Symantec Mobility Suite can be configured to use Active Directory Federation Services (ADFS) as a SAML external identity provider (IDP). The following instructions outline how to configure ADFS as a SAML IDP.
Prerequisite: the End-User Portal must be enabled in Mobility Suite. First, enable the Enhanced Store in the Admin console: Settings > Mobility Manager configuration > Enhanced Store. Second, go to Settings > Mobility Manager configuration > End-User Portal and enable: Users can browse apps in a web browser on their computer.
Install and configure ADFS 2.0 on a Windows server that is reachable from the Mobility server. Ensure the ADFS site in IIS is bound to a valid SSL/TLS certificate that the Mobility server can validate; Mobility will fetch and trust the IDP endpoints over HTTPS.
Once ADFS is set up and accessible via SSL from the Mobility server, in the Mobility Admin console access: Settings > External IDP > Server Configuration
For the Type field, select: SAML. For Name, enter an appropriate name. For both the SP Partner ID and SP Entity ID fields, enter the Mobility server's / tenant's full URL (e.g. https://appcenter.company.com)
Select Download SP Metadata File, which downloads an XML file to be imported into ADFS. Make this file accessible by the ADFS server
On the ADFS server, open the AD FS 2.0 Management console
Access: AD FS 2.0 > Trust Relationships > Relying Party Trusts, and select: Add Relying Party Trust...
Under Select Data Source, choose: Import data about a relying party from a file, and browse to the SP metadata XML file downloaded from Mobility Suite, then Next >
Under Specify Display Name, for the Display name field, enter the FQDN of the Mobility server / tenant (e.g. appcenter.company.com), then Next >
Under Choose Issuance Authorization Rules, choose: Permit all users to access this relying party, then Next >. Any user who can authenticate to ADFS is then issued a token for this relying party; which Mobility groups they land in is controlled by the Group Mappings configured below.
Under Ready to Add Trust, choose Next >
Under Finish, leave the Open the Edit Claim Rules... checkbox enabled, then Close
In the Edit Claim Rules dialog box, under Issuance Transform Rules, select Add Rule...
Under Choose Rule Type, for Claim rule template, choose: Send LDAP Attributes as Claims, then Next >
Under Configure Claim Rule, for Claim rule name, enter: LDAP attribute mappings (or similar), for Attribute store, choose: Active Directory, and add the following 4 attribute mappings, then Finish:
E-Mail-Addresses > E-Mail Address
Given-Name > Given Name
Surname > Surname
Token-Groups - Qualified by Domain Name > Group
Add another claim rule by choosing: Add Rule..., under Choose Rule Type, for Claim rule template, choose: Send Claims Using a Custom Rule, then Next >
Under Configure Claim Rule, for Claim rule name, enter: TransientName, for Custom rule, enter the following text, then Finish:
Add a third and final claim rule: under Choose Rule Type, for Claim rule template, choose: Transform an Incoming Claim, then Next >
Under Configure Claim Rule, for Claim rule name, enter: TransientNameID. For Incoming claim type, choose: Windows account name. For Outgoing claim type, choose: Name ID. For Outgoing name ID format, choose: Transient Identifier. Choose Pass through all claim values, then Finish, then OK to close the Edit Claim Rules... window. A transient Name ID is a per-session identifier, so Mobility identifies the user by the Username Attribute mapped later, not by the Name ID itself.
Download the federation metadata XML file by accessing the following URL (replacing [ADFS server name] with the actual name of the ADFS server):
https://[ADFS server name]/federationmetadata/2007-06/federationmetadata.xml
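The ADFS side of the procedure above (creating the relying party trust from the SP metadata, the issuance authorization rule, the claim rules, and fetching the federation metadata) can be scripted with the AD FS PowerShell cmdlets instead of the management console. The following is an added example and is not code from the Symantec article or from Symantec. It assumes the AD FS 2.0 snap-in name (on Windows Server 2012 R2 and later the ADFS module is used instead), the file paths and hostnames shown, and it reproduces the claim rule text that the console templates generate for the settings chosen above. The text of the "TransientName" custom rule is not present on this page, so the script leaves a variable for you to fill in from your own configuration and simply omits that rule while it is empty.

```powershell
# Added example (not from the Symantec article). Scripts the ADFS steps above.
# Load the AD FS cmdlets: snap-in on AD FS 2.0, module on Server 2012 R2 and later.
if (-not (Get-Command Add-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
}
if (-not (Get-Command Add-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Import-Module ADFS
}

$spMetadataFile = 'C:\temp\sp_metadata.xml'         # SP metadata downloaded from Mobility (assumed path)
$spDisplayName  = 'appcenter.company.com'           # FQDN of the Mobility server / tenant, as in the article
$spEntityId     = 'https://appcenter.company.com'   # SP Entity ID entered in the Mobility console
$adfsHost       = 'adfs.company.com'                # ADFS server name (assumed)
$idpMetadataOut = 'C:\temp\federationmetadata.xml'  # where the IDP metadata is saved for upload to Mobility

# Rule 1: "Send LDAP Attributes as Claims" with the four mappings from the article,
# in the claim rule language the console generates for that template.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP attribute mappings"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/claims/Group"), query = ";mail,givenName,sn,tokenGroups(domainQualifiedName);{0}", param = c.Value);
'@

# Rule 2: "Send Claims Using a Custom Rule" named TransientName. The rule text is
# not reproduced on this page; paste it here. While empty, the rule is skipped.
$transientNameRule = ''

# Rule 3: "Transform an Incoming Claim": Windows account name -> Name ID,
# Transient Identifier format, pass through all claim values.
$transientNameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "TransientNameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Issuance authorization rule: "Permit all users to access this relying party".
$permitAllRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Join the transform rules, dropping any that are still empty.
$transformRules = (@($ldapRule, $transientNameRule, $transientNameIdRule) | Where-Object { $_ -ne '' }) -join "`r`n"

# Equivalent of the Add Relying Party Trust wizard: import the SP metadata file
# and attach the authorization and transform rules in one step.
Add-ADFSRelyingPartyTrust -Name $spDisplayName -MetadataFile $spMetadataFile `
    -IssuanceAuthorizationRules $permitAllRule `
    -IssuanceTransformRules $transformRules

# Check: the trust exists and its identifiers include the SP Entity ID from Mobility.
$trust = Get-ADFSRelyingPartyTrust -Name $spDisplayName
if (-not $trust) { throw "Relying party trust '$spDisplayName' was not created" }
if ($trust.Identifier -notcontains $spEntityId) {
    Write-Warning "Trust identifiers ($($trust.Identifier -join ', ')) do not include $spEntityId; re-check the SP Entity ID in the Mobility console"
}

# Fetch the IDP federation metadata for upload under Settings > External IDP > Configure IDP.
# WebClient rather than Invoke-WebRequest so this also runs on PowerShell 2.0 (AD FS 2.0 era).
(New-Object System.Net.WebClient).DownloadFile("https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml", $idpMetadataOut)
Write-Host "IDP metadata saved to $idpMetadataOut"
```

Run this in an elevated PowerShell session on the ADFS server. After it completes, the relying party trust and claim rules should match what the console steps above produce and can be reviewed in the AD FS Management console before uploading the saved federation metadata into Mobility.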
Return to the Mobility admin console, access: Settings > External IDP > Configure IDP, under Server Configuration for IDP Metadata, choose Upload IDP Metadata and select the federation metadata XML file from above, then Save
Map the attributes as follows (for example), then Save:
Username Attribute > (either: .../emailaddress or .../windowsaccountname)
First Name Attribute > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name Attribute > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Email Attribute > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Group Attribute > http://schemas.xmlsoap.org/claims/Group
Access Settings > External IDP > Group Mappings, and add a Group Mapping for each Mobility group (i.e. the corresponding Security Group in Active Directory that should populate it), then Save
Note: The Group Search Criteria accepts the following format: [domain]\[group_name]
Note: Group Mapping with SAML is only supported in App Center / Mobility Suite version 4.1.8 and greater
Access: Settings > External IDP, and choose: Enable IDP
The Mobility server / tenant will now use ADFS for SAML authentication, for both Admin console and Work Hub Agent access.
Note: To bypass SAML authentication and log into the console with a local administrator account, access the console via the following URL. This local login path remains reachable after the IDP is enabled, so local administrator accounts should keep strong, unique passwords:
https://[Mobility server FQDN]/admin/login
Imported Document ID: HOWTO84940