- User John Doe from the Account Partner Organization (mideye.com) navigates to https://dev-sts.mideye.com:8843/Login.aspx. This web application is published using WAP and ADFS from the Resource Partner Organization (dev.mideye.se).
- When the user enters his UPN at the login page (email@example.com), a redirect to the Account Partner Organization's ADFS takes place, and the user can authenticate using the local Active Directory.
- If the authentication is successful, the user is redirected back to the Resource Partner Organization.
- ADFS uses the Mideye Service Attribute Store (MSAS) to send the request to the Mideye Server.
- The pre-listed approver(s) get a notification in the Mideye+ app stating that John Doe with username firstname.lastname@example.org wants to access the resource “Web Server”. The approver can choose to accept or deny the login.
- If the login is approved, John Doe is redirected to https://dev-sts.mideye.com:8843 and granted access.
In the illustration above the Resource Partner Organization (dev.mideye.se) provides the ADFS-enabled application, which is already integrated as a relying party on the AD FS server.
The Account Partner Organization (APO), where the partner accounts exist, wants access to the ADFS-enabled application located in the RPO infrastructure using their own credentials. This can be done by creating a trust between the RPO and the APO. The resource organization needs to have full control over all logins from the account partner. This can be done by installing the Mideye Service Attribute Store (MSAS), which enables assisted login.
This guide assumes that both the resource partner and the account partner already have a functional ADFS environment that is reachable from the internet through a proxy. The resource partner must have a Mideye Server running at least release 5.5.4.
Configuration on the Resource Partner Organization
Installing the Mideye ADFS package
Download the Mideye ADFS package from https://downloads.mideye.com. Follow the installation instructions here: Microsoft ADFS | (mideye.com).
Configure the Mideye Service Attribute Store
Open ADFS-management console and navigate to “Service” followed by “Claim Descriptions”. Click “Add Claim Description”.
Add the following properties to the new claim:
- Display name: Is Mideye Authenticated
- Short Name: mideyeauthenticated
- Claim identifier: http://www.mideye.com/2020/10/claims/authenticated
Click “OK” to save the new claim.
Navigate to “Service” followed by “Attribute Stores”. Click “Add Custom Attribute Store”.
Add the following Properties to the new custom attribute store:
- Display name: Mideye Attribute Store
- Custom attribute store class name: Mideye.ADFS.AttributeStore.StrongAuthentication, Mideye.ADFS
Click “OK” to save.
Set up a trust to the Account Partner
Navigate to “Claims Provider Trusts” and click “Add Claims Provider Trust”. Complete the wizard by importing the Account Partner's metadata.
Select the claims provider and select “Edit Claim Rules”.
Click “Add Rule” and select “Send Claims using a Custom Rule”. Click “Next”.
Add the following properties:
- Claim Rule Name: Mideye Assisted Login
- Custom Rule:
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid"] => issue(store = "Mideye Attribute Store", types = ("http://www.mideye.com/2020/10/claims/authenticated"), query = "AssistedLogin", param = c1.Value, param = c2.Value, param = "", param = "", param = "");
Click “Finish” followed by “OK”.
The parameters are as follows:
- Param1: UserID
- Param2: ResourceIdentifier
- Param3: User Display Name
- Param4: Company Name
- Param5: MSISDN
Edit the published ADFS-enabled web application
Navigate to “Relying Party Trusts”. Select the relying party for the published web application and click “Edit Claim Issuance Policy”. Click “Add Rule”. Select “Pass Through or Filter an Incoming Claim” and click “Next”.
In the claim rule name, enter Mideye Authenticated and select “Is Mideye Authenticated” as the incoming claim type.
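As an added example (not part of this guide or of the Mideye package), the same Resource Partner ADFS configuration done with the ADFS PowerShell module instead of the management console; the account partner name, its metadata URL and the relying party name are assumed placeholders that must be replaced with your own values:

```powershell
# Added example, not from the Mideye guide: the Resource Partner ADFS steps above
# (claim description, attribute store, claims provider trust rule, pass-through rule)
# done with the ADFS PowerShell module. Run in an elevated prompt on the ADFS server.
# Partner name, metadata URL and relying party name are placeholders.
Import-Module ADFS

$claimType = "http://www.mideye.com/2020/10/claims/authenticated"
$cpName    = "Account Partner (placeholder)"
$rpName    = "Web Server"   # must equal the Resource field in the Mideye profile

# 1. Claim description (Service > Claim Descriptions)
Add-AdfsClaimDescription -Name "Is Mideye Authenticated" -ShortName "mideyeauthenticated" `
    -ClaimType $claimType -IsOffered $true -IsAccepted $true

# 2. Custom attribute store provided by the Mideye ADFS package (Service > Attribute Stores)
Add-AdfsAttributeStore -Name "Mideye Attribute Store" `
    -TypeQualifiedName "Mideye.ADFS.AttributeStore.StrongAuthentication, Mideye.ADFS" `
    -Configuration @{}

# 3. Claims provider trust to the Account Partner, imported from its federation metadata
Add-AdfsClaimsProviderTrust -Name $cpName `
    -MetadataUrl "https://sts.account-partner.example/FederationMetadata/2007-06/FederationMetadata.xml"

# 4. Acceptance rule: ask the Mideye Server for an assisted-login decision. Params are
#    UserID (UPN) and ResourceIdentifier; display name, company and MSISDN left empty.
$assistedLogin = @'
@RuleName = "Mideye Assisted Login"
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid"]
 => issue(store = "Mideye Attribute Store",
          types = ("http://www.mideye.com/2020/10/claims/authenticated"),
          query = "AssistedLogin",
          param = c1.Value, param = c2.Value, param = "", param = "", param = "");
'@
$cpRules = (Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName $cpName `
    -AcceptanceTransformRules ($cpRules + "`n" + $assistedLogin)

# 5. Pass the Mideye claim through to the published application's relying party,
#    appending to its existing issuance rules so the app keeps its own claims.
$passThrough = @"
@RuleName = "Mideye Authenticated"
c:[Type == "$claimType"] => issue(claim = c);
"@
$rpRules = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($rpRules + "`n" + $passThrough)
```

After running it, Get-AdfsClaimsProviderTrust -Name and Get-AdfsRelyingPartyTrust -Name show the resulting rule sets, which should match what the console steps produce.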
Mideye Server Configuration
Login to the Mideye Server Web GUI and navigate to “Configuration” followed by “Assisted login profiles”. Click the “+” in the top right corner. Select “Federation Assisted Login Profile” and click “Create”.
Give the profile a friendly name. The Resource field must be identical to the name of the relying party that is used by the published web application.
To verify the name of the resource, open an elevated PowerShell prompt and type Get-AdfsRelyingPartyTrust -Name “name of relying party”. Copy the output from the Name row and paste it into the Resource field on the Mideye Server.
Navigate to the “Approver” tab. Specify a group of users that will have permission to approve a login, or add a single user using the UPN. If a group is selected, it should be given in DN format.
Navigate to the “User” tab. Select when to trigger a federated assisted login using UPN, domain or regular expression.
The last step is to enable assisted login on the RADIUS client. Navigate to “Configuration” followed by “RADIUS clients”. Edit the RADIUS client created for ADFS and select the “Assisted Login” tab. Add the federated assisted login profile created in the step above to “Assisted Login Profile” and click “Save”.
Add a relying party trust from the Account organization
On the account organization, open the ADFS management console and navigate to “Relying Party Trusts”. Click “Add Relying Party Trust” and finish the wizard using the metadata from the Resource Partner Organization.
For further support please contact Mideye support, email@example.com, +46854514750.