This article is intended for network administrators who have experience setting up Microsoft AD FS with WS-Federation authentication. It outlines how to configure AD FS and establish a connection with Nearmap.
Setting up AD FS
Exact setup details may be slightly different for your version of AD FS.
Create a Relying Party Trust
Follow the instructions in the article Create a Relying Party Trust in the Microsoft online documentation to create a claims-aware Relying Party Trust manually, using the following notes as you go through the wizard:
- On the "Configure URL" page, select only the "Enable support for the WS-Federation Passive protocol" check box, and for the URL enter https://auth.nearmap.com/login/callback
- On the "Configure Identifiers" page, add the identifier urn:auth0:nearmap
- Ensure that the federation metadata endpoint is enabled
- Use default values for everything else
NOTE: Unlike other IdPs, you don't need to enter the Connection ID you set up in MyAccount.
The metadata URL to enter in MyAccount will usually be https://<My ADFS Domain>/federationmetadata/2007-06/federationmetadata.xml, where <My ADFS Domain> is the domain of your AD FS server.
Configure the Claim Issuance Policy
Configure the Claim Issuance Policy for the Relying Party Trust created above:
- Add a rule using the template "Send LDAP Attributes as Claims", with "Active Directory" as the attribute store.
- Add the following mappings from LDAP attribute to outgoing claim type:
  - E-Mail-Addresses - E-Mail Address
  - User-Principal-Name - Name ID
- For Just-in-time provisioning, use the drop-down list to add the following mappings from LDAP attribute to outgoing claim type:
  - Given-Name - Given Name
  - Surname - Surname
- You can optionally map other LDAP attributes in your Active Directory to the following custom outgoing claim types:
  - urn:nearmap:claims/phone
  - urn:nearmap:claims/mobile_phone
  - urn:nearmap:claims/job_title (preferred) or urn:nearmap:claims/title
  - urn:nearmap:claims/org_unit (this can be department, division, region, etc.)
Changes made in your user directory after Just-in-Time provisioning will not be updated in MyAccount. Similarly, changes made in MyAccount will not be updated in your user directory.
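The two sections above can also be applied from PowerShell on the AD FS server; the following is an added example, not Nearmap's own script or documentation. The rule names, the AD attributes chosen for the optional custom claims (telephoneNumber, mobile, title, department) and the "permit everyone" authorization rule are assumptions you should adapt to your directory and AD FS version.

```powershell
# Added example: creates the Nearmap Relying Party Trust and its claim issuance
# rules from an elevated PowerShell session on the AD FS server. The rule names,
# the AD attributes behind the optional Nearmap claims, and the "permit everyone"
# authorization rule are assumptions, not Nearmap guidance.
Import-Module ADFS

# Claim rule language equivalent of the "Send LDAP Attributes as Claims" template:
# mail -> E-Mail Address, userPrincipalName -> Name ID, givenName -> Given Name,
# sn -> Surname (the last two are used for Just-in-time provisioning).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Nearmap - required and JIT attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,userPrincipalName,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Nearmap - optional custom claims (assumed AD attributes)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("urn:nearmap:claims/phone", "urn:nearmap:claims/mobile_phone",
                   "urn:nearmap:claims/job_title", "urn:nearmap:claims/org_unit"),
          query = ";telephoneNumber,mobile,title,department;{0}", param = c.Value);
'@

# Assumed authorization rule: every authenticated user may sign in to Nearmap.
# On AD FS 2016 and later you can assign an access control policy instead.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name "Nearmap" `
    -Identifier "urn:auth0:nearmap" `
    -WSFedEndpoint "https://auth.nearmap.com/login/callback" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# The metadata URL you enter in MyAccount is served by this endpoint, so it must
# be enabled. AD FS only picks up an endpoint change after a service restart.
Enable-AdfsEndpoint -TargetAddressPath "/FederationMetadata/2007-06/FederationMetadata.xml"
Restart-Service adfssrv

# Verify the trust before testing the sign-in from MyAccount.
Get-AdfsRelyingPartyTrust -Name "Nearmap" |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
```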