# AD FS Configuration

{% hint style="info" %}
For a 100% cloud-based integration with AD FS, see [Keeper SSO Connect Cloud](https://docs.keeper.io/sso-connect-cloud)
{% endhint %}

### Microsoft AD FS

#### Obtain Federation Metadata XML

In the AD FS Management console, locate the federation metadata endpoint: expand AD FS > Service > Endpoints and find the URL path listed in the "Metadata" section. The path is typically **/FederationMetadata/2007-06/FederationMetadata.xml**, as seen below:

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1maMce1G7EIWBDAqD%2F-LU1mpCZXEV1VKrRMQMl%2Fsso-step-28b.png?alt=media&#x26;token=47770445-f009-46b7-8b6d-ebe61f1b64f7" alt=""></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1maMce1G7EIWBDAqD%2F-LU1n-HgqddGF50JEdIm%2Fsso-step-194b.png?alt=media&#x26;token=7263e203-910a-41a5-9fcb-4926b839658f" alt=""></div>

To download the metadata file, open that URL in a browser on the AD FS server, for example:

```
https://<your hostname>/FederationMetadata/2007-06/FederationMetadata.xml
```

Save the file to your computer.

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1maMce1G7EIWBDAqD%2F-LU1n9AnW0jLc-Sq57G3%2Fsso-step-29b.png?alt=media&#x26;token=7e30beca-2b9e-4f36-82c3-6e3a7da41e4c" alt=""></div>

#### Import Federation Metadata

Import the FederationMetadata.xml file into Keeper SSO Connect’s configuration screen by dragging and dropping the file:

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-Lvbhd4uMWI3pBu8I_it%2F-LvbkkLsX7-T-NRp2qGx%2Fadfs.png?alt=media\&token=101bda90-ee2a-498f-9d27-944b75ac2df1)

Select **Save** to save the configuration.

{% hint style="warning" %}
Please note: AD FS token-signing certificates are typically valid for only one year. With automatic certificate rollover enabled, AD FS generates a new certificate before the current one expires and promotes it to primary. This breaks the trust between Keeper SSO Connect and AD FS until Keeper knows the new certificate: download the current FederationMetadata.xml again and upload it to Keeper SSO Connect to restore operation. We strongly recommend setting a reminder ahead of the certificate expiration so this step can be performed before users are affected.
{% endhint %}
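As an added example (not Keeper's or Microsoft's own code), the following PowerShell performs the download above without a browser and reports when the token-signing certificate advertised in the metadata expires, so the reminder in the note can be backed by an actual check. Run on the AD FS server itself, it also shows the live certificate set and rollover settings, where a Secondary token-signing certificate means the successor has already been generated. The AD FS hostname and output path are assumptions; replace them.

```powershell
# Added example (not from the Keeper documentation): download the AD FS
# federation metadata, list the token-signing certificate(s) it advertises
# with their expiry, and, when run on the AD FS server, compare with the
# live certificate set and rollover settings. Hostname and path are assumptions.
$AdfsHost    = 'adfs.example.com'   # your AD FS service name (assumed)
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$OutFile     = Join-Path $env:TEMP 'FederationMetadata.xml'

# Windows PowerShell 5.1 may default to older TLS versions; AD FS needs TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# No certificate-check bypass here: the TLS channel is what makes the downloaded
# metadata trustworthy in the first place.
Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

[xml]$Metadata = Get-Content -Path $OutFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

"Entity ID: $($Metadata.DocumentElement.GetAttribute('entityID'))"

function Get-MetadataSigningCertificates {
    param([xml]$Doc, [System.Xml.XmlNamespaceManager]$Nsm)
    # Signing certificates appear under both the WS-Federation RoleDescriptor and
    # the IDPSSODescriptor; collect all of them and de-duplicate by thumbprint.
    $nodes = $Doc.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $Nsm)
    $seen = @{}
    foreach ($n in $nodes) {
        $raw  = [Convert]::FromBase64String($n.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }
        $seen[$cert.Thumbprint] = $true
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

$certs = Get-MetadataSigningCertificates -Doc $Metadata -Nsm $ns
$certs | Format-Table -AutoSize
foreach ($c in ($certs | Where-Object DaysLeft -lt 30)) {
    Write-Warning "Signing certificate $($c.Thumbprint) expires in $($c.DaysLeft) days; re-exchange metadata with Keeper SSO Connect before then."
}

# On the AD FS server only: a Secondary token-signing certificate means automatic
# rollover has already generated the successor. Once it is promoted to Primary,
# Keeper SSO Connect must be given fresh metadata.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    Get-AdfsCertificate -CertificateType Token-Signing |
        Select-Object IsPrimary, Thumbprint, @{n='NotAfter'; e={ $_.Certificate.NotAfter }}
    Get-AdfsProperties |
        Select-Object AutoCertificateRollover, CertificateDuration, CertificateGenerationThreshold, CertificatePromotionThreshold
}
```

The `CertificateGenerationThreshold` and `CertificatePromotionThreshold` values (in days) tell you how far ahead of expiry the new certificate appears and when it takes over, which is the window in which the metadata must be re-imported into Keeper SSO Connect.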

#### Export Keeper SSO Connect Metadata

Select the **Export Metadata** link in Keeper SSO Connect and copy the resulting sso\_connect.xml file to your AD FS server; it is imported when the Relying Party Trust is created below.

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlELLNsxWEt_eMnwY5u%2F-LlELNMKVPjjG2VsjMNB%2FConfig_1_D.png?alt=media&#x26;token=5b2815ac-7edf-4864-b030-6856a6ae3f4a" alt=""></div>

#### Finish AD FS Configuration <a href="#finish-adfs-config" id="finish-adfs-config"></a>

#### Create Relying Party Trust

Create Keeper SSO Connect as a Relying Party Trust (AD FS > Relying Party Trusts > Add Relying Party Trust...):

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1o6wRUFAIys_zZcFm%2Fsso-step-32b.png?alt=media&#x26;token=fe659023-f525-4b5b-879a-774237dfb999" alt=""></div>

#### Import Keeper Metadata

Import the Keeper metadata (sso\_connect.xml) exported earlier from Keeper SSO Connect by completing the Add Relying Party Trust Wizard as shown in the steps below:

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1oK0o6AG933fIBu1h%2Fsso-step-33b.png?alt=media&#x26;token=875fd61c-22bb-4f86-a2af-b32af9b4d9dc" alt="Claims-aware applications"></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1opmI1RtKsTkN8vlS%2Fsso-step-34b.png?alt=media&#x26;token=05d2aaf2-ad19-4cf5-9817-94d3635ce794" alt="Import data - Federation metadata file location"></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1oZsVy5gZKHAOuG3p%2Fsso-step-35b.png?alt=media&#x26;token=11b8d534-6655-4fa4-900b-81bc21daccba" alt="Enter display name"></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1p2rwvtjNiKea7qw4%2Fsso-step-36b.png?alt=media&#x26;token=93f8e20a-d74a-4d9b-ad3d-1f15d8524c67" alt="Choose an access control policy"></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1pNevucVzJkJYRjty%2Fsso-step-37b.png?alt=media&#x26;token=f1e9d7ab-9ba0-417c-afa5-8672f899f378" alt="SAML Logout Endpoints"></div>

{% hint style="danger" %}
To prevent a logout error, change the SAML Logout Endpoint on the Relying Party Trust to the WS-Federation sign-out URL of your AD FS server: `https://<YourADFSserverDomain>/adfs/ls/?wa=wsignout1.0` (for example, [https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0](https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0)).
{% endhint %}

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1pmXPshiJSEfJNoHc%2Fsso-step-38b.png?alt=media&#x26;token=6bdad97b-eede-4a8d-9087-79ce93a46485" alt="Configure claims issuance policy"></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1pygHDVLgoSNuCTth%2Fsso-step-39b.png?alt=media&#x26;token=23e8fd20-09b6-4f04-99bb-5ccc947329fb" alt="Relying Party Trusts"></div>

#### Create Claim Issuance Policy Rules <a href="#claim-issuance-policy" id="claim-issuance-policy"></a>

To map attributes between AD FS and Keeper, create a Claim Issuance Policy rule of type **Send LDAP Attributes as Claims** and map the LDAP attributes holding the user's first name, last name and e-mail address to the outgoing claim types Keeper SSO Connect expects (First, Last and Email).

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1qKB4OnjbazUPMFh6%2Fsso-step-40b.png?alt=media&#x26;token=fe33e163-f758-4dde-954b-7a4f516691f6" alt="Edit Claim Issuance Policy"></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1qVxetZvyv2R_U_TK%2Fsso-step-41b.png?alt=media&#x26;token=f344cd7b-5eb8-41cb-99ff-272194d32275" alt="Add Rule..."></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1nSrx8aknvorYBcNs%2F-LU1qc4fRgwZDb6BK-Nn%2Fsso-step-42b.png?alt=media&#x26;token=a5b50390-a6f7-4d86-adad-fb4298148ef6" alt="Choose Rule Type"></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1qslxsyM7trhYo7JN%2F-LU1qxcVvkS6pSImdvok%2Fsso-step-43b.png?alt=media&#x26;token=a4883388-b664-462e-afbe-55d006c68957" alt="Claim Rule Name - Mapping"></div>

{% hint style="info" %}
**Important: Ensure that the three outgoing claim types ("First", "Last" and "Email") are spelled exactly as shown above.**
{% endhint %}

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1qslxsyM7trhYo7JN%2F-LU1rNEgnCn7KPoeg2J2%2Fsso-step-44b.png?alt=media&#x26;token=3932b9f6-23ff-41ea-b526-dc645d208423" alt="Issuance Transform Rules"></div>

AD FS does not issue a SAML Name ID by default, and single logout requires one. For logout support, therefore, add two more Claim Issuance Policy rules: a custom rule that creates an opaque per-session identifier, and a transform rule that issues it as a transient Name ID:

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1qslxsyM7trhYo7JN%2F-LU1rbrj7vyzzfldz42e%2Fsso-step-45b.png?alt=media&#x26;token=ac7886d6-18e4-4493-bff2-f85f4ae02f8e" alt="Send Claims using a Custom Rule"></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1qslxsyM7trhYo7JN%2F-LU1rm6NuW7rDmknjJCX%2Fsso-step-46b.png?alt=media&#x26;token=9b4393e8-992c-4014-bee2-f63b0ad6fa31" alt="Create Opaque Persistent ID"></div>

Paste the following claim rule language into the custom rule (the `add` verb keeps the session ID inside the claims pipeline without issuing it; the next rule turns it into the Name ID that is actually sent):

```
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
```

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1qslxsyM7trhYo7JN%2F-LU1s3_tgMhG9ln_DG92%2Fsso-step-47b.png?alt=media\&token=b50c7db8-4b14-4bee-a1a8-d288be5d5135)

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1qslxsyM7trhYo7JN%2F-LU1sEMlpLmC2WXyXEQp%2Fsso-step-48b.png?alt=media&#x26;token=b7c374ff-4435-448b-90ed-22156cbd71cb" alt="Transform an Incoming Claim"></div>

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1qslxsyM7trhYo7JN%2F-LU1sQUPRPp5wvbnOsE4%2Fsso-step-49b.png?alt=media&#x26;token=e8e4154c-80fb-4402-968c-0a1dbdb68f75" alt="Create Persistent Name Identifier"></div>

Incoming claim type: `http://mycompany/internal/sessionid`\
Outgoing claim type: Name ID\
Outgoing name ID format: Transient Identifier

{% hint style="info" %}
Enter the incoming claim type literally as `http://mycompany/internal/sessionid`; do not substitute your own company name. It is only a label for the claim created by the custom rule above, and the two values must match exactly.
{% endhint %}

<div align="left"><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1qslxsyM7trhYo7JN%2F-LU1sg-XUONZfzEkQGYC%2Fsso-step-50b.png?alt=media&#x26;token=ece4f776-f5e8-4618-b8f8-79503ee972c2" alt="Set Outgoing claim and name ID format"></div>
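As an added example (not Keeper's or Microsoft's own code), the following PowerShell performs the relying party trust setup described in this section in one script, so it can be repeated on a second farm or kept under version control instead of being clicked through the wizard: it imports sso\_connect.xml, installs the three claim rules, applies the logout endpoint change from the warning above, and sets the MessageAndAssertion signature that the SAML Signing Configuration section below asks for. The metadata path, trust and rule names, AD FS hostname, the choice of LDAP attributes (givenName, sn, mail) behind First/Last/Email, and the POST binding used when no logout endpoint was imported are assumptions; the rule text reproduces what the wizard generates for the templates named on this page.

```powershell
# Added example (not from the Keeper documentation): create the Keeper SSO
# Connect relying party trust, its claim rules, logout endpoint and signing
# setting from PowerShell. Paths, names, LDAP attributes and the default
# logout binding are assumptions for this example.
$MetadataFile = 'C:\Keeper\sso_connect.xml'   # exported from Keeper SSO Connect (assumed path)
$TrustName    = 'Keeper SSO Connect'          # display name in the AD FS console (assumed)
$AdfsHost     = 'adfs.example.com'            # your AD FS service name (assumed)

# Rule 1: "Send LDAP Attributes as Claims". The outgoing claim types must be
# exactly First, Last and Email; the LDAP attributes feeding them are assumed.
$RuleLdap = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Keeper Attribute Mapping"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("First", "Last", "Email"), query = ";givenName,sn,mail;{0}", param = c.Value);
'@

# Rule 2: the custom rule from this page; "add" keeps the session ID internal.
$RuleOpaque = @'
@RuleName = "Create Opaque Persistent ID"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
'@

# Rule 3: "Transform an Incoming Claim" issuing the session ID as a transient Name ID.
$RuleNameId = @'
@RuleTemplate = "MapClaims"
@RuleName = "Create Persistent Name Identifier"
c:[Type == "http://mycompany/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

$IssuanceRules = $RuleLdap + "`n" + $RuleOpaque + "`n" + $RuleNameId

# Import the Keeper metadata and attach the rules. -AccessControlPolicyName
# needs AD FS 2016 or later; on 2012 R2 use -IssuanceAuthorizationRules instead.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataFile $MetadataFile `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $IssuanceRules `
    -SamlResponseSignature 'MessageAndAssertion'

# The identifier comes from sso_connect.xml; read it back rather than guessing it.
$Trust      = Get-AdfsRelyingPartyTrust -Name $TrustName
$Identifier = $Trust.Identifier | Select-Object -First 1

# Logout endpoint: replace whatever SAMLLogout endpoint the metadata carried with
# the AD FS WS-Federation sign-out URL. Set-AdfsRelyingPartyTrust -SamlEndpoint
# REPLACES the whole list, so the non-logout endpoints must be passed back in.
$Existing = $Trust.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' } | Select-Object -First 1
$Binding  = if ($Existing) { $Existing.Binding } else { 'POST' }   # assumed default when none was imported
$Keep     = @($Trust.SamlEndpoints | Where-Object { $_.Protocol -ne 'SAMLLogout' })
$Logout   = New-AdfsSamlEndpoint -Binding $Binding -Protocol 'SAMLLogout' -Uri "https://$AdfsHost/adfs/ls/?wa=wsignout1.0"
Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier -SamlEndpoint ($Keep + @($Logout))

# Show the values this page tells you to verify.
Get-AdfsRelyingPartyTrust -Identifier $Identifier |
    Select-Object Name, Identifier, SamlResponseSignature, SignatureAlgorithm,
        @{n='Endpoints'; e={ ($_.SamlEndpoints | ForEach-Object { "$($_.Protocol)/$($_.Binding) $($_.Location)" }) -join '; ' }}

# Reload the configuration (repeat on every federation server in a farm).
Restart-Service adfssrv
```

Keeping the imported logout binding, when there is one, avoids silently switching Keeper SSO Connect from the binding it declared in its own metadata; only the URL is changed, which is what the warning above calls for.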

#### SAML Signing Configuration

a. Open PowerShell as Administrator on the AD FS server.

b. Identify the "Identifier" string of your SSO Connect Relying Party Trust by running:

```powershell
Get-ADFSRelyingPartyTrust
```

This command prints every relying party trust. Find the SSO Connect entry and note its "Identifier" value, which will look something like:\
<https://xyx.company.com:8443/sso-connect>

c. Run the below command, replacing \<Identifier> with the string found in step (b).

```powershell
Set-ADFSRelyingPartyTrust -TargetIdentifier <Identifier> -SamlResponseSignature MessageAndAssertion
```

Run Get-ADFSRelyingPartyTrust again to confirm that the SamlResponseSignature value for the trust is now "MessageAndAssertion".

#### Restart AD FS services

From the Services console, restart the Active Directory Federation Services service so the new trust and claim rules are loaded. In an AD FS farm, restart the service on each federation server.

![Restart AD FS](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LvblaROrGm6NHxyd8Tf%2F-LvbpyoYrKzZ8bRDsBZN%2Frestart_adfs.png?alt=media\&token=43683c15-335b-4e69-939f-81944046014a)

{% hint style="info" %}
SAML assertion signing must be configured correctly in your AD FS environment. If it was not configured before the metadata exchange, set it up as described above and then exchange metadata again between AD FS and Keeper SSO Connect.
{% endhint %}

#### Troubleshooting

If, after setting up Keeper SSO Connect, users get **SSO is not configured (undefined)**, one possible root cause is a missing or incorrect CRL configuration: AD FS cannot complete the revocation check on the Keeper SSO Connect certificate.\
\
A simple workaround is to disable certificate revocation checking for this relying party trust (see the PowerShell commands at the end of this section). Bear in mind that AD FS will then accept the Keeper SSO Connect certificate even if it has been revoked, so in production prefer making the CRL reachable from the AD FS servers and keep the change scoped to this one trust.

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlEMb6G159Z3VmhvUaX%2F-LlEMeTRpd8n70vcRHlK%2Fsso_error.png?alt=media\&token=8352b1f9-79d9-45fb-81b7-8956313d85b6)

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlEP8OulaN_wYuf9e9-%2F-LlEPAlR1ArIEbUWNF53%2FLog.png?alt=media\&token=475ecc3f-b817-46c4-aabe-ca51ddaee783)

**Possible root causes**

**Time skew**

Ensure that Keeper SSO Connect and the IdP have the same system time (within 1 second). To point the AD FS server at public NTP servers, run the following in an elevated prompt (peers are space-separated, and `,0x8` marks each one as a client-mode peer):

```powershell
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /reliable:yes /update
```

On a domain-joined AD FS server the default is to take time from the domain hierarchy; in that case leave the member alone and configure the external NTP source on the PDC emulator instead, so that the whole domain, including the SSO Connect host, agrees on the time.

**Certificate validation failure**

* Verify the settings: run PowerShell as Administrator and inspect the trust with Get-ADFSRelyingPartyTrust.
* Follow the "**SAML Signing Configuration**" instructions above.

If you need to disable certificate revocation checking on the IdP for testing purposes, or for internal PKI certificates whose CRL is not reachable from AD FS, you can use the PowerShell commands below. Replace \<Identifier> with the string found in the "SAML Signing Configuration" instructions above. The change applies to this relying party trust only.

```powershell
Set-ADFSRelyingPartyTrust -TargetIdentifier <Identifier> -EncryptionCertificateRevocationCheck None
Set-ADFSRelyingPartyTrust -TargetIdentifier <Identifier> -SigningCertificateRevocationCheck None
```

Note: Any changes made to signing configuration may require exchange of XML metadata between IdP and SSO Connect.
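As an added example (not Keeper's or Microsoft's own code), the following PowerShell checks the two root causes listed above with evidence before the revocation-check workaround is applied: it measures the clock offset between the AD FS server and the SSO Connect host, builds the certificate chain of the trust's signing (and, if present, encryption) certificate with online revocation checking, extracts the CRL distribution points, and tests whether this server can fetch them. The SSO Connect hostname and trust name are assumptions.

```powershell
# Added example (not from the Keeper documentation): diagnose time skew and
# certificate validation failures for the Keeper SSO Connect trust on the
# AD FS server. Host and trust names are assumptions for this example.
$SsoConnectHost = 'sso.example.com'      # Keeper SSO Connect server (assumed)
$TrustName      = 'Keeper SSO Connect'    # display name of the relying party trust (assumed)

# 1. Time skew: sample the clock offset to the SSO Connect host over NTP
#    (UDP 123 must be reachable on that host).
function Get-PeerClockOffset {
    param([string]$Computer, [int]$Samples = 5)
    $lines = & w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    # /dataonly lines look like "12:00:01, +00.0012345s"; error lines carry no offset
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No NTP samples from ${Computer}: $($lines -join ' ')" }
    ($offsets | Measure-Object -Average).Average
}

$offset = Get-PeerClockOffset -Computer $SsoConnectHost
if ([math]::Abs($offset) -gt 1) {
    Write-Warning ('Clock offset to {0} is {1:N3}s; SAML validity windows will fail. Fix time sync first (w32tm /resync).' -f $SsoConnectHost, $offset)
} else {
    'Clock offset to {0} is {1:N3}s (OK)' -f $SsoConnectHost, $offset
}

# 2. Certificate validation: build the chain with online revocation checking,
#    the same kind of check AD FS performs, and list the CRL distribution
#    points so a blocked URL becomes visible instead of guessed at.
function Test-RpCertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Role)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'    # mirrors the AD FS default CheckChainExcludeRoot
    $valid = $chain.Build($Cert)
    $crlUrls = foreach ($ext in ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
        [regex]::Matches($ext.Format($false), 'https?://\S+') | ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        Role       = $Role
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        ChainValid = $valid
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        CrlUrls    = @($crlUrls)
    }
}

$trust   = Get-AdfsRelyingPartyTrust -Name $TrustName
$results = @(foreach ($c in $trust.RequestSigningCertificate) { Test-RpCertificateChain -Cert $c -Role 'RequestSigning' })
if ($trust.EncryptionCertificate) { $results += Test-RpCertificateChain -Cert $trust.EncryptionCertificate -Role 'Encryption' }
$results | Format-List

# 3. Can THIS server fetch those CRLs? AD FS does so under its service account,
#    so a proxy or egress rule may block it even when a browser on the box works.
foreach ($url in ($results | ForEach-Object { $_.CrlUrls } | Select-Object -Unique)) {
    try   { $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10; "$url -> HTTP $($r.StatusCode)" }
    catch { Write-Warning "$url unreachable from this server: $($_.Exception.Message)" }
}
```

A `Status` of `RevocationStatusUnknown` or `OfflineRevocation` with an unreachable CRL URL is the condition the `-SigningCertificateRevocationCheck None` workaround masks; opening that URL from the AD FS servers fixes the cause instead. If the Keeper SSO Connect certificate comes from an internal PKI that publishes no CRL at all, the per-trust workaround above is the pragmatic option, and the encryption-certificate command is only needed when the trust actually has an encryption certificate.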
