Add a Relying Party Trust
The following instructions are based on the Microsoft documentation on how to create a relying party trust.
Open the ADFS Management Console.
On the right side of the console, click Add Relying Party Trust.
On the Welcome page, choose Claims aware and click Start.
Select Enter data about the relying party manually, and click Next.
Type a name (such as Molequle), and click Next.
Use the default (ADFS 2.0 profile), and click Next.
On the Configure Certificate page:
On the Configure URL page:
For WS-Federation: Check Enable support for the WS-Federation..., type this value in the text box: https://id.molequle.io/login/callback, and click Next.
For SAML: Check Enable support for the SAML 2.0 WebSSO protocol..., and type this placeholder value in the text box: https://id.molequle.io/login/callback?connection=CONNECTION_ID. CONNECTION_ID will be provided by Molequle support at a later step. Click Next.
Add a Relying Party Trust identifier on the Configure identifiers page:
For WS-Federation, use this value: urn:auth0:molequle
For SAML, use this value: urn:auth0:molequle:CONNECTION_ID. CONNECTION_ID will be provided by Molequle support at a later step.
Click Add, and then Next.
Leave the default Permit all users..., or specify the users who should have access, and click Next.
Click Next, and then Close.
Add a claim issuance policy rule
If you're using Windows Server 2019, the Edit Claim Issuance Policy dialog box opens automatically when you finish the Add Relying Party Trust wizard. If you're using Windows Server 2012 or 2016, follow these steps:
In Windows Server 2012: In the Actions panel on the right side of the console, find the Relying Party Trust you just created. Beneath it, click Edit Claim Issuance Policy.
In Windows Server 2016: In the console tree, under ADFS, click Relying Party Trusts. On the right side of the console, find the Relying Party Trust you just created. Right-click it and click Edit Claim Issuance Policy.
In the Edit Claim Issuance Policy Window, under Issuance Transform Rules, click Add Rule....
Leave the default Send LDAP Attributes as Claims. Give the rule a name that describes what it does.
Under Attribute Store, select Active Directory.
Select these mappings under Mapping of LDAP attributes to outgoing claim types, and click Finish.
LDAP Attribute      | Outgoing Claim Type
--------------------|--------------------
E-Mail-Addresses    | E-Mail Address
Display-Name        | Name
User-Principal-Name | Name ID
Given-Name          | Given Name
Surname             | Surname
The Name ID outgoing claim should always be present to ensure correct session handling. We strongly recommend adding all of the claims listed above, especially E-Mail Address, since they are the ones most commonly used.
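The same relying party trust and claim issuance policy can be created from PowerShell on the ADFS server. The following script is an added example, not code from Molequle or from the Microsoft documentation this page is based on; it assumes the ADFS PowerShell module is available, that the callback URL and identifiers are the ones given above, and that CONNECTION_ID is still the placeholder Molequle support will replace. The claim rule reproduces the LDAP attribute mapping table with the standard claim type URIs the "Send LDAP Attributes as Claims" template emits (mail, displayName, userPrincipalName, givenName, sn).

```powershell
# Added example (not Molequle's or Microsoft's code): creates the claims-aware
# relying party trust and the LDAP-attribute claim rule described above.
# Assumes: run on the ADFS server as an ADFS administrator; CONNECTION_ID is the
# placeholder to be replaced with the value from Molequle support.
Import-Module ADFS

$connectionId = 'CONNECTION_ID'   # placeholder until Molequle support supplies it
$protocol     = 'SAML'            # or 'WS-Federation'

if ($protocol -eq 'WS-Federation') {
    $identifier   = 'urn:auth0:molequle'
    $endpointArgs = @{ WSFedEndpoint = 'https://id.molequle.io/login/callback' }
} else {
    $identifier = "urn:auth0:molequle:$connectionId"
    $acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "https://id.molequle.io/login/callback?connection=$connectionId"
    $endpointArgs = @{ SamlEndpoint = $acs }
}

# Claim rule language equivalent of the "Send LDAP Attributes as Claims" template
# with the mapping table on this page. Name ID (nameidentifier) is the claim the
# text says must always be present.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Molequle user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,displayName,userPrincipalName,givenName,sn;{0}",
          param = c.Value);
'@

# The wizard's "Permit all users" default. Replace with a group-scoped rule if
# only some users should be able to reach Molequle.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'Molequle' -Identifier $identifier @endpointArgs `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Show the resulting trust so the identifier and endpoint can be checked.
Get-AdfsRelyingPartyTrust -Name 'Molequle' |
    Select-Object Name, Identifier, WSFedEndpoint, SamlEndpoints, IssuanceTransformRules
```

Once Molequle support sends the real CONNECTION_ID, rerun with it or update the trust in place with Set-AdfsRelyingPartyTrust; the identifier and the SAML assertion consumer URL both carry the value and must agree with what Molequle expects.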
Next Steps for WS-Federation
To set up WS Federation in Molequle, you need to provide Molequle Support with the Federation Metadata endpoint or your federation metadata file.
The federation metadata file contains information about your identity provider's certificates. If you provide the Federation Metadata endpoint (typically a URL ending with /FederationMetadata/2007-06/FederationMetadata.xml), Molequle can check daily for changes in the configuration, such as a new signing certificate added in preparation for a rollover. For this reason, enabling the Federation Metadata endpoint is preferred to providing a standalone metadata file. If you provide a standalone metadata file, you must manually send an updated file containing the new signing certificate whenever it changes.
If the Federation Metadata contains both the primary and secondary certificates, you can use both in Molequle. To roll over certificates using the Federation Metadata endpoint:
Generate a new certificate, and add it as the secondary certificate for your ADFS environment. This should be done at least two days before the expiration of your active primary certificate.
Allow Molequle to obtain your new certificate from the Federation Metadata endpoint. Molequle checks your endpoints once a day, so be sure to allow sufficient time to complete this step.
Set the now-secondary certificate as the primary certificate before the existing primary certificate expires in your ADFS environment.
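To confirm that the rollover steps above have taken effect (that the metadata Molequle polls actually advertises both signing certificates, with enough validity left on the old one), the following added example reads the Federation Metadata document and lists each IdP signing certificate with its validity window. It is not code from Molequle or Microsoft; it assumes $metadataUrl points at your own ADFS farm and that the document is reachable from where the script runs.

```powershell
# Added example (not Molequle's or Microsoft's code): lists the signing
# certificates published in ADFS Federation Metadata and warns when only one is
# published and it is close to expiry, i.e. when the secondary certificate for
# the rollover has not been added yet.
# Assumption: $metadataUrl is your own ADFS metadata endpoint.
$metadataUrl = 'https://your.adfs.server/FederationMetadata/2007-06/FederationMetadata.xml'
$warnDays    = 14

[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Only the IdP role's signing keys are used to validate tokens at the relying
# party; the metadata document's own ds:Signature is deliberately skipped.
$certNodes = $metadata.SelectNodes(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)

$now = Get-Date
$signing = foreach ($node in $certNodes) {
    $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
    }
}

$signing | Sort-Object NotAfter | Format-Table -AutoSize

# Rollover check: after the secondary certificate is added, two signing
# certificates should appear here. Molequle reads this document once a day, so
# the old certificate must stay valid at least until that poll has happened.
$soonest = $signing | Sort-Object NotAfter | Select-Object -First 1
if (@($signing).Count -lt 2 -and $soonest.DaysLeft -le $warnDays) {
    Write-Warning "Only one signing certificate is published and it expires in $($soonest.DaysLeft) days; add the secondary certificate now so Molequle can fetch it before the rollover."
}
```

Run it once after adding the secondary certificate (step 1) and again the day after, before promoting it (step 3); the second run should still list both thumbprints, which is what Molequle will have picked up.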
Next Steps for SAML
Export the signing certificate from the ADFS console:
Using the left-hand navigation pane, go to ADFS > Service > Certificates. Select the Token-signing certificate, and right-click to select View Certificate.
On the Details tab, click Copy to File.... This launches the Certificate Export Wizard. Click Next.
Choose Base-64 encoded X.509 (.CER) as the format you'd like to use. Click Next.
Provide the location to where you want the certificate exported. Click Next.
Verify that the settings for your certificate are correct and click Finish.
Send the following information to Molequle support to finish the Single Sign-On setup:
Signing Certificate
Sign-In and Sign-Out URLs, usually in the form of https://your.adfs.server/adfs/ls
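The export steps and the URL lookup can also be done from PowerShell on the ADFS server. This is an added example, not code from Molequle or Microsoft; it assumes the ADFS module is available, uses an arbitrary output path, and identifies the sign-in endpoint by its /adfs/ls address path, which is an assumption about how your farm is configured rather than something the page states.

```powershell
# Added example (not Molequle's or Microsoft's code): exports the primary
# token-signing certificate as Base-64 encoded X.509 (.CER), the same format the
# Certificate Export Wizard steps above produce, and prints the sign-in URL.
# Assumptions: run on the ADFS server; $outPath is arbitrary.
Import-Module ADFS
$outPath = 'C:\temp\adfs-token-signing.cer'

$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $primary.Certificate

# Public certificate only (no private key), exactly what "Copy to File..." exports.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $outPath -Value $pem -Encoding Ascii

# The /adfs/ls endpoint serves both sign-in and sign-out for SAML and WS-Federation.
$signIn = Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '/adfs/ls*' } |
    Select-Object -First 1 -ExpandProperty FullUrl

"Exported {0} (thumbprint {1}, valid until {2:u}) to {3}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $outPath
"Sign-In / Sign-Out URL: $signIn"
```

The thumbprint printed here should match one of the signing certificates advertised in your Federation Metadata; if it does not, the console is showing a different certificate than the farm is actually publishing.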
Molequle support will send over the CONNECTION_ID mentioned above, which must be substituted for the placeholder in the Relying Party Trust you created in the wizard.