Skip to main content
Skip table of contents

Active Directory Federation Services (AD FS) for Email Archive

This manual provides step-by-step instructions for setting up Active Directory Federation Services (ADFS) to provide Single Sign-On end user access to the Retarus Enterprise Email Archive.

AD FS Configuration

The AD FS 2.0 console is installed automatically when you install AD FS 2.0.

→ Start the AD FS 2.0 snap-in:

grafik-20240611-165617.png

→ Select Add Relying Party Trusts.

→ In the wizard that opens, click on Start:

grafik-20240611-165646.png

→ Select Import data about the relying party published online or on a local network to obtain the data online. The Retarus SP SAML URL is:
https://am.retarus.com/openam/saml2/jsp/exportmetadata.jsp?entityid=https://am.retarus.com

grafik-20240611-165703.png

→ Ignore the following warning and click on OK to continue:

grafik-20240611-165721.png

→ Enter a display name of your choice for this relying party entry in your ADFS (e.g., Retarus Enterprise Email Archive). You can also provide a description.

grafik-20240611-165741.png

→ Select Permit all users to access this relying party.

grafik-20240611-165756.png

→ You can leave the checkbox selected because you’ll have to enter claim rules to complete the ADFS SP configuration in order to access the Retarus Enterprise Email Archive.

grafik-20240611-165822.png

→ Select add rule to send the NameID as a transient value using an “anonymous” value from AD, e.g., Primary SID.

grafik-20240611-165856.png

→ Select Send Claims Using a Custom Rule from the drop-down menu.

grafik-20240611-165911.png

→ Enter a name of your choice for the rule (e.g., Send Windows Primary SID as the transient Name ID).

→ Enter the following custom rule into the field:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://am.retarus.com");

→ Select Finish.

grafik-20240611-170002.png

→ Add another rule in order to send the user’s email address as an attribute.

grafik-20240611-170020.png

→ Select Send LDAP Attributes as Claims from the Claim rule template drop-down menu.

grafik-20240611-170037.png

→ Enter a name for the claim rule (e.g., Send Primary Internet Email Address). Then select Active Directory as the attribute store with Email-Addresses in the LDAP Attribute column and email as the attribute in the Outgoing Claim Type column.

grafik-20240611-170057.png

Both rules should now be visible in the first tab of the dialog:

grafik-20240611-170112.png

→ Disable encryption of the SAML assertion sent to Retarus. Please note the data is anyhow protected because all communication with the Retarus Web Server is via TLS (SSL). Select the relying trust entry you created for Retarus Enterprise Email Archive and right-click to select Edit Properties.

grafik-20240611-170126.png

→ Select the Encryption tab and then click on the Remove button.

grafik-20240611-170143.png

→ Confirm the deletion.

grafik-20240611-170158.png

The Encryption certificate field should now be empty as shown in the screenshot below. Select OK to save the changes and close the dialog.

grafik-20240611-170216.png

→ Now you need to send the Federation metadata for your AD FS to Retarus. Open the following URL in your browser:
<https://<your> adfs server hostname>/FederationMetadata/2007-06/FederationMetadata.xml

→ Save the content as a XML file using the browser’s save function.

grafik-20240611-170232.png

The next step is to send this XML file to your Retarus Implementation Engineer.

Retarus – AD FS interaction

The following diagram displays the interaction between the Retarus system and the AD FS:

grafik-20240611-170342.png

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.