Version 2021

Integrating SAML Support with AD FS

This procedure provides specific details about integrating MicroStrategy Web, Library, and Mobile with AD FS. All steps below are performed in the AD FS Management Console. Additionally, the following steps assume that SAML is already enabled on the AD FS server.

  1. Download the IDP metadata.

    1. In Server Manager, go to Tools > AD FS Management.

    2. Go to the Endpoints menu and locate the Federation Metadata entry point. The entry contains a field similar to /FederationMetadata/2007-06/FederationMetadata.xml.

    3. In any browser, enter the URL using the format <ADFS Server base URL>/<Metadata entry point> to download the metadata file to the browser's Downloads folder.

      In this example, we navigate to https://cl-desp-adfs.techsecurity.com/FederationMetadata/2007-06/FederationMetadata.xml from the ADFS server machine because ADFS access is restricted to that machine.

    4. Copy the metadata file into your Web application's WEB-INF/classes/resources/SAML folder.

    5. Copy the metadata file into your Library application's MicroStrategyLibrary/WEB-INF/classes/auth/SAML folder.

    6. Copy the metadata file into your Mobile application's WEB-INF/classes/resources/SAML folder.

    7. Rename the copied metadata file to IDPMetadata.xml.
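
The download, check, and copy in step 1 can also be done from a PowerShell session on the AD FS server. The script below is an added example and is not part of the MicroStrategy documentation or product; the base URL and the three application folder paths are placeholders you must replace. Beyond the steps above, it parses the downloaded file and prints the IdP entityID and the signing certificate thumbprint and expiry, so you can confirm that what the Web, Library, and Mobile applications will trust is the current AD FS token-signing certificate before copying it into place.

```powershell
# Added example (not from the MicroStrategy documentation): fetch the AD FS
# federation metadata, sanity-check it, and place it as IDPMetadata.xml in the
# Web, Library, and Mobile SAML folders named in step 1.
# Assumptions (placeholders, adjust for your environment):
$AdfsBaseUrl  = 'https://adfs.example.com'                      # your AD FS base URL
$MetadataPath = '/FederationMetadata/2007-06/FederationMetadata.xml'
$Download     = Join-Path $env:TEMP 'FederationMetadata.xml'
$Targets = @(
    'C:\Tomcat\webapps\MicroStrategy\WEB-INF\classes\resources\SAML',        # Web
    'C:\Tomcat\webapps\MicroStrategyLibrary\WEB-INF\classes\auth\SAML',      # Library
    'C:\Tomcat\webapps\MicroStrategyMobile\WEB-INF\classes\resources\SAML'   # Mobile
)

# 1. Download over HTTPS only. The file carries the IdP signing certificate
#    that every SAML assertion will be validated against, so it must not be
#    fetched over a channel where it could be swapped.
if ($AdfsBaseUrl -notmatch '^https://') { throw 'AD FS base URL must use https' }
Invoke-WebRequest -Uri ($AdfsBaseUrl + $MetadataPath) -OutFile $Download -UseBasicParsing

# 2. Parse the file and check the parts the service provider will rely on.
[xml]$md = Get-Content -Path $Download -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
if (-not $entity) { throw 'Not a SAML 2.0 EntityDescriptor' }
Write-Host "entityID : $($entity.GetAttribute('entityID'))"

$idp = $md.SelectSingleNode('//md:IDPSSODescriptor', $ns)
if (-not $idp) { throw 'Metadata has no IDPSSODescriptor (not an IdP?)' }

# Print thumbprint and expiry of each signing certificate so the operator can
# compare them with the token-signing certificate shown in AD FS Management.
$certs = $idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if ($certs.Count -eq 0) { throw 'No signing certificate in IdP metadata' }
foreach ($c in $certs) {
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        [Convert]::FromBase64String($c.InnerText.Trim()))
    Write-Host ("signing cert: {0}  expires {1}" -f $x509.Thumbprint, $x509.NotAfter)
    if ($x509.NotAfter -lt (Get-Date)) { throw "Signing certificate $($x509.Thumbprint) is expired" }
}

# 3. Copy into each application's SAML folder under the file name the
#    applications expect (steps 1.4 to 1.7).
foreach ($dir in $Targets) {
    if (-not (Test-Path $dir)) { throw "Missing folder: $dir" }
    Copy-Item -Path $Download -Destination (Join-Path $dir 'IDPMetadata.xml') -Force
    Write-Host "Placed IDPMetadata.xml in $dir"
}
```

The script stops before copying if the metadata is not an IdP descriptor or if a signing certificate has already expired; re-run it after the AD FS token-signing certificate rolls over, since the applications only trust the certificate embedded in the copy they hold.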

  2. Establish trust between the Web server and Intelligence server. See Single Sign-On with SAML Authentication for JSP Web and Mobile for more information.

  3. Generate SAML configuration files. See Single Sign-On with SAML Authentication for JSP Web and Mobile for more information.

  4. Add the admin user or user groups in WEB-INF/classes/resources/SAML/MstrSamlConfig.xml.

  5. Register MicroStrategy Web, Library, and Mobile with the ADFS server.

    1. Copy the SPMetadata.xml file from your Web application's WEB-INF/classes/resources/SAML folder to the ADFS server machine.

    2. Copy the SPMetadata.xml file from your Library application's WEB-INF/classes/auth/SAML folder to the ADFS server machine.

    3. Copy the SPMetadata.xml file from your Mobile application's WEB-INF/classes/resources/SAML folder to the ADFS server machine.

    4. In the Console tree, right-click Relying Party Trusts > Add Relying Party Trust.

    5. In the Select Data Source pane, select Import data from the relying party from a file.

    6. Click Browse and locate the metadata file.

    7. Leave the remaining options as default.

  6. Add claim rules for the registered relying party trust. See Integrating SAML Support for ADFS for more information.

    1. Right-click your registered application in ADFS > Edit Claim Rules.

    2. Add the claim rules one at a time and complete the setup in AD FS. The sub-steps below show how a single rule is created; the list at the end gives all of the mappings used in this example. Each rule is created the same way, as shown in the following screenshot.

      1. Select Send LDAP Attributes as Claims as the claim rule template.

      2. Select the name shown in the screenshot for the claim rule name.

      3. From the Attribute store drop-down, choose Active Directory.

      4. From the LDAP Attribute drop-down, choose an option. This option is the information taken from your Active Directory user.

      5. From the Outgoing Claim Type drop-down, choose an option.

      6. The following are the mappings (LDAP attribute -> outgoing claim type) for the rules used in this example:
        • User-Principal-Name -> Name
        • E-Mail-Addresses -> Name ID
        • Token-Groups - Unqualified Names -> Groups
        • Display-Name -> DisplayName
        • User-Principal-Name -> DistinguishedName
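
Steps 5 and 6 can also be performed with the AD FS PowerShell module, which is useful when the same registration has to be repeated for Web, Library, and Mobile or across environments. The script below is an added example and is not part of the MicroStrategy documentation or product. It assumes an elevated PowerShell session on the AD FS server, a placeholder trust name and SPMetadata.xml path, and that the five outgoing claim types are exactly the names listed in step 6 (including the custom names Groups, DisplayName, and DistinguishedName). The rule text it generates is the AD FS claim rule language that the Send LDAP Attributes as Claims template produces behind the console.

```powershell
# Added example (not from the MicroStrategy documentation): register one
# MicroStrategy relying party trust from its SPMetadata.xml (step 5) and
# attach the five "Send LDAP Attributes as Claims" rules from step 6.
# Assumptions (placeholders): the trust name and metadata path below, and an
# elevated session on an AD FS 2012 R2 or later server.
Import-Module ADFS

$TrustName  = 'MicroStrategy Web'            # placeholder display name
$SpMetadata = 'C:\Temp\Web\SPMetadata.xml'   # file copied in step 5.1

# LDAP attribute -> outgoing claim type, as listed in step 6. The LDAP names
# are what the console's friendly labels stand for:
#   User-Principal-Name = userPrincipalName, E-Mail-Addresses = mail,
#   Token-Groups - Unqualified Names = tokenGroups, Display-Name = displayName.
$Mappings = @(
    @{ Name = 'UPN to Name';              Ldap = 'userPrincipalName'; Claim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' },
    @{ Name = 'Mail to Name ID';          Ldap = 'mail';              Claim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' },
    @{ Name = 'Token groups to Groups';   Ldap = 'tokenGroups';       Claim = 'Groups' },
    @{ Name = 'Display name';             Ldap = 'displayName';       Claim = 'DisplayName' },
    @{ Name = 'UPN to DistinguishedName'; Ldap = 'userPrincipalName'; Claim = 'DistinguishedName' }
)

# Build one claim rule per mapping in AD FS claim rule language. This is the
# text the "Send LDAP Attributes as Claims" template generates behind the GUI.
function New-LdapClaimRule {
    param([string]$RuleName, [string]$LdapAttribute, [string]$ClaimType)
@"
@RuleTemplate = "LdapClaims"
@RuleName = "$RuleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$ClaimType"), query = ";$LdapAttribute;{0}", param = c.Value);
"@
}

$issuanceRules = ($Mappings | ForEach-Object {
    New-LdapClaimRule -RuleName $_.Name -LdapAttribute $_.Ldap -ClaimType $_.Claim
}) -join "`r`n"

# Step 5: import the SP metadata (entityID, assertion consumer endpoints,
# SP certificates). Refuse to silently overwrite an existing trust.
if (-not (Test-Path $SpMetadata)) { throw "SPMetadata.xml not found: $SpMetadata" }
if (Get-AdfsRelyingPartyTrust -Name $TrustName) {
    throw "A relying party trust named '$TrustName' already exists; remove or rename it first"
}
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $SpMetadata

# Step 6: attach the issuance transform rules. A trust created from PowerShell
# has no issuance authorization rule, so none of these claims would ever be
# issued; "permit everyone" matches the console wizard's default and should be
# narrowed to a group-based rule for production.
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $permitAll

# Show what AD FS stored so it can be compared with the Edit Claim Rules view.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

Run the script once per application, changing $TrustName and $SpMetadata for Library and Mobile. The final Get-AdfsRelyingPartyTrust call prints the stored rule set, which should list the same five rules you would otherwise see under Edit Claim Rules in the console.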

  7. Map the OAuth user to the MicroStrategy user for login control.

  8. Restart your application server and test whether login succeeds. Upon successful login, the following screen displays and your user appears.