Protect Fortified ID apps

Scenario

This use case describes how you configure ADFS to protect a Fortified ID application. We will use the Fortified ID application Portal as the example application.

We will use Microsoft Active Directory as the user store.

Prerequisite

  • Windows server 2019 or later

  • Microsoft Active Directory. Make sure you have a test user, Bobby Clarke, created with the following LDAP attributes:

    • Bobby Clarke (displayName)

    • bobbyc (sAMAccountName)

    • bobby.clarke@fortifiedid.se (mail)

    • carLicense attribute with the values AWS; Zoom; Office 365; Citrix and ServiceNow

  • Microsoft ADFS added as a service

  • FortifiedID Portal installed

  • For convenience all products run on the same machine, so localhost can be used. If you have several servers you need to change localhost to the server name of the respective server.

Configuration of use case environment

Download and add configuration

Remember that this use case does not describe installation of the products. The products are expected to be installed in advance.

  1. Download the ZIP containing the configuration for Portal

    1. Click USE_CASE_LINK to download the customer folders for Portal.

  2. Add the Integrity Portal configuration to your environment.

    1. Add the customer_Portal folder to your \..\fortifiedid\portal\ folder. Rename the existing customer folder to customer_ORG and rename the added one to \customer.

Update the configuration to map your environment

The downloaded folders contain all the information needed. For example, a test certificate and metadata files are included and configured to work with the example applications. However, some data needs to be changed to match your environment: you need to update the LDAP data. Since this example was done on a Windows server, you might need to update file paths if you run something else. The HTTP ports might also need to be changed if they are not available in your environment.

To make it easy, both application folders have a file called globals.json that contains the data you need to change. config.json uses the variables defined in globals.json.

  1. Open globals.json in \..\fortifiedid\portal\config and update:

    1. LDAP data to match your environment

    2. File paths

    3. HTTPS, if needed, for Portal. It is already configured with a self-signed certificate.

  2. When updated, go to Services and start the Fortified ID Portal service.

    Verify in the server.log file that the service is running without errors.

Important notes for this use case

Fortified ID Portal accesses ADFS over HTTPS. This means that Portal needs a certificate for both HTTPS traffic and SAML signing. In this use case we have added self-signed certificates; depending on when you run the use case they may have expired, in which case you need to update them.

Configuration of ADFS and Fortified ID Portal

ADFS and Fortified ID Portal need to be configured individually, for example by exchanging metadata.

Change metadata URL for ADFS in config.json

Portal reads the ADFS metadata from the ADFS metadata URL.

  1. Open Windows Explorer

  2. Open folder C:\Program Files\FortifiedID\portal\customer\config\

  3. Open file config.json

  4. Go to line 52, which contains the line below: "url": "https://ec2amaz-cp7sf2p.company.local/FederationMetadata/2007-06/FederationMetadata.xml"

  5. Change ec2amaz-cp7sf2p.company.local to the server name of your environment. Tip: you can open the URL in a browser to verify the connection. It should download the XML if successful.

  6. Save and restart the Portal service.

Extract metadata from Fortified ID Portal

We extract the metadata file from Fortified ID Portal and provide it to ADFS so that ADFS can trust and find Fortified ID Portal.

  1. Make sure the Fortified ID Portal service is started

  2. Open Windows Explorer

  3. Open folder: C:\Program Files\FortifiedID\portal\customer\config\resources_internal\saml_sp_metadata

  4. Copy sp_portal.xml to a folder on your desktop, for example. Note: sp_portal.xml is generated during startup of the Portal service.
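The browser check of the ADFS metadata URL and the certificate-expiry concern from the notes above can be scripted. This is an added PowerShell helper that is not part of the Fortified ID documentation; the function name Get-SamlMetadataInfo is my own, and the URL and file path are the ones used in this use case.

```powershell
function Get-SamlMetadataInfo {
    param([Parameter(Mandatory)][string]$Source)   # metadata URL or local file path

    # Fetch over HTTPS (the ADFS URL from config.json) or read from disk (sp_portal.xml)
    if ($Source -match '^https?://') {
        [xml]$xml = (Invoke-WebRequest -Uri $Source -UseBasicParsing).Content
    } else {
        [xml]$xml = Get-Content -Path $Source -Raw
    }

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
    $entityId = $xml.DocumentElement.GetAttribute("entityID")

    # Every embedded certificate: KeyDescriptor certs (signing/encryption) and the metadata signature itself
    foreach ($node in $xml.SelectNodes("//ds:X509Certificate", $ns)) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [byte[]][Convert]::FromBase64String($node.InnerText.Trim()))
        $kd  = $node.SelectSingleNode("ancestor::md:KeyDescriptor", $ns)
        $use = "metadata-signature"
        if ($kd) { $use = $kd.GetAttribute("use"); if (-not $use) { $use = "signing+encryption" } }
        [pscustomobject]@{
            EntityId   = $entityId
            KeyUse     = $use
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# The ADFS metadata URL from config.json line 52 (replace the host with your server)...
Get-SamlMetadataInfo "https://ec2amaz-cp7sf2p.company.local/FederationMetadata/2007-06/FederationMetadata.xml" |
    Format-Table KeyUse, Subject, NotAfter, Expired

# ...and the Portal SP metadata generated at service startup, whose self-signed certificate may have expired
Get-SamlMetadataInfo "C:\Program Files\FortifiedID\portal\customer\config\resources_internal\saml_sp_metadata\sp_portal.xml" |
    Format-Table KeyUse, Subject, NotAfter, Expired
```

If the ADFS HTTPS certificate is not trusted by the machine running the script, Invoke-WebRequest fails; fix the trust rather than bypassing validation, since Portal will hit the same problem when it reads the URL.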

Add Fortified ID Portal as a Relying Party Trust in ADFS

  1. Open ADFS tool

  2. Right-click Relying Party Trust

  3. Click Add Relying Party Trust...

  4. Click Start

  5. Click Import data about the relying party from a file

  6. Click Browse and select the sp_portal.xml file copied in the previous section

  7. Click Next

  8. Give the party a name, for example Fortified ID Portal, and click Next

  9. Click Permit everyone and click Next

  10. Click through the tabs and verify that, for example, the Endpoints tab has data about Portal, then click Next

  11. Click Finish

Add Claim Issuance to Portal Relying Party

  1. Open ADFS tool

  2. Click Relying Party Trust

  3. Right-click the Fortified ID Portal relying party trust you just created and click Edit Claim Issuance Policy...

  4. Click Add Rule...

  5. Click OK to close
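The two ADFS wizard sections above can also be scripted with the ADFS PowerShell module. This is an added example, not from the Fortified ID documentation: the SP metadata path is the one from this use case, the "Permit everyone" access control policy matches step 9 of the wizard, and the issuance transform rule is my assumption (the use case does not list its rules); the urn:example claim types are placeholders to be replaced by whatever Portal's config.json expects.

```powershell
Import-Module ADFS

$spMetadata = "C:\Program Files\FortifiedID\portal\customer\config\resources_internal\saml_sp_metadata\sp_portal.xml"

# ASSUMED issuance transform rule: look up the prerequisite attributes of the authenticated user
# in Active Directory and issue them as claims. The multi-valued carLicense attribute becomes
# one claim per value. urn:example:* are placeholder claim types, not values from the use case.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Portal attributes from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "urn:example:sAMAccountName",
                   "urn:example:carLicense"),
          query = ";mail,displayName,sAMAccountName,carLicense;{0}", param = c.Value);
'@

# Wizard steps 5-11: import sp_portal.xml, name the trust and permit everyone
Add-AdfsRelyingPartyTrust -Name "Fortified ID Portal" `
    -MetadataFile $spMetadata `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $transformRules

# What the wizard's Endpoints tab shows: the identifier and SAML endpoints read from sp_portal.xml
$rpt = Get-AdfsRelyingPartyTrust -Name "Fortified ID Portal"
$rpt.Identifier
$rpt.SamlEndpoints | Format-Table Protocol, Binding, Location

# When Portal regenerates sp_portal.xml (for example after renewing its certificate), re-import it:
# Update-AdfsRelyingPartyTrust -TargetName "Fortified ID Portal" -MetadataFile $spMetadata
```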

Test Fortified ID Portal with ADFS

Now all configuration is done. It is time to test.

Start services

Verify in Services that the Fortified ID Portal service and the Active Directory Federation Services service are started.

Login to Portal

  1. Open a browser. A tip is to use Google Chrome together with the SAML Tracer extension.

  2. Browse to https://localhost:8443/portal which is the SAML SP.

  3. You should end up at the ADFS login page, since ADFS is the SAML IdP.

    1. Log in as company\bobbyc (change to your domain name) with the user's password

  4. After logging in successfully you should end up back at Fortified ID Portal
