
Active Directory Federation Services (AD FS) for EAS

This document provides step-by-step instructions for setting up Active Directory Federation Services (AD FS) to give end users single sign-on (SSO) access to the Retarus EAS Portal.

AD FS Configuration

The AD FS 2.0 console is installed automatically when you install AD FS 2.0.

→ Start the AD FS 2.0 snap-in:


→ Select Add Relying Party Trusts.

→ In the wizard that opens, click on Start:


→ Select Import data about the relying party published online or on a local network so that the wizard fetches the relying party data online. The Retarus SP SAML metadata URL is:
https://am.retarus.com/openam/saml2/jsp/exportmetadata.jsp?entityid=https://am.retarus.com


→ Ignore the following warning and click on OK to continue:


→ Enter a display name of your choice for this relying party entry in your AD FS (e.g., Retarus Enterprise Email Archive). You can also provide a description. Note the exact name you choose; it is needed again later for the PowerShell step.


→ Select Permit all users to access this relying party.


→ Leave the checkbox selected: you still have to enter claim rules to complete the AD FS SP configuration before users can access the Retarus EAS portal.


→ Select Add Rule to send the NameID as a transient value derived from an "anonymous" AD value that does not expose the user's identity, e.g., the Primary SID.


→ Select Send Claims Using a Custom Rule from the drop-down menu.


→ Enter a name of your choice for the rule (e.g., Send Windows Primary SID as the transient Name ID).

→ Enter the following custom rule into the field (line breaks are only for readability; the claim rule language ignores whitespace):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://am.retarus.com");

→ Select Finish.


→ Add another rule in order to send the user’s email address as an attribute.


→ Select Send LDAP Attributes as Claims from the Claim rule template drop-down menu.


→ Enter a name for the claim rule (e.g., Send Primary Internet Email Address). Then select Active Directory as the attribute store, choose Email-Addresses in the LDAP Attribute column and the email claim (E-Mail Address) in the Outgoing Claim Type column.


Both rules should now be visible in the first tab of the dialog:


The Relying Party Trust entry for Retarus EAS / Enterprise Email Archive access is now listed in the console.


→ Disable encryption of the SAML assertion sent to Retarus. The assertion remains protected in transit because all communication with the Retarus web server uses TLS (SSL). This must be done with the AD FS Windows PowerShell cmdlet, as the AD FS console provides no UI for this setting.

Start Windows PowerShell on the AD FS server via Windows PowerShell Modules in Administrative Tools. This automatically loads the AD FS snap-in.


Then enter the following command to disable encryption of the claims sent to Retarus EAS/Enterprise Email Archive. The value of -TargetName must be exactly the display name you gave the relying party trust in the wizard.

Set-AdfsRelyingPartyTrust -TargetName "Retarus EAS/Enterprise Email Archive" -EncryptClaims $False


To verify that the command worked, query the setting with the following command:

Get-AdfsRelyingPartyTrust "Retarus EAS/Enterprise Email Archive" | findstr EncryptClaims

The response should be:
EncryptClaims : False


Now you need to send the federation metadata of your AD FS to Retarus. Open the following URL in your browser, replacing the placeholder with the hostname of your AD FS server:

https://<your AD FS server hostname>/FederationMetadata/2007-06/FederationMetadata.xml

Save the content as an XML file using the browser's save function.


The next step is to send this XML file to your Retarus Implementation Engineer.

Retarus – AD FS interaction

The following diagram displays the interaction between the Retarus system and the AD FS:

[Diagram: Retarus – AD FS interaction]

Activate SAML for Users

After Retarus has set up SAML using your metadata XML file, the next step is to activate SAML access for your EAS users via the User Management menu in EAS. Select a user and click Edit. Under the General tab, set the SAML login setting to Yes. Finally, save the change.
