Configuring ADFS as Security Assertion Markup Language (SAML) Identity Provider (IdP) for Deep Discovery Analyzer (DDAN)

    • Updated:
    • 20 Jul 2020
    • Product/Version:
    • Deep Discovery Analyzer 6.9
    • Platform:
    • N/A
Summary

Starting from version 6.9, Deep Discovery Analyzer (DDAN) supports the Security Assertion Markup Language (SAML) authentication standard, which allows users to single sign-on (SSO) to the Deep Discovery Analyzer console.

For more information, see SAML-Integration.

DDAN supports the Active Directory Federation Services (ADFS) identity provider.

For more information, see Configuring-ADFS.

Following the procedure provided, you configure one claim rule for each AD group that you want to grant access to DDAN. If you want to grant access to users in a child group and its parent group, you must create one rule for the child group and another for the parent group.

You can also configure custom claim rules. For more information, refer to the Microsoft technical documents under the References section of this KB, and make sure that you set the outgoing claim type to DDAN_groups.

Details

The following is an example procedure for configuring custom claim rules that issue all of the user's AD groups in DDAN_groups. With this configuration in place, you can further restrict single sign-on by configuring the Access Control Policy settings and creating SAML groups in DDAN.

  1. Go to ADFS > Relying Party Trusts and select the created application for DDAN.
  2. Right-click the application and select Edit Claim Issuance Policy....

    The Edit Claim Issuance screen appears.

  3. On the Issuance Transform Rules tab, select Add Rule...
  4. Complete settings on each tab of the Add Transform Claim Rule Wizard screen:

    1. On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
    2. On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box (for example, ‘Name ID’) and select Active Directory from the Attribute store drop-down list.
    3. Select the attribute and specify Name ID as the outgoing claim type for the attribute.
    4. Click OK.

      LDAP attribute

      Claim Rule Name            | LDAP Attribute       | Outgoing Claim Type
      <user-defined rule name>   | User-Principal-Name  | Name ID
    5. Create the custom claim rules. Complete the following steps:

      1. Click Add Rule....

        The Add Transform Claim Rule Wizard screen appears.

      2. On the Choose Rule Type tab, select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and click Next.

        The Configure Claim Rule tab appears.

      3. On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and enter the custom rule shown in the following table in the Custom rule text box.

        Custom Rules

        Claim Rule Name: <user-defined rule name>, e.g. nameDN
        Custom Rule:
          c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
           => add(store = "Active Directory", types = ("nameDN"), query = ";distinguishedName;{0}", param = c.Value);

        Claim Rule Name: <user-defined rule name>, e.g. DDAN_groups
        Custom Rule:
          c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
           && c2:[Type == "nameDN"]
           => issue(store = "Active Directory", types = ("DDAN_groups"), query = "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}", param = c1.Value, param = c2.Value);
      4. Click Apply and then click OK. Repeat to set all the claim rules.

      Claim type URIs used in ADFS

      • Name ID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
      • Username Attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

      References

Category:
Configure
Solution Id:
000258112