Configuring ADFS as Security Assertion Markup Language (SAML) Identity Provider (IdP) for Deep Discovery Web Inspector (DDWI)

Updated: 4 Jan 2021
Product/Version: Deep Discovery Web Inspector 2.6
Summary

Starting from version 2.6, Deep Discovery Web Inspector (DDWI) supports the Security Assertion Markup Language (SAML) authentication standard, so that users can access the Deep Discovery Web Inspector console through single sign-on (SSO). For more information, refer to the SAML-Integration topic on the DDWI Online Help page.

DDWI supports the Active Directory Federation Services (ADFS) identity provider. For more information, refer to the Configuring-ADFS topic on the DDWI Online Help page.

You can configure a claim rule for each AD group that you want to grant access permission to DDWI. If you want to grant access to users in a child group and in its parent group, you must create one rule for the child group and another for the parent group.

You can also configure customized claim rules. For more information, refer to the References section of this KB, and make sure that the outgoing claim type is the same as the Logon group attribute configured in the DDWI IdP service. The default Logon group attribute configured in DDWI is memberOf. In this KB, the outgoing claim type is set to memberOf as an example.

Details

The following is an example procedure for configuring customized claim rules that issue all AD group memberships of the user as memberOf claims.

Based on this configuration, you can further limit single sign-on permission by configuring Access Control Policy settings and creating SAML groups in DDWI.

  1. Go to ADFS > Relying Party Trusts and select the created application for DDWI.
  2. Right-click the application and select Edit Claim Issuance Policy.

    The Edit Claim Issuance screen appears.

  3. On the Issuance Transform Rules tab, select Add Rule.
  4. Complete settings on each tab of the Add Transform Claim Rule Wizard screen:

    1. On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
    2. On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box (for example, ‘Name ID’) and select Active Directory from the Attribute store drop-down list.
    3. Select the attribute and specify Name ID as the outgoing claim type for the attribute.
    4. Click OK.

      The LDAP attribute mapping is:

      Claim rule name            LDAP attribute      Outgoing claim type
      <user-defined rule name>   SAM-Account-Name    Name ID
    5. Create customized claim rules. Complete the following steps:

      1. Click Add Rule.

        The Add Transform Claim Rule Wizard screen appears.

      2. On the Choose Rule Type tab, select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and click Next.

        The Configure Claim Rule tab appears.

      3. On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and type the custom claims displayed in the following table:

        Claim rule name: <user-defined rule name>, e.g. nameDN
        Custom rule:
          c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
           => add(store = "Active Directory", types = ("nameDN"), query = ";distinguishedName;{0}", param = c.Value);

        Claim rule name: <user-defined rule name>, e.g. memberOf
        Custom rule:
          c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
           && c2:[Type == "nameDN"]
           => issue(store = "Active Directory", types = ("memberOf"), query = "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}", param = c1.Value, param = c2.Value);
      4. Click Apply, and then click OK. Repeat these steps for each remaining claim rule.

The ADFS claim type URIs used in this configuration:

  • Name ID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  • Username Attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
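The same three rules can be applied with the ADFS PowerShell module instead of the Edit Claim Issuance Policy wizard. The script below is an added example and is not part of this KB or of the DDWI product; it assumes the relying party trust created for DDWI has the display name "DDWI" and that memberOf is still the Logon group attribute configured in the DDWI IdP service.

```powershell
# Added example (not from the Trend Micro KB): apply the Name ID, nameDN and memberOf
# claim rules to the DDWI relying party trust with the ADFS cmdlets.
# Assumption: the relying party trust for DDWI was created with the display name "DDWI".
$RelyingParty = "DDWI"

# Rule 1 is what the "Send LDAP Attributes as Claims" template emits for SAM-Account-Name -> Name ID.
# Rule 2 uses add() so nameDN stays inside the rule pipeline and is not sent to DDWI.
# Rule 3 issues the outgoing claim type "memberOf"; this string must equal the
# Logon group attribute configured in the DDWI IdP service.
$Rules = @'
@RuleName = "Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "nameDN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("nameDN"), query = ";distinguishedName;{0}", param = c.Value);

@RuleName = "memberOf"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 && c2:[Type == "nameDN"]
 => issue(store = "Active Directory", types = ("memberOf"), query = "(member:1.2.840.113556.1.4.1941:={1});sAMAccountName;{0}", param = c1.Value, param = c2.Value);
'@

Import-Module ADFS

# -IssuanceTransformRules replaces the whole rule set on the trust, so every rule the
# trust needs must be in $Rules; run this on the primary ADFS server.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceTransformRules $Rules

# Read the rule set back and confirm the memberOf rule was stored before testing SSO.
$Applied = (Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceTransformRules
if ($Applied -notmatch 'types = \("memberOf"\)') {
    throw "memberOf claim rule was not applied to relying party trust '$RelyingParty'"
}
Write-Output "Claim rules applied to '$RelyingParty'"
```

The matching rule OID 1.2.840.113556.1.4.1941 in the memberOf query resolves nested group membership, so a user who belongs to a child group also receives the parent group's DN as a memberOf claim.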

References:

Category: Configure
Solution Id: 000283848