Starting from version 2.6, Deep Discovery Web Inspector (DDWI) supports the Security Assertion Markup Language (SAML) authentication standard, which allows users to single sign-on (SSO) to the Deep Discovery Web Inspector console. For more information, refer to the SAML-Integration topic on the DDWI Online Help page.
DDWI supports the Active Directory Federation Services (ADFS) identity provider. For more information, refer to the Configuring-ADFS topic on the DDWI Online Help page.
You can configure a claim rule for each AD group that you want to grant access permission to DDWI. If you want to grant access to users in a child group and its associated parent group, you must create one rule for the child group and another for the parent group.
You can also configure customized claim rules. For more information, refer to the References section of this KB, and make sure that you set the outgoing claim type to the same value as the Logon group attribute configured in the DDWI IdP service. The default Logon group attribute configured in DDWI is memberOf, so the examples in this KB set the outgoing claim type to memberOf.
The following is an example procedure for configuring customized claim rules that return all of a user's AD groups in memberOf.
Based on this configuration, you can further limit single sign-on permission by configuring Access Control Policy settings and creating SAML groups in DDWI.
- Go to ADFS > Relying Party Trusts and select the application created for DDWI.
- Right-click the application and select Edit Claim Issuance Policy.
  The Edit Claim Issuance Policy screen appears.
- On the Issuance Transform Rules tab, select Add Rule.
- Complete the settings on each tab of the Add Transform Claim Rule Wizard screen:
  - On the Choose Rule Type tab, select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and click Next.
  - On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box (for example, 'Name ID') and select Active Directory from the Attribute store drop-down list.
  - Select the attribute and specify Name ID as the outgoing claim type for the attribute.
  - Click OK.
  LDAP attribute mapping for this rule:
    Claim rule name: <user-defined rule name>
    LDAP attribute: SAM-Account-Name
    Outgoing claim type: Name ID
- Create customized claim rules. Complete the following steps:
  - Click Add Rule.
    The Add Transform Claim Rule Wizard screen appears.
  - On the Choose Rule Type tab, select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and click Next.
    The Configure Claim Rule tab appears.
  - On the Configure Claim Rule tab, specify a claim rule name in the Claim rule name text box, and type the custom rule that belongs to that name:
    Claim rule name: <user-defined rule name> (for example, nameDN)
    Custom rule:
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
      => add(store = "Active Directory", types = ("nameDN"), query = ";distinguishedName;{0}", param = c.Value);
    Claim rule name: <user-defined rule name> (for example, memberOf)
    Custom rule:
      c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
      && c2:[Type == "nameDN"]
      => issue(store = "Active Directory", types = ("memberOf"), query = "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}", param = c1.Value, param = c2.Value);
  - Click Apply and then click OK. Repeat these steps to add all the claim rules.
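To see why the two custom rules above cover a child group and its parent groups with a single memberOf rule, here is an added Python model (not part of this KB and not ADFS code) of what they return: the nameDN rule resolves the account name to a distinguished name, and the memberOf rule applies the matching-rule-in-chain filter to it. The directory, user and group names are constructed sample data.

```python
# Added model of the two custom claim rules (not ADFS code); the directory,
# user and group names are constructed sample data.
# Rule 1 (nameDN): query ";distinguishedName;{0}" finds the user named by the
#   windowsaccountname claim and adds its DN as a "nameDN" claim.
# Rule 2 (memberOf): "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}"
#   matches every group whose member attribute reaches that DN, directly or
#   through nested groups, and issues one memberOf claim per sAMAccountName.

U = "CN=jdoe,OU=Users,DC=example,DC=com"
G_ANALYSTS = "CN=DDWI-Analysts,OU=Groups,DC=example,DC=com"
G_SOC = "CN=SOC,OU=Groups,DC=example,DC=com"
G_STAFF = "CN=AllStaff,OU=Groups,DC=example,DC=com"

# DN -> attributes. SOC and AllStaff nest each other: AD permits such cycles.
DIRECTORY = {
    U: {"sAMAccountName": "jdoe", "member": []},
    G_ANALYSTS: {"sAMAccountName": "DDWI-Analysts", "member": [U]},
    G_SOC: {"sAMAccountName": "SOC", "member": [G_ANALYSTS, G_STAFF]},
    G_STAFF: {"sAMAccountName": "AllStaff", "member": [G_SOC]},
}

def resolve_dn(directory, windows_account_name):
    """Rule 1: map DOMAIN\\user (the windowsaccountname claim) to its DN."""
    sam = windows_account_name.rsplit("\\", 1)[-1].lower()
    for dn, entry in directory.items():
        if entry["sAMAccountName"].lower() == sam:
            return dn
    raise LookupError(windows_account_name)

def member_in_chain(directory, target_dn):
    """Filter (member:1.2.840.113556.1.4.1941:=target_dn): transitive closure
    over the member attribute. The seen set keeps circular nesting finite."""
    seen, frontier = set(), [target_dn]
    while frontier:
        current = frontier.pop()
        for dn, entry in directory.items():
            if current in entry["member"] and dn not in seen:
                seen.add(dn)
                frontier.append(dn)
    return seen

def memberof_claims(directory, windows_account_name):
    """Rule 2: the memberOf claim values DDWI receives for the user."""
    dn = resolve_dn(directory, windows_account_name)
    return sorted(directory[g]["sAMAccountName"] for g in member_in_chain(directory, dn))

def direct_groups(directory, windows_account_name):
    """For contrast: the user's own memberOf attribute lists only groups that
    contain the user directly, so nested parents would each need a rule."""
    dn = resolve_dn(directory, windows_account_name)
    return sorted(e["sAMAccountName"] for e in directory.values() if dn in e["member"])
```

For jdoe the chain query yields AllStaff, DDWI-Analysts and SOC, while the direct attribute yields only DDWI-Analysts, so a DDWI SAML group mapped to the parent group SOC also matches.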
Claim type schemas used (inherited from ADFS):
- Name ID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- Username Attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
References:
- Microsoft Documentation: Distinguished Names
- ldapwiki page: LDAP_MATCHING_RULE_IN_CHAIN
- Microsoft TechNet article: Understanding Claim Rule Language in AD FS 2.0 & Higher
- Microsoft Documentation: Search Filter Syntax