Part A: Relying Party Trust Configuration
Steps for adding Mentis as Relying Party Trust to ADFS are similar for staging and production implementations.
Step 1: Open Add Relying Party Trust wizard
Step 2: Select Data Source
Select ‘Enter data about the relying party manually’.
Step 3: Specify Display Name
Give Display name and description as per your choice.
Step 4: Choose profile
Select AD FS profile.
Step 5: Configure Certificate
Optionally add a token encryption certificate. If one is used, we would need its private key in order to decrypt the claims.
Step 6: Configure URL
Select ‘Enable support for the SAML 2.0 WebSSO protocol’. Add the Relying Party SAML 2.0 SSO service URL.
Step 7: Configure Identifiers
Add relying party trust identifiers.
Step 8: Configure Multi-factor Authentication Now?
Select ‘I do not want to configure multi-factor authentication for this relying party trust at this time’.
Step 9: Choose Issuance Authorization Rules
Select an option as per the policy followed at your institute. The default is ‘Permit all users for this relying party’.
Step 10: Ready to Add Trust
You can configure other optional settings or modify existing ones on this screen.
Step 11: Finish
Mentis will be added as a relying party trust to your AD FS configuration database after this step. If you need to alter or verify properties of this relying party trust, please check the option provided on this screen.
Part B: Edit Claim Rules
Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard. By default the claim rule editor opens once you have created the trust.
To create a new rule, click on Add Rule. Create a ‘Send LDAP Attributes as Claims’ rule.
On the next screen, using Active Directory as your attribute store, do the following:
1. From the LDAP Attribute column, select E-mail Addresses.
2. From the Outgoing Claim Type, select Name-ID.
3. Then, from the LDAP Attribute column, select E-Mail Address and from Outgoing Claim Type, select E-Mail Address.
Repeat step #3 for all other required attributes (Given Name, Surname, GUID).
Click on OK to save the new rule.
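The same rule, written in AD FS claim rule language and applied with the ADFS PowerShell module, is added here as an example; it is not part of the Mentis guide. It assumes the trust created in Part A is named "Mentis (Staging)" and maps E-Mail-Addresses to Name ID and E-Mail Address, plus Given Name and Surname. The claim type Mentis expects for the GUID attribute is not given on this page, so that attribute is left for you to add from your Implementation Guide.

```powershell
# Added example, not from the Mentis guide: Part B's "Send LDAP Attributes as Claims"
# rule expressed in claim rule language and set on the trust with PowerShell.
# Assumption: the relying party trust from Part A is named "Mentis (Staging)".
Import-Module ADFS

$rpName = "Mentis (Staging)"

# The query is ";<ldap attrs>;{0}" with one LDAP attribute per outgoing claim type,
# in the same order: mail -> Name ID, mail -> E-Mail Address, givenName, sn.
# For the GUID attribute, add objectGUID to the query and the claim type Mentis
# specifies (not shown on this page).
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Mentis LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,mail,givenName,sn;{0}", param = c.Value);
'@

# Replaces the trust's issuance transform rules with the rule above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $ldapRule

# Check: print the rules now attached to the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Because Name ID is derived from the mail attribute, an account with no mail value is issued no Name ID at all and the sign-in to Mentis fails for that user; checking that every intended user has a populated mail attribute before testing saves a round of troubleshooting.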
Part C: Adjusting the Trust Settings
You still need to adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar while you have the RPT selected.
Step 1: SAML Logout Endpoint
In the Endpoints tab, click Add SAML to add a new endpoint.
1. For the Endpoint type, select SAML Logout. For Binding, choose POST.
2. For the Trusted URL add the respective staging or production URL.
3. Leave the Response URL blank.
4. Confirm your changes by clicking OK on both the endpoint dialog and the RPT properties.
Step 2: Advanced Tab
In the Advanced tab, change the Secure hash algorithm from SHA-256 to SHA-1.
You should now have a working RPT for Mentis.
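For administrators who prefer to script the trust rather than click through the wizard, the following is an added example (not from the Mentis guide) that performs Parts A and C with the ADFS PowerShell module: it creates the trust with its identifier and SAML 2.0 WebSSO endpoint, adds the SAML Logout endpoint with POST binding and no response URL, applies the default permit-all authorization rule, sets the signature algorithm to SHA-1 as Part C requires, and then reads the trust back to verify. All URLs and the identifier are placeholders; the real staging and production values come from your Mentis Implementation Guide.

```powershell
# Added example, not from the Mentis guide: scripted equivalent of Parts A and C.
# Assumptions: the trust name, identifier and URLs below are placeholders to be
# replaced with the values from your Mentis Implementation Guide.
Import-Module ADFS

$rpName     = "Mentis (Staging)"
$identifier = "https://mentis-staging.example.invalid/sp"           # placeholder identifier
$acsUrl     = "https://mentis-staging.example.invalid/saml/acs"     # placeholder SSO service URL
$sloUrl     = "https://mentis-staging.example.invalid/saml/logout"  # placeholder logout URL

# Part A Step 6: SAML 2.0 WebSSO service endpoint (assertion consumer, POST binding).
$ssoEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -IsDefault $true

# Part C Step 1: SAML Logout endpoint, POST binding, Response URL left blank.
$sloEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $sloUrl

# Part A Step 9: the wizard's default issuance authorization rule (permit all users).
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Part A Steps 3, 6, 7 and 9 in one call. A token encryption certificate (Step 5)
# is optional and would be passed as -EncryptionCertificate if Mentis requires one.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -SamlEndpoint @($ssoEndpoint, $sloEndpoint) `
    -IssuanceAuthorizationRules $permitAll

# Part C Step 2: the "Secure hash algorithm" on the Advanced tab. The guide requires
# SHA-1; the SHA-256 value is "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Verification: confirm the algorithm and both endpoints are as intended.
$rpt = Get-AdfsRelyingPartyTrust -Name $rpName
$rpt.SignatureAlgorithm
$rpt.SamlEndpoints | Format-Table Protocol, Binding, Location, ResponseLocation
```

The SignatureAlgorithm line is the one setting here that weakens the trust relative to the AD FS default, so it is worth recording in your change log; it is also the single place to revert to SHA-256 once Mentis confirms support, which the verification block at the end makes easy to check.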
Note: For production implementations, once the RPT settings have been made, please send us an email at firstname.lastname@example.org so that we can begin testing. After successful testing and go-live, we recommend that you disable the Mentis Staging RPT. We would, however, request that you retain a backup of the RPT settings in case significant changes to your environment require retesting in staging.
Please always consult your Mentis Implementation Guide for the latest links.