Microsoft ADFS – Assisted login

  1. User John Doe from Account Partner Orgianization ( navigate to This web application is published using WAP and ADFS from the Resource Partner Organization (
  2. When the user enters his UPN at the login page ( a redirect to the Account Partner Organization ADFS takes place, and the user can authenticate using the local Active Directory.
  3. If the authentication is successful, the user will be redirected back to to the Resource Partner Organization.
  4. ADFS will use Mideye Service Attribute Store (MSAS) and send the request to the Mideye Server.
  5. The pre-listed approver(s) will get a notification in the Mideye+ app stating that John Doe with username want to access resource “Web Server”. The approver can choose to accept or deny the login
  6. John Doe is granted access and a redirect takes place to where the user is granted access.

In the illustration above the Resource Partner Organization ( provides the ADFS-Enabled application which is already integrated as an relaying party on the AD FS Server.

Account Partner Organization(APO) where the partner accounts exists, want access to the ADFS-enabled application located in RPO infrastructure using their own credentials. This can be done by creating a trust between the RPO and APO. The resource organization need to have full control over all logins from the account partner. This can be done by installing Mideye Service Attribute Store (MSAS) which will enable assisted login.

This guide will assume that both the resource partner and the account partner already have a functional ADFS-environment that are reachable from the internet using a proxy. The resource partner must have a Mideye Server running at least release 5.5.4.

Configuration on the Resource Partner Organization

Installing the Mideye ADFS package

Download Mideye ADFS package from Follow the installations instruction here: Microsoft ADFS | (

Configure the Mideye Service Attribute Store

Open ADFS-management console and navigate to “Service” followed by “Claim Descriptions”. Click “Add Claim Description”.

Add the following properties to the new claims:

  • Display name: Is Mideye Authenticated
  • Short Name: mideyeauthenticated
  • Claim identifier:

Click “OK” to save the new claim.

Create a new Claim

Navigate to “Service” followed by “Attribute Stores”. Click “Add Custom Attribute Store”.

Add the following Properties to the new custom attribute store:

  • Display name: Mideye Attribute Store
  • Custom attribute store class name: Mideye.ADFS.AttributeStore.StrongAuthentication, Mideye.ADFS

Click “OK” to save.

Setup a trust to the Account Partner

Navigate to “Claims Provider Trusts” and click “Add Claims Provider Trust” Complete the wizard by importing the Account Partners metadata.

Select the Claim Provider and select “Edit Claim Rules”

Click “Add Rule” and select “Send Claims using a Custom Rule”. Click “Next”.

Select Send Claims using a Custom Rule

Add the following properties:

  • Claim Rule Name: Mideye Assisted Login
  • Custom Rule:
c1:[Type == ""]
&& c2:[Type == ""]
=> issue(store = "Mideye Attribute Store", types = (""), query = "AssistedLogin", param = c1.Value, param = c2.Value, param = "", param = "", param = "");

Click "Finish" followed by "OK".

Where the parameters are as followed:

  • Param1: UserID
  • Param2: ResourceIdentifier
  • Param3: User Display Name
  • Param4: Company Name
  • Param5: MSISDN

Edit the pusblished ADFS-enabled web application

Navigate to “Relaying Party Trusts”. Select the relaying party for the published web applicattion and click “Edit Claim Issuance Policy”. Click “Add Rule”. Select “Pass Through or Filter an incoming Claim” and click “Next”.

In the claim rule name, add Mideye Authenticated and select “Is Mideye Authenticated” as incoming claim type

Type “Mideye authenticated” and select “Is Mideye Authenticated”

Mideye Server Configuration

Login to the Mideye Server Web GUI and navigate to “Configuration” followed by “Assisted login profiles”. Click the “+” in the top right corner. Select “Federation Assisted Login Profile” and click “Create”.

Select Federation Assisted Login Profile and click “create”

Give the profile a friendly name. The resource field must be identical to the name of the Relaying party that is used by the published web application.

To verify the name of the resource, open an elevated powershell prompt and type Get-AdfsRelayingPartyTrust -name “name of relayingparty”. Copy the output from the Name row and paste it into the Resource field on the Mideye Server.

Add the Name of the relaying party trust
Paste it into the Resource field and give the assisted login profile a friendly name. Click “Approver”.

Navigate to the “Approver” tab. Specify a group of users that will have permission to approve a login or add a single user using the UPN. If a group is selected it should be in DN-format.

Add approvers to the profile

Navigate to the “User” tab. Select when to trigger a federated assisted login using UPN, domain or regular expression.

Add a rule to specify when to trigger the assisted login profile. Click “Save”.

Last step is to enable assisted login on the RADIUS-client. Navigate to Configuration followed by RADIUS clients. Edit the RADIUS-client created for ADFS and select the “Assisted Login” tab. Add the federated assisted login profile created in the step above to the “Assisted Login Profile” and click “Save”.

Enable assisted login on the RADIUS-client

Add a relaying party trust from the Account organization

On the account organization, open the ADFS-management portal and navigate to Relaying Party Trusts. Click “Add Relaying Party Trust” and finish the wizard using the metadata from the Resource Partner Organization.


For further support please contact Mideye support,, +46854514750.