# Importing Service Provider metadata into the Identity Provider To Import the Service Provider metadata, follow these steps: On the Identity Provider Server (Server hosting your domain’s ADFS Server): 1. Open the **Microsoft Management Centre** (MMC) 2. Add the AD FS Management snap-in. 3. Click **File > Add/Remove Snap-in** . 4. Select **AD FS Management** from the list. 5. Click **OK**. 6. Expand the AD FS tree in the new snap-in. 7. Select **Relying Party Trusts**. 8. Right click the folder and select **Add Relying Party Trust**. The Add Relying Party Trust wizard will open. 9. Click **Start**. 10. Select the **Import data about the relying party from a file** option. 11. Click **Browse**. 12. Select the text file with the metadata you saved earlier. 13. Click **Next** 14. Enter a **Display Name** for the party trust. 15. Click **Next** 16. Select the **I Do not want to configure multi-factor authentication settings for this relying party trust at this time** option. 17. Click **Next**. 18. Select **Permit all users to access this relying party** option. 19. Click **Next**, and **Next** again on the **Ready to Add Trust** screen. 20. Click Finish ### Claim Rules Once you have completed the **Add Relying Party Trust Wizard** you will need to configure the rules for the relying party. To configure this: 1. Right Click on the **Relying Party Trust** you just created. 2. Select **Edit Claim Rules**. 3. Click **Add Rule**. The **Add Transform Claim Rule Wizard** will open. 4. Select **Send LDAP Attributes as Claims** as the Claim Rule Template. 5. Click **Next**. 6. Enter a relevant **Claim Rule Name** for the rule. 7. Select **Active Directory** under **Attribute Store** drop-down field. 8. Map the **LDAP Attributes** to **Outgoing Claim Values**. 9. Click **OK**, **Apply** and **OK** to complete the rule. 10. Right click on the Relying Party trust from the MMC snap-in and select **Properties**. 11. Select the Identifiers tab. 12. In the **Relying Party Identifier** field, enter/paste the Service Identifier string extracted from the ASM Service Provider Record. 13. Click **Add**. 14. Click **Advanced** tab. 15. Set the **Secure Hash Algorithm** to **SHA-1** or **SHA-256**; whichever is selected in the Identity Provider details. 16. Click OK ### Note on Claim Rules The Single Sign On Connector does not read the LDAP Attributes directly, instead it reads the attributes received in the Inbound SAML Assertion. **Name ID** is a special SAML Assertion attribute which represents the User Name. The Single Sign On Connector currently ships with mappings for User Name, First Name, Surname and Email Address by default. It is recommended that the Identity Provider Claims be configured for these ASM Single Sign On connector mappings In ADFS, some special cases of the Inbound Claims are translated to similar looking Display Names. However, if you select the names using the drop-down then the actual Outbound Claim appears in the URL formal, which can cause confusion, the Single Sign On Connector therefore translates this back to a value that more closely resembles the display name: Connector receives Email Address and not ``` http://schemas.xmlsoap.org/claims/EmailAddress ```
SAMLADFS LDAP Attribute DisplayADFS Outbound Claim Display *ADFS Outbound Claim ActualConverted ToASM ICNF
Name IDName IDName IDName IDUser NameUser Name
First NameGiven-NameGiven Namehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameFirst NameFirst Name
SurnameSurnameSurnamehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameSurnameSurname
Email AddressE-Mail-AddressesE-Mail Addresshttp://schemas.xmlsoap.org/claims/EmailAddressEmail AddressEmail Address
First NameGiven-NameFirst NameFirst NameFirst Name
**\*ADFS Outbound Claim Display is free text** {% hint style="warning" %} For Azure, you must use the connector and set the matching rules to ensure that users do not have multiple usernames. This is configurable in the Premium version. {% endhint %} ### Person Import and Resource Mapping The Single Sign-On Connector, in the same way as other ASM Directory Services connectors, can allow Person Records to be imported directly into ASM from the Identity Provider. The Person Records in ASM will then be kept up to date. {% hint style="danger" %} In order to use the Single Sign-On Connector an Integration Resource Mapping needs to be configured. {% endhint %} #### Recommended Field Mappings for Single Sign-On Connector Person Import | ASM | Connector Mapping | Identity Provider | | ------------------- | ----------------- | ------------------------------------------------- | | First Name | First Name | First Name | | Surname | Surname | Surname | | User Qualified Name | User Name | User Name | | NT Account Name | User Name | User Name *(must be same as User Qualified Name)* | | Login ID | User Name | User Name *(must be unique)* | | NT Domain Name | *Must be blank* | *Must be blank* | All of the SAML based Identity Providers can be configured to send a variety of attributes with the SAML Security assertions, however it may not always be easily configurable through the respective user interfaces. For example the Active Directory Manager attribute is not exposed through the Microsoft ADFS User Interface. Once the attributes have all been exposed by the Identity Provider the ASM Integration Platform and SSO Connector can easily consume these attributes and import/update Person Records as per other LDAP Connectors, however as this is time consuming and/or requires specific skills to configure the Identity Provider Claims then it may be a consideration to pre populate Users and Analysts using another method such as directly synchronising to an Active Directory Source, bulk import using a CSV file and the CSV Connector or by manual population initially. It is also possible to configure SSO for a brand new system as long as the Username is mapped as above, however the accounts will only be created upon the initial login to ASM, therefore it is again recommended to pre populate the ASM System with Users and Analysts using another method such as directly synchronising to an Active Directory Source, bulk import using a CSV file and the CSV Connector or by manual population in order to have a useable system. Once the Users and Analysts have been pre populated you can then use Resource Matching rules to match to and update the seeded database records with the Identify Provider using the SSO Connector.