H3C IMC Portal and MAC Portal ADFS Authentication Configuration Guide-5W100


H3C IMC Portal and MAC Portal ADFS Authentication Configuration Guide
Document version: 5W100-20250331

 

Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



About this feature

The Portal and MAC PORTAL services of the EIA component support login with Active Directory (AD) accounts, with AD FS acting as the identity provider.

Description

Acronym   Full name                               Explanation
AD FS     Active Directory Federation Services    Microsoft's federation service; it acts as the IdP in this guide.
IdP       Identity Provider                       The party that authenticates the user and issues the SAML assertion (AD FS here).
SP        Service Provider                        The party that consumes the assertion (the EIA Portal and MAC PORTAL services here).
SAML      Security Assertion Markup Language      The XML-based standard exchanged between SP and IdP; EIA uses SAML 2.0.

 

The EIA server interacts with the AD FS server using the SAML 2.0 protocol: the terminal's browser is redirected from the Portal page to AD FS with an authentication request, AD FS authenticates the user against Active Directory and returns a signed SAML response to EIA through the browser, and EIA opens or matches the user account using the NameID carried in the assertion.

Figure 1 Example of Interaction Process

Usage guide

Procedure

Configure Default Guest Service and Default Guest Administrator

1.     Add Default Guest Administrator

Click "Automation > User Services > Guest User > Guest Administrator" to open the Guest Administrator configuration page, and set a default guest administrator.

2.     Add Default Guest Service

Click "Automation > User Services > Guest User > Guest Policy > Service" to open the Guest Service configuration page, and set a default guest service.

EIA applies these defaults to the accounts it opens for AD users who log in through AD FS (see the note under Configure Claim Rules).

Configure AD FS Parameters on the SP (EIA)

1.     Log in to EIA, click the "Automation > Access Services > Portal Page Customization" menu item, and then click < Third Party APP Authentication Parameter Configuration > to open the configuration page.

2.     In the "AD Federation Authentication & SAML2.0 Parameter Configuration" section, fill in the parameters and click the < Confirm > button to save, as shown in the figure.

 

Parameters:

¡     Identity Provider Metadata: The AD FS metadata. It is normally obtained from https://IP:Port/FederationMetadata/2007-06/FederationMetadata.xml on the IdP server, where IP is the IP address or domain name of the IdP server and Port is its port. The file carries the IdP's entity ID, its SAML endpoints and its token-signing certificate, which EIA uses to verify the signature on the assertions it receives, so fetch it over HTTPS from the genuine AD FS server rather than from an untrusted copy.

¡     Service Provider Domain Name: The domain name under which the Portal and MAC PORTAL services are reached, such as sp.xxxx.com. If no domain name is provided, the browser will always show an HTTPS security warning. The HTTPS certificate bound to this domain name is uploaded under [Automation > User Services > Business Parameters > Access Parameters > HTTPS Certificate File Upload].

¡     Server Time Error: The permitted clock difference between the SP and IdP servers when EIA checks the validity period of an assertion. Keeping the default is sufficient; if logins fail because assertions are reported as expired or not yet valid, synchronize both servers with NTP rather than widening this tolerance.

¡     Data Signature: Whether the SP signs the data it sends to the IdP during the authentication exchange. When enabled, the IdP must hold the SP's signing certificate in order to verify the signatures.

¡     Signing Certificate: The digital certificate the SP uses for signing and signature verification. It must be pasted as PEM content (the -----BEGIN CERTIFICATE----- block).

¡     Certificate Key: The private key matching the signing certificate, also pasted as PEM content. Keep it confidential; only the certificate is shared with the IdP.

 

IMPORTANT:

The service provider domain name can also be replaced with an IP address, but a browser will not match an IP address against a certificate issued for a host name, so the HTTPS connection warning will appear on every login. Authentication still works, but this trains users to click through certificate errors, so use a domain name with a certificate issued for it in production.

 

3.     Obtain SP Metadata

After completing parameter configuration, click the "Export Service Provider Metadata" link to obtain the SP metadata file, which is an XML format file named SP-Metadata.xml.
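Before handing the exported file to AD FS it is worth checking what it actually declares. The following PowerShell script is an added example, not part of the H3C guide or of EIA; it parses SP-Metadata.xml and reports the points that break the configuration steps in this guide: an entityID that differs from the identifier to be added in AD FS, an assertion consumer endpoint that is not HTTPS on the Service Provider Domain Name (or is an IP address), and a missing or soon-expiring signing certificate. The file path, the expected identifier "EIA_Third_SSO_Identifier", the host name sp.xxxx.com and the embedded sample XML are assumptions; the sample is constructed to mirror an export made with Data Signature disabled and is not real EIA output.

```powershell
# Added example; not part of the H3C guide or EIA. Checks an exported SP-Metadata.xml
# before it is imported into AD FS. File path, expected identifier, SP host name and
# the embedded sample XML are assumptions.
param(
    [string]$SpMetadataPath     = "C:\temp\SP-Metadata.xml",
    [string]$ExpectedIdentifier = "EIA_Third_SSO_Identifier",
    [string]$ExpectedSpHost     = "sp.xxxx.com"
)

# Constructed sample (not real EIA output), used when no export exists. It mirrors an export
# made with Data Signature disabled: there is no KeyDescriptor with use="signing".
$sampleSpMetadata = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="EIA_Third_SSO_Identifier">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.xxxx.com/portal/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
'@

function Test-SpMetadata {
    param([xml]$Doc, [string]$Identifier, [string]$SpHost)

    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The entityID is the Issuer EIA sends; AD FS rejects a request whose Issuer is not
    #    one of the relying party's identifiers.
    $entityId = $Doc.DocumentElement.GetAttribute("entityID")
    if ($entityId -ne $Identifier) {
        $findings.Add("entityID '$entityId' is not the identifier '$Identifier' added on the Identifiers tab")
    }

    # 2. Assertion consumer endpoints must be HTTPS on the Service Provider Domain Name;
    #    an IP address here means a permanent browser certificate warning.
    foreach ($acs in $Doc.SelectNodes("//md:AssertionConsumerService", $ns)) {
        $uri = [uri]$acs.GetAttribute("Location")
        if ($uri.Scheme -ne "https") { $findings.Add("ACS endpoint $uri is not HTTPS") }
        if ("$($uri.HostNameType)" -in "IPv4", "IPv6") {
            $findings.Add("ACS endpoint $uri uses an IP address; browsers will warn on every login")
        } elseif ($uri.Host -ne $SpHost) {
            $findings.Add("ACS endpoint host '$($uri.Host)' differs from the Service Provider Domain Name '$SpHost'")
        }
    }

    # 3. Signing certificate: absent when Data Signature was off at export time. If it is
    #    enabled later, the certificate must be added manually on the trust's Signing tab.
    $certNodes = $Doc.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    if ($certNodes.Count -eq 0) {
        $findings.Add("no signing certificate in metadata; add it manually in AD FS if Data Signature is enabled")
    }
    foreach ($node in $certNodes) {
        $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $raw)
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $findings.Add("signing certificate $($cert.Thumbprint) expires on $($cert.NotAfter)")
        }
    }

    [pscustomobject]@{ EntityID = $entityId; Findings = $findings }
}

$xmlText = if (Test-Path $SpMetadataPath) { Get-Content -Path $SpMetadataPath -Raw } else { $sampleSpMetadata }
$result  = Test-SpMetadata -Doc ([xml]$xmlText) -Identifier $ExpectedIdentifier -SpHost $ExpectedSpHost
"entityID: $($result.EntityID)"
if ($result.Findings.Count -eq 0) { "OK: no findings" } else { $result.Findings | ForEach-Object { "WARN: $_" } }
```

Run against the embedded sample, the script reports only the missing signing certificate, which is the case the guide's step "Add Signing Certificate (Optional)" exists for. Run against a real export that was made after Data Signature was enabled, it also confirms that the certificate AD FS will verify requests against is the one EIA actually uses and is not about to expire.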

Add the SP as a Relying Party on the IdP Server

1.     Log in to the IdP server, open "Server Manager", select "Tools" > "AD FS Management", and open the AD FS management console.

 

 

2.     Add a Relying Party Trust (some language versions of the console label it "Trusted Party"); refer to the configuration flowchart for detailed steps.

Select "Start":

Select "Import data about the relying party from a file", choose the downloaded SP-Metadata.xml, and click < Next >:

Enter a "Display name" as appropriate and click < Next > through the remaining pages, then close the wizard.

After the wizard closes, the claim rules configuration window opens automatically.

3.     Configure Claim Rules, refer to the configuration process for detailed steps.

Add a rule of the "Send LDAP Attributes as Claims" type. The claim rule name is "Name ID Policy"; it maps the LDAP attribute SAM-Account-Name to the outgoing claim type "Name ID":

IMPORTANT:

Here, SAM-Account-Name is used as the user account name, and EIA opens the user's account under this value. If your AD user account name is held in a different attribute (for example User-Principal-Name), select that attribute instead. Whatever attribute is chosen must be unique per user, because it becomes the account identity in EIA.

Double-click the newly added relying party trust to open its properties, switch to the "Advanced" tab, and select "SHA-256" as the secure hash algorithm. Do not leave SHA-1 selected; it is deprecated for signatures.

4.     Configure Identifier (Required).

Switch to the "Identifiers" tab, enter "EIA_Third_SSO_Identifier" as the relying party identifier, and click < Add >. This value is mandatory: AD FS compares the Issuer of the authentication request sent by EIA with the identifiers in this list and rejects a request whose Issuer is not listed.

 

5.     Add Signing Certificate (Optional).

When no signing certificate and key are configured in EIA, the exported service provider metadata SP-Metadata.xml does not contain the signing certificate. If the signing certificate is configured (or changed) in EIA later, it must therefore be imported manually on the IdP server; otherwise AD FS cannot verify the signatures on requests from EIA.

In the properties of the relying party trust added above, select the "Signing" tab, click < Add >, and choose the signing certificate file in the file selector that opens. Only the certificate is imported here; the private key entered under "Certificate Key" stays on the EIA server.
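The relying party trust configured through the wizard in steps 2 to 5 can also be created with the AD FS PowerShell module, which makes the configuration repeatable and reviewable. The script below is an added example, not part of the H3C guide; it runs on the AD FS server as an AD FS administrator and performs the same steps: import SP-Metadata.xml, add the "Name ID Policy" claim rule that emits sAMAccountName as Name ID, select SHA-256, add the mandatory identifier "EIA_Third_SSO_Identifier", and optionally import the SP signing certificate. The display name, the file paths and the permit-all authorization rule (the wizard's default, which the guide does not mention) are assumptions.

```powershell
# Added example; not part of the H3C guide. Creates and configures the relying party trust
# for EIA from PowerShell on the AD FS server (run as an AD FS administrator). Display name,
# file paths and the optional certificate path are assumptions.
param(
    [string]$DisplayName     = "H3C EIA Portal",
    [string]$MetadataFile    = "C:\temp\SP-Metadata.xml",
    [string]$Identifier      = "EIA_Third_SSO_Identifier",
    [string]$SigningCertFile = ""    # optional .cer saved from EIA's "Signing Certificate" (PEM)
)
Import-Module ADFS

# "Name ID Policy": emit the AD sAMAccountName as the SAML NameID, which EIA uses as the
# account name. Change sAMAccountName (in the LDAP query) if your accounts use another attribute.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Name ID Policy"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Without an issuance authorization rule AD FS denies every user. This is the wizard's
# "permit everyone" default; on AD FS 2016+ -AccessControlPolicyName "Permit everyone" is the equivalent.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-AdfsRelyingPartyTrust -Name $DisplayName) {
    Remove-AdfsRelyingPartyTrust -TargetName $DisplayName
}

# Step 2 of the guide: import the SP metadata (endpoints, NameID format, and the SP signing
# certificate if Data Signature was enabled when it was exported).
Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataFile $MetadataFile

# Step 4: the identifier is mandatory. Keep whatever the metadata supplied and add ours,
# which is what < Add > on the Identifiers tab does; the AuthnRequest Issuer must match one of them.
$identifiers = @((Get-AdfsRelyingPartyTrust -Name $DisplayName).Identifier) + $Identifier |
    Where-Object { $_ } | Select-Object -Unique

# Step 3: claim rule and SHA-256 secure hash algorithm (Advanced tab), plus the permit-all rule.
Set-AdfsRelyingPartyTrust -TargetName $DisplayName `
    -Identifier $identifiers `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmlenc#sha256" `
    -IssuanceTransformRules $nameIdRule `
    -IssuanceAuthorizationRules $permitAll

# Step 5 (optional): a signing certificate configured in EIA after the export is not in the
# metadata, so add it here (the "Signing" tab in the GUI). The constructor accepts a PEM .cer file.
if ($SigningCertFile -and (Test-Path $SigningCertFile)) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $SigningCertFile
    Set-AdfsRelyingPartyTrust -TargetName $DisplayName -RequestSigningCertificate $cert
}

# Verify the result.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'SigningCertificates'; e = { @($_.RequestSigningCertificate).Count } }
```

The final Get-AdfsRelyingPartyTrust output is the check to keep: Identifier must list EIA_Third_SSO_Identifier, SignatureAlgorithm must be the SHA-256 URI, and SigningCertificates must be 1 whenever Data Signature is enabled in EIA (and 0 when it is disabled, which is the case item 2 under Miscellaneous covers).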

 

 

Configure ADFS Login (Taking PC Version MAC PORTAL Authentication as an Example)

1.     Log in to EIA, click the "Automation > Access Services > BYOD Page Customization" menu item to open the BYOD page customization page, click the < Add > button, and add a customization page of type PC.

 

Select "AD Federation Authentication" as the authentication method:

 

Push the customized page according to the actual page push policy used.

Miscellaneous

1.     The EIA server and the IdP server must be able to resolve and reach each other's domain names. For example, the EIA server must be able to access the IdP server domain name adfs.xxxx.com, and the IdP server must be able to access the EIA server domain name sp.xxxx.com.

2.     When the option not to sign data is selected on the EIA server but a signing certificate was configured on the IdP previously, the certificate must be deleted manually on the IdP server. The steps are as follows:

In the properties of the relying party trust, select the "Signing" tab, select the signing certificate, and click < Delete >.

3.     During Portal authentication, the access device must permit unauthenticated terminals to reach the IdP server domain name (for example adfs.xxxx.com), typically through a portal authentication-free rule; otherwise the browser redirect to the IdP is blocked before the user can log in.
