How to integrate GSA with ADFS

Introduction

This document gives the configuration steps to integrate Google Search Appliance (GSA) version 7.4.x and higher with Active Directory Federation Services (AD FS) on Windows Server 2012 R2, so that AD FS can be used as the SAML authentication provider.

Terminology

  • ADFS - Active Directory Federation Services is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.
  • SAML - Security Assertion Markup Language is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.

Configuring ADFS Relying Party Trust

  1. On Windows Server, open the AD FS Management Console.
  2. Go to Trust Relationships > Relying Party Trusts.
  3. Right-click Relying Party Trusts and select Add Relying Party Trust.
  4. Press the Start button.
  5. Select Enter data about the relying party manually and press Next.
  6. Specify a Display Name (e.g. GSA) and press Next.
  7. Select AD FS Profile and press Next.
  8. Do not specify anything on the Configure Certificate screen and press Next.
  9. Check the Enable Support for the SAML 2.0 WebSSO Protocol checkbox and specify the service URL of the GSA (e.g. https://gsa.example.com/security-manager/samlassertionconsumer). Make sure that gsa.example.com is replaced with the actual GSA host name.
  10. Press Next.
  11. The relying party trust identifier can be found in the GSA's Admin Console. Navigate to Admin Console > Search > Secure Search > Access Control. Copy the SAML Issuer Entity ID into the Relying party trust identifier box and press Next.
  12. Press Next to skip configuration of Multi-factor Authentication.
  13. Select Permit all users to access this relying party and press Next.
  14. Press Next on the summary screen.
  15. Make sure that the checkbox in front of Open the Edit Claim Rules dialog for this relying party trust is enabled and press Close.
  16. In the opened window Edit Claim Rules for GSA, press the Add Rule… button.
  17. Select Send LDAP Attributes as Claims and press Next.
  18. Specify a Claim rule name (e.g. UserName), select Active Directory as Attribute Store, choose User-Principal-Name as LDAP Attribute and Name ID as Outgoing Claim Type.
  19. Press the Finish and OK buttons to close both windows.
  20. Open Properties of the newly created GSA relying party trust and go to the Signature tab. Press the Add button and upload the public certificate of the GSA.
  21. Go to the Advanced tab, select SHA-1 as Secure Hash Algorithm and press OK.
  22. In the AD FS Management window, go to Service > Certificates. Select the Token-Signing certificate, choose to view it and go to the Details tab.
  23. Press the Copy to File button and press Next.
  24. Select Base-64 encoded X.509 (.CER) and press Next.
  25. Specify the location where you would like to export the certificate and press Next.
  26. Press Finish.
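The same relying party trust, claim rules, signature settings and Token-Signing certificate export, scripted with the AD FS PowerShell module. This is an added example and not part of the original article; the GSA host name, the certificate file paths and the SAML Issuer Entity ID are placeholders that must be replaced with the values from your own environment.

```powershell
# Added example (not from the original article): build the GSA relying party trust
# with the AD FS cmdlets instead of the management console. Run in an elevated
# PowerShell session on the AD FS server. All values below are placeholders.
Import-Module ADFS

$gsaHost     = 'gsa.example.com'                               # replace with the real GSA host name
$gsaEntityId = '<SAML Issuer Entity ID from the GSA Admin Console>' # Search > Secure Search > Access Control
$gsaCertPath = 'C:\certs\gsa-public.cer'                       # public certificate of the GSA (Signature tab)
$acsUrl      = "https://$gsaHost/security-manager/samlassertionconsumer"

# Claim rule "UserName": User-Principal-Name from Active Directory issued as Name ID
# (what "Send LDAP Attributes as Claims" generates in the console).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UserName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Authorization rule equivalent to "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$gsaCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $gsaCertPath
$acs     = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'GSA' `
    -Identifier $gsaEntityId `
    -ProtocolProfile SAML `
    -SamlEndpoint $acs `
    -RequestSigningCertificate $gsaCert `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Export the primary Token-Signing certificate as Base-64 encoded X.509 (.CER),
# the format the GSA "Public Key of IDP" field expects, and show its thumbprint so
# it can be compared with the certificate configured on the GSA when troubleshooting.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $tokenSigning.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path 'C:\certs\adfs-token-signing.cer' -Value $pem -Encoding Ascii
"Token-Signing certificate thumbprint: $($tokenSigning.Thumbprint)"
```

The Token-Signing certificate rolls over automatically when AutoCertificateRollover is enabled, so the exported file has to be refreshed on the GSA after each rollover.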

Configuring GSA Authentication Mechanism

  1. Go to the GSA Admin Console and navigate to Search > Secure Search > Universal Login Auth Mechanisms > SAML.
  2. Specify the following parameters:
     • Mechanism Name: (e.g. ADFS)
     • IDP Entity ID: http://<ADFS HOST NAME>/adfs/services/trust
     • Login URL: https://<ADFS HOST NAME>/adfs/ls/
     • Public Key of IDP: (paste the Token-Signing certificate exported from AD FS in the previous section)
  3. Press the Save button.

The GSA is now ready to authenticate users using ADFS.

Troubleshooting ADFS integration

Below is a list of some common errors that might occur during ADFS integration, together with the steps to resolve them. The authentication flow is available in the Security Manager log, which can be retrieved from the Admin Console via Serving > Universal Login > SecMgr Log.

Error: sid <SESSION ID>: One or more SAML assertions are invalid
Issue: Time is not synced either on the GSA or on the ADFS server.
Steps to resolve: Make sure that the time on the search appliance and on the ADFS server is properly synced. See: How to configure NTP server on GSA.

Error: Signature verification failed.
Issue: The Public Certificate of IdP configured on the appliance doesn't match the ADFS Token-Signing certificate.
Steps to resolve: Make sure that the SAML public certificate configured on the GSA matches the Token-Signing certificate exported from AD FS (see Configuring ADFS Relying Party Trust).

Error: Signature verification failed.
Issue: The GSA cannot build a trust chain for the Public Certificate of IdP.
Steps to resolve: Upload the certificate chain of the Public Certificate of IdP to the GSA Certificate Authorities list. See: How to upload certificates to GSA's CA.
