Configure the VeridiumID ADFS Server

The purpose of this document is to provide an end-to-end configuration procedure for an ADFS server together with the Veridium ADFS plugin. This article assumes you already have an Active Directory domain in place and a dedicated ADFS machine joined to that domain.

Install ADFS server role and configure the ADFS service

  1. The first step is to install the ADFS role. For this, click on Start, then select Server Manager:

    image-20250205-144509.png
  2. In the SERVER MANAGER window click on Add roles and features:

    image-20250205-144559.png
  3. In the following window click on Next:

    image-20250205-144812.png
  4. In the Select installation type window, click on Next:

    image-20250205-144838.png
  5. In the Select destination server click on Next:

    image-20250205-144929.png
  6. In the Select server roles window tick the box next to Active Directory Federation Services and then click Next:

    image-20250205-145417.png
  7. In the Select features window click Next:

    image-20250205-145559.png
  8. In the following window click Next:

    image-20250205-145651.png
  9. In the Confirm installation selections window click on Install:

    image-20250205-145734.png
  10. In this step you can choose either to wait for the installation to complete or click on Close. The installation will complete in the background if you close the window.

    image-20250205-150032.png
  11. After the installation completes, go to Server Manager and click on the yellow exclamation mark on the upper right side of the window, then select Configure the federation service on this server:

    image-20250205-150436.png
  12. In the Active Directory Federation Services Configuration Wizard select Create the first federation server in a federation server farm then click on Next:

    image-20250205-150851.png
  13. Specify a domain account with administrator permissions and then click on Next:

    image-20250205-151137.png
  14. Click on Import and select an SSL certificate, then set a Federation Service Name that matches the certificate, and then set the Federation Service Display Name, which will appear in the ADFS authentication window:

    image-20250205-151634.png
  15. If this is the first time you are configuring an ADFS server in your domain, you’ll most likely see this message. Click on Show more:

    image-20250205-151936.png
  16. A window will appear displaying a command that needs to be executed in order to set the KDS Root Key. Open an elevated PowerShell window and execute the command (Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)):

    image-20250205-152032.png
  17. After the command has been executed, close the PowerShell window:

    image-20250205-152343.png
  18. Return to the configuration wizard. If the warning hasn’t disappeared, click on Previous and then on Next:

    image-20250205-152442.png
  19. Select Create a Group Managed Service Account and assign an Account Name, then click on Next:

    image-20250205-152607.png
  20. Select Create a database on this server using Windows Internal Database then click Next:

    image-20250205-152857.png
  21. Review the options and then click on Next:

    image-20250205-153111.png
  22. Wait for the Pre-requisite Checks to complete and then click on Configure:

    image-20250205-153331.png
  23. After the configuration process is complete, click on Close:

    image-20250205-153731.png
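The wizard steps above, scripted in PowerShell as an added example (this is not from the Veridium page; the federation service name, display name, gMSA name and PFX path are assumed placeholders). Beyond the wizard, it checks that the imported certificate actually covers the Federation Service Name and carries a private key before the farm is created:

```powershell
# Added example, not part of the Veridium documentation. Run in an elevated
# PowerShell window on the ADFS machine. All values marked ASSUMED are placeholders.
$FederationServiceName = 'adfs.example.local'     # ASSUMED: must match the SSL certificate
$DisplayName           = 'Example Corp Sign-In'   # ASSUMED: shown on the ADFS sign-in page
$GmsaName              = 'EXAMPLE\gmsa-adfs$'     # ASSUMED: Group Managed Service Account
$PfxPath               = 'C:\certs\adfs.pfx'      # ASSUMED: exported SSL certificate
$PfxPassword           = Read-Host -AsSecureString -Prompt 'PFX password'

# Steps 1-10: install the ADFS role and its management tools.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null

# Steps 15-17: a KDS root key must exist before a gMSA can be created.
# The -10h effective time makes the key usable immediately instead of after the
# normal replication delay; this is the shortcut the wizard itself shows.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# Step 14: import the certificate, then verify it before the farm depends on it.
$cert  = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
$names = @($cert.DnsNameList.Unicode) + @($cert.Subject -replace '^CN=([^,]+).*', '$1')
if ($names -notcontains $FederationServiceName) {
    throw "Certificate $($cert.Thumbprint) does not cover '$FederationServiceName' (names: $($names -join ', '))"
}
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; ADFS cannot use it' }

# Steps 12-23: first farm node, Windows Internal Database, gMSA as service account
# (the same cmdlet and parameter the wizard's "View script" output uses).
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -FederationServiceDisplayName $DisplayName `
                 -GroupServiceAccountIdentifier $GmsaName
```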

Install and configure the Veridium ADFS plugin

  1. Install the VeridiumAdfsInstaller_x64.msi by following the instructions on the screen (no special configuration required).

  2. Click on Start, then select VeridiumID ADFS Config:

    image-20250205-154135.png
  3. The first step requires importing a friend certificate for the VeridiumID server which will be integrated with the plugin. For this, go to Veridium dashboard, click on Settings, then scroll down to the Certificates section, click on Service Credentials and then on Custom Services:

    image-20250205-154536.png
  4. Click on Create Custom Service Certificate:

    image-20250205-154659.png
  5. Type in a name for the ADFS friend certificate and then click on Create Device:

    image-20250205-154943.png
  6. Copy the certificate to the ADFS machine, then return to VeridiumID ADFS Configuration and click on Import new:

    image-20250205-155840.png
  7. Browse to the location where you saved the certificate, select it then type in the password and click Import:

    image-20250205-160646.png
  8. Next click on VeridiumID FQDN:

    image-20250205-160845.png
  9. Type in the FQDN of the VeridiumID server you want to use and then click on OK:

    image-20250205-161116.png
  10. Type in the VFACE Script URL. This is obtained by concatenating the Shibboleth URL and "/idp/custom/vface/vface-web.iife.js":

    image-20250205-162428.png
  11. Next go to Veridium Manager and extract the vface license. For this, click on Settings, then Advanced, scroll down and select vface.json:

    image-20250205-162917.png
  12. Copy the value from the license tag:

    image-20250205-163147.png
  13. Go back to the VeridiumID ADFS Configuration and paste the copied value in the VFACE license key field:

    image-20250205-163456.png
  14. Next you need to retrieve the signing keystore from the VeridiumID server. For this, go back to Veridium Manager, click on Settings, then scroll down to the Certificates section, click on Signing Keystore and double-click the item on the right side:

    image-20250205-164135.png
  15. Scroll down and click on the Copy button next to Pub Key Base 64:

    image-20250205-164600.png
  16. Return to the VeridiumID ADFS Configuration and click on Edit JWT key:

    image-20250205-164750.png
  17. Paste the JWT Signing key value and click on OK:

    image-20250205-164844.png
  18. Adjust the Session pooling URL to match your IdP:

    image-20250205-165118.png
  19. Click on the Register IdP button to apply the settings:

    image-20250205-165152.png

Install ClaimsXray to visualize the claims

  1. Install ClaimsXray by using the attached PowerShell script. Execute it from an elevated PowerShell window:

    image-20250207-073223.png
  2. Select the following options and click on Apply changes:

    image-20250207-073412.png
  3. This will create the ClaimsXray relying party trust, as can be seen by going to Relying Party Trusts container:

    image-20250207-074113.png
  4. The default ClaimsXray endpoints are no longer available, so you need to change them. For this, right-click the relying party and select Properties:

    image-20250207-074236.png
  5. In the next window, click on the Endpoints tab, replace the WS-Federation Passive Endpoints and SAML Assertion Consumer Endpoints with https://claimsxray.net/api/sso and then click on Apply and OK:

    image-20250207-074340.png
  6. In order to test, you need to enable the idpinitiatedsignon page. For this, open an elevated PowerShell window and execute the following command:

    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

  7. Next you must enable Veridium as an authentication method in the ADFS service configuration. For this, click on Authentication Methods, then click on the Edit button next to Additional Authentication Methods:

    image-20250207-093427.png
  8. In the next window select Veridium and then click on Apply:

    image-20250207-093658.png
  9. Click on Primary, then select Allow additional authentication providers as primary, then click on OK in the AD FS Management window:

    image-20250207-093840.png
  10. Click on Apply and OK, then re-open the Edit Authentication Methods window.

  11. Veridium should be visible as an authentication method and you have to enable it:

    image-20250207-095755.png
  12. Click on Apply and OK to save.

  13. Now you can test the authentication by accessing the IdP-initiated sign-on page. The URL has the form https://<adfs-fqdn>/adfs/ls/idpinitiatedsignon. Select Sign in to one of the following sites and then click on Sign In:

    image-20250207-113559.png
  14. Type in your username and then click Next:

    image-20250207-114116.png
  15. Click on VeridiumID to login using the VeridiumID ADFS plugin:

    image-20250207-114158.png
  16. Authenticate using the method of your choice:

    image-20250207-114305.png
  17. After the authentication is complete, you should see a ClaimsXray page like this:

    image-20250207-114410.png

Create custom claims

  1. With ClaimsXray you can view all the sent claims along with the custom ones. In order to define the actual custom claims, in the ADFS configuration interface click on Claims Descriptions, then Add Claim Description:

    image-20250207-120733.png

    NOTE: You can find the custom claims definition in C:\Program Files\VeridiumID\VeridiumAdfs\lib\VeridiumIdP.dll.config, under the CustomClaim<x>_Name/Value keys:

    image-20250207-121209.png
  2. In the next window type in country for Display Name and Short Name, then http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country for Claim identifier, select the two publishing options below and then click on OK:

    image-20250207-121731.png
  3. Repeat the steps for the countryCode claim: type in countryCode for Display Name and Short Name, then http://schemas.xmlsoap.org/ws/2005/05/identity/claims/countryCode for Claim identifier, select the two publishing options below and then click on OK:

    image-20250207-123145.png
  4. Same for the ILPContextScore claim: type in ILP Context Score for Display Name and ILPContextScore for Short Name, then http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ilpContextScore for Claim identifier, select the two publishing options below and then click on OK:

    image-20250207-123553.png
  5. Repeat also for the ILPMotionScore claim: type in ILP Motion Score for Display Name and ILPMotionScore for Short Name, then http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ilpMotionScore for Claim identifier, select the two publishing options below and then click on OK:

Add claim rules for the Active Directory Claims Provider Trust

  1. After adding the custom claim descriptions, you need to add claim rules for the Active Directory Claims Provider Trust. For this, click on Claims Provider Trusts, then right-click on Active Directory and select Edit Claim Rules:

    image-20250207-130143.png
  2. In the next window click on Add Rule:

    image-20250207-130302.png
  3. In the next window, select Transform an Incoming Claim then click Next:

    image-20250207-130842.png
  4. Type in country in the Claim rule name field, then select country from the Incoming and Outgoing claim type drop-down list, then select Pass through all claim values and click on Finish:

    image-20250207-132301.png
  5. Repeat steps 3 and 4 in order to configure a rule for the CountryCode claim as follows:

    image-20250207-133316.png
  6. Create a new rule by selecting the Pass Through or Filter an Incoming Claim template, then click Next:

    image-20250207-133404.png
  7. Set the name to ILP Context Score, then select ILP Context Score in the Incoming claim type field, make sure Pass through all claim values is selected and then click on Finish:

    image-20250207-133614.png
  8. Repeat steps 6 and 7 in order to configure a rule for the ILP Motion Score claim as follows:

    image-20250207-134118.png
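The two sections above (the four claim descriptions and the pass-through rules on the Active Directory claims provider trust) done with the ADFS PowerShell module instead of the GUI, as an added example that is not from the Veridium page. It preserves any acceptance rules already on the trust and only appends a rule for a claim type that has none yet:

```powershell
# Added example, not part of the Veridium documentation. Run in an elevated
# PowerShell window on the ADFS server. Claim names, short names and types are
# the ones given in the "Create custom claims" steps.
$ns = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$claims = @(
    @{ Name = 'country';           Short = 'country';         Type = "$ns/country" },
    @{ Name = 'countryCode';       Short = 'countryCode';     Type = "$ns/countryCode" },
    @{ Name = 'ILP Context Score'; Short = 'ILPContextScore'; Type = "$ns/ilpContextScore" },
    @{ Name = 'ILP Motion Score';  Short = 'ILPMotionScore';  Type = "$ns/ilpMotionScore" }
)

# Claim descriptions. IsAccepted / IsOffered are the two "publish this claim
# description in federation metadata" tick boxes from the dialog.
$existing = (Get-AdfsClaimDescription).ClaimType
foreach ($c in $claims) {
    if ($existing -contains $c.Type) { continue }          # already defined, leave it alone
    Add-AdfsClaimDescription -Name $c.Name -ShortName $c.Short -ClaimType $c.Type `
                             -IsAccepted $true -IsOffered $true
}

# Acceptance transform rules on the Active Directory claims provider trust.
# Both GUI templates used above ("Transform an Incoming Claim" with identical
# incoming/outgoing types, and "Pass Through or Filter an Incoming Claim") amount
# to a pass-through, which in claim rule language is: c => issue(claim = c).
$trust = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
$rules = $trust.AcceptanceTransformRules
foreach ($c in $claims) {
    if ($rules -match [regex]::Escape($c.Type)) { continue }   # a rule for this type exists
    $rules += @"

@RuleName = "$($c.Name)"
c:[Type == "$($c.Type)"]
 => issue(claim = c);
"@
}
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules $rules

# Verify: every custom type should now have both a description and a rule.
$descTypes = (Get-AdfsClaimDescription).ClaimType
$rulesNow  = (Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
foreach ($c in $claims) {
    '{0,-16} description={1} rule={2}' -f $c.Short, ($descTypes -contains $c.Type), ($rulesNow -match [regex]::Escape($c.Type))
}
```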

Add custom claims to the Veridium ADFS plugin config

  • The Veridium ADFS plugin configuration file is located in the install path under the lib folder - e.g. C:\Program Files\VeridiumID\VeridiumAdfs\lib and it is called VeridiumIDP.dll.config. Edit this file and scroll until you find the CustomClaims section. You will find two custom claims already defined here:

image-20250218-121914.png

You can add the two extra claims defined in the previous section by appending

    <add key="CustomClaim3_Name" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ilpContextScore" />
    <add key="CustomClaim3_Value" value="uba_context.score" />
    <add key="CustomClaim4_Name" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ilpMotionScore" />
    <add key="CustomClaim4_Value" value="uba_motion.score" />

after the existing claims. In order for the claims to be processed, you need to change the value of the CustomClaimsCount key to 4 (or however many claims you have defined). In the end, the configuration should look like this:

image-20250218-122233.png
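The same edit done with an XML parser rather than by hand, as an added example that is not Veridium's tooling. It assumes the CustomClaim<x>_Name/Value keys sit as <add> elements under an <appSettings> element (an assumption; the page only shows the keys themselves), and it refuses to save when CustomClaimsCount would not match the pairs present:

```powershell
# Added example, not part of the Veridium documentation. Run elevated, with the
# ADFS service stopped or before the Register IdP step that applies the config.
$ConfigPath = 'C:\Program Files\VeridiumID\VeridiumAdfs\lib\VeridiumIDP.dll.config'
$ns = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$newClaims = @(
    @{ Name = "$ns/ilpContextScore"; Value = 'uba_context.score' },
    @{ Name = "$ns/ilpMotionScore";  Value = 'uba_motion.score' }
)

Copy-Item $ConfigPath "$ConfigPath.bak"            # keep a copy before touching the file
[xml]$cfg  = Get-Content -Raw $ConfigPath
$settings  = $cfg.configuration.appSettings        # ASSUMED: keys live under <appSettings>
if (-not $settings) { throw 'No <configuration><appSettings> element found; adjust $settings' }

function Get-Key([string]$k) { $settings.add | Where-Object key -eq $k }

# Next free index = highest CustomClaim<n>_Name already present, plus one.
$maxIdx = [int](($settings.add.key | ForEach-Object {
    if ($_ -match '^CustomClaim(\d+)_Name$') { [int]$Matches[1] } } | Measure-Object -Maximum).Maximum)

foreach ($c in $newClaims) {
    if ($settings.add | Where-Object value -eq $c.Name) { continue }   # already configured
    $maxIdx++
    foreach ($pair in @(@("CustomClaim${maxIdx}_Name", $c.Name), @("CustomClaim${maxIdx}_Value", $c.Value))) {
        $el = $cfg.CreateElement('add')
        $el.SetAttribute('key',   $pair[0])
        $el.SetAttribute('value', $pair[1])
        $settings.AppendChild($el) | Out-Null          # lands after the existing claims
    }
}

# Sanity check before saving: every index 1..count has both a _Name and a _Value.
for ($i = 1; $i -le $maxIdx; $i++) {
    foreach ($suffix in 'Name', 'Value') {
        if (-not (Get-Key "CustomClaim${i}_$suffix")) { throw "Missing CustomClaim${i}_$suffix" }
    }
}

# CustomClaimsCount must cover every pair, otherwise the plugin ignores the extra ones.
$count = Get-Key 'CustomClaimsCount'
if (-not $count) { throw 'CustomClaimsCount key not found' }
$count.value = [string]$maxIdx
$cfg.Save($ConfigPath)
"CustomClaimsCount set to $maxIdx; backup at $ConfigPath.bak"
```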
  • Save the file and then open the VeridiumID ADFS Config tool. Click on the Register IdP button to apply the custom claims configuration:

    image-20250218-123446.png
  • Test the configuration by accessing the idpinitiatedsignon page, that is https://<adfs fqdn>/adfs/ls/idpinitiatedsignon. Select Sign in to one of the following sites, then select ClaimsXray from the drop-down list and click on Sign In:

    image-20250218-123754.png
  • In the next window enter a valid username and click Next:

    image-20250218-123943.png
  • Click on VeridiumID to authenticate using the Veridium ADFS plugin:

    image-20250218-124035.png
  • Authenticate using one of the presented options:

    image-20250218-124140.png
  • After the authentication completes, you should be able to see, among other claims, the custom ones previously defined:

    image-20250218-125029.png