Starting from version 6.9, Deep Discovery Analyzer (DDAN) supports the Security Assertion Markup Language (SAML) authentication standard, which allows users to single sign-on (SSO) to the Deep Discovery Analyzer console.
For more information, see SAML-Integration.
DDAN supports the Active Directory Federation Services (ADFS) identity provider.
For more information, see Configuring-ADFS.
Following the procedure provided, you configure one claim rule for each AD group to which you want to grant access to DDAN. If you want to grant access to users in a child group and its associated parent group, you must create one rule for the child group and another for the parent group.
You can also configure custom claim rules. For more information, refer to the Microsoft technical documents under the References section of this KB, and make sure that you set the outgoing claim type to DDAN_groups.
The following is an example procedure for configuring custom claim rules that issue all of a user's AD groups (including nested groups) in DDAN_groups. Based on this configuration, you can further limit single sign-on permission by configuring Access Control Policy settings and creating SAML groups in DDAN.
- Go to ADFS > Relying Party Trusts and select the created application for DDAN.
- Right-click the application and select Edit Claim Issuance Policy.... The Edit Claim Issuance screen appears.
- On the Issuance Transform Rules tab, select Add Rule....
- Complete the settings on each tab of the Add Transform Claim Rule Wizard screen:
  - On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
  - On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box (for example, 'Name ID') and select Active Directory from the Attribute store drop-down list.
  - Select the attribute and specify Name ID as the outgoing claim type for the attribute.
  - Click OK.

  LDAP attribute

  | Claim Rule Name | LDAP Attribute | Outgoing Claim Type |
  | --- | --- | --- |
  | <user-defined rule name> | User-Principal-Name | Name ID |

- Create custom claim rules. Complete the following steps:
  - Click Add Rule.... The Add Transform Claim Rule Wizard screen appears.
  - On the Choose Rule Type tab, select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and click Next. The Configure Claim Rule tab appears.
  - On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and type the custom rule shown in the following table.

  Custom Rules

  | Claim Rule Name | Custom Rule |
  | --- | --- |
  | <user-defined rule name>, e.g. nameDN | `c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("nameDN"), query = ";distinguishedName;{0}", param = c.Value);` |
  | <user-defined rule name>, e.g. DDAN_groups | `c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] && c2:[Type == "nameDN"] => issue(store = "Active Directory", types = ("DDAN_groups"), query = "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}", param = c1.Value, param = c2.Value);` |

- Click Apply and then click OK. Repeat to set all the claim rules.
Claim type schema URIs used in ADFS
- Name ID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- Username Attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
References