After creating a SAML app, create a relying party trust in the Active Directory Federation Services (AD FS) Management console.
Procedure
-
In the AD FS Management console, from the left navigation pane, navigate to AD FS > Trust Relationships.
-
Right-click Relying Party Trusts, and then click Add Relying Party Trust.
The Welcome page of the Add Relying Party Trust Wizard window appears.
-
Click Start.
-
On the Select Data Source page, click Import data about the relying party from a file.
-
In the Federation metadata file location box, browse to the location of the SP metadata that you placed on the AD FS machine.
-
Click Next.
-
Continue to go through the wizard, referring to Microsoft documentation to configure additional features such as multi-factor authentication and issuance authorization rules.
-
After you complete the wizard, click Close.
The Edit Claim Rules dialog box appears.
-
On the Issuance Transform Rules tab, click Add Rule.
The Select Rule Template page of the Add Transform Claim Rule Wizard window appears.
-
From the Claim rule template list, click Send LDAP Attributes as Claims.
-
Click Next.
The Configure Rule page appears.
-
In the Claim rule name box, enter a name for the rule.
-
From the Attribute store list, click Active Directory.
-
In the Mapping of LDAP attributes to outgoing claim types table, add the LDAP attribute and the outgoing claim type:
-
From the LDAP Attribute list, select User Principal Name or Email Addresses.
-
From the Outgoing Claim Type list, select Name ID.
Note
For Active Directory users who log on using SAML, the user name, full name, GUID, user groups, email, and UPN are extracted from the Active Directory that is configured in the Commvault Cloud software. Therefore, a single claim rule that maps User Principal Name or Email Addresses to Name ID is sufficient.
After the user is authenticated at the IdP, AD FS sends the user details in the following format:
<Subject>
  <NameID>jdoe@commvault.com</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="cv_2b7095fd-d3c4-4335-a5be-889269e6ac85"
                             NotOnOrAfter="2020-06-25T06:27:12.549Z"
                             Recipient="https://johndoe.idcprodcert.loc:443/webconsole/samlAcsIdpInitCallback.do?samlAppKey=MzVENDBGQzUwRUUyNEU2" />
  </SubjectConfirmation>
</Subject>
The NameID value is the attribute you mapped in the claim rule (here the UPN). For bearer confirmation, the service provider checks the SubjectConfirmationData before accepting the assertion: InResponseTo must match the ID of the authentication request it issued, NotOnOrAfter must still be in the future, and Recipient must equal its own assertion consumer service URL.
-
Click Finish, and then click OK.
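The same relying party trust and Name ID claim rule as the wizard steps above, built with the AD FS PowerShell module on the AD FS server. This is an added example, not code from the Commvault or Microsoft documentation. The trust name, the metadata file path, and the Permit-All issuance authorization rule are assumptions; the authorization rule stands in for whatever policy you would choose in the wizard (step 7), and the claim rule text is what the Send LDAP Attributes as Claims template produces for a User Principal Name to Name ID mapping.

```powershell
# Added example: relying party trust for the Commvault SP via the ADFS module.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$trustName    = 'Commvault Cloud'                    # assumed display name
$metadataFile = 'C:\Temp\commvault-sp-metadata.xml'  # assumed path of the SP metadata copied to this server

# Before importing, show what the metadata will bind this trust to: the SP
# entityID and the assertion consumer service (ACS) URL that AD FS will later
# put in the Recipient attribute. Confirm these match the SAML app you created.
[xml]$md   = Get-Content -Path $metadataFile
$entityId  = $md.EntityDescriptor.entityID
$acsUrls   = @($md.EntityDescriptor.SPSSODescriptor.AssertionConsumerService) |
             ForEach-Object { $_.Location }
Write-Host "SP entityID : $entityId"
Write-Host "SP ACS URLs : $($acsUrls -join ', ')"

# Step 14: Send LDAP Attributes as Claims, User Principal Name -> Name ID.
# To use the mail attribute instead, change the query to ";mail;{0}".
$issuanceTransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Commvault Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Assumed authorization policy: permit every authenticated user. Replace with a
# group-restricted rule or an access control policy if only some users may
# reach the Commvault SP.
$issuanceAuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 4-8: import the SP metadata and create the trust in one call.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $issuanceTransformRules `
    -IssuanceAuthorizationRules $issuanceAuthorizationRules

# Verify what was created: identifier, SAML endpoints taken from the metadata,
# and the claim rules that will produce the NameID in the assertion.
$rpt = Get-AdfsRelyingPartyTrust -Name $trustName
$rpt | Select-Object Name, Identifier, Enabled, SignatureAlgorithm | Format-List
$rpt.SamlEndpoints | Select-Object Protocol, Binding, Location | Format-Table -AutoSize
Write-Host "Issuance transform rules:`n$($rpt.IssuanceTransformRules)"
```

The Identifier shown by Get-AdfsRelyingPartyTrust should equal the entityID printed from the metadata, and the SAMLAssertionConsumer endpoint Location should be the URL that later appears as Recipient in the SubjectConfirmationData. If either differs, the wrong metadata file was imported and the trust should be removed with Remove-AdfsRelyingPartyTrust before retrying.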