Settings then select the SSO Settings tab

Click Choose file in the IDP Metadata field, browse to the file previously downloaded from AD FS then click Upload

The URL and Authenticating Authority fields will be auto-populated with the required values

Select the options to Auto create user records from SSO and Sync user details from SSO

Click Save

You have successfully configured SSO via AD FS for ResourceXpress. When a new user navigates to the application URL they will be prompted for their SSO credential, after successfully signing in a new local user account will be created with the User role assigned by default.

 

The following macros are not currently supported in the footer:
  • style