Installing the SAML Session Provider using the Custom ADFS profile

  1. In LifeCycle Manager, select Actions > Install Product.
  2. From the list, select the product Infor SAML Session Provider <version>. Click Next.
  3. On the Host selection window, select the grid host you want to deploy the SAML Session Provider to. Select "Custom ADFS" as the installation profile, and click Next.
  4. If a SAML router already exists, you are asked whether you want to reuse that router. If no SAML router exists, on the Router properties window, define the properties for the router to be used by the session provider, and for any additional endpoint addresses, and click Next:
    External Router Address

    The external address for the router.

    Router IP Address

    The external IP address of the router.

    Router HTTP port

    The HTTP port for the router. The installation provides the next highest available ports as a suggestion for this field and the next field.

    Router HTTPS port

    The HTTPS port for the router.

    Restrict SYSTEM access

    Select this check box to publish all applications except the Grid Management Pages via the SAML Router. Select this option if management of the grid is authenticated with a client certificate.

    Additional ACS endpoints

    If load balancers or proxies are placed in front of the Grid, the SAML Session Provider needs to publish endpoints for those addresses, as described in Configuring Login and Logout Endpoints.

    Write one entry per row in the format fqdn:port. The first entry will be configured as the Logout Endpoint, and will be used to form the Entity ID for the SAML Session Provider (to be used in IFS and AD FS). If nothing is added here, all login and logout endpoints are based on the SAML router properties defined above.

    Exclude Router ACS

    Select this check box to create Assertion Consumer Services for the Additional ACS endpoints only. No ACS value will be created based on the SAML Router properties. Select this option if all SAML authentication should pass via the load balancer - that is, no direct access to grid routers by end users.
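
As an added example (not part of the Infor documentation), a small Python helper that validates the "Additional ACS endpoints" rows and derives the Assertion Consumer Service list, the Logout Endpoint and the Entity ID from the step 4 inputs, honoring "Exclude Router ACS". Two labelled assumptions: the Entity ID takes the urn:<fqdn>_<https port> shape shown in step 9 (applied to the first additional entry when one is given), and endpoints are returned as https base addresses only, since the URL paths are defined in the separate "Configuring Login and Logout Endpoints" procedure.

```python
# Added example, not Infor's code: plan the SAML router endpoints from the
# step 4 installer inputs. Assumptions (not stated on the page): the Entity ID
# is formed as urn:<fqdn>_<port> from the logout endpoint, and endpoints are
# reported as https base addresses without the ACS/login/logout URL paths.
import re

# Hostname labels per DNS rules; the field requires a fully qualified name.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)

def parse_acs_entry(row):
    """Validate one 'fqdn:port' row from the Additional ACS endpoints field."""
    row = row.strip()
    host, sep, port = row.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("expected fqdn:port, got %r" % row)
    if not FQDN_RE.match(host):
        raise ValueError("not a fully qualified host name: %r" % host)
    return host.lower(), int(port)

def plan_endpoints(router_fqdn, router_https_port, additional_rows, exclude_router_acs=False):
    """Derive the ACS list, logout endpoint and Entity ID from the step 4 inputs."""
    extra = [parse_acs_entry(r) for r in additional_rows if r.strip()]
    if exclude_router_acs and not extra:
        raise ValueError("Exclude Router ACS requires at least one additional endpoint")
    router = (router_fqdn.lower(), int(router_https_port))
    # The first additional entry (if any) becomes the logout endpoint and Entity ID source;
    # with no additional entries everything is based on the router properties.
    logout = extra[0] if extra else router
    acs, seen = [], set()
    for host, port in ([] if exclude_router_acs else [router]) + extra:
        if (host, port) not in seen:  # a duplicate row would publish the same ACS twice
            seen.add((host, port))
            acs.append("https://%s:%d" % (host, port))
    return {"entity_id": "urn:%s_%d" % logout,
            "logout_endpoint": "https://%s:%d" % logout,
            "acs_endpoints": acs}
```

Run it against the addresses that a load balancer actually publishes: an ACS list that does not match those addresses exactly is the usual reason AD FS rejects the response after this step.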

  5. On the Session Provider Properties window, define the following and click Next:
    IdP FQDN

    The fully qualified domain name of the AD FS server.

    IdP http port

    The HTTP port of the AD FS endpoint.

    IdP https port

    The SSL port of the AD FS endpoint.

    Metadata URI

    Provide the URI to the federation metadata. The default AD FS value is /FederationMetadata/2007-06/FederationMetadata.xml. The URI can be found in the AD FS management console: expand Service > Endpoints. In the Metadata section, find the URL Path for the Federation Metadata.

    The Secondary Identity Provider properties are only applicable in cloud scenarios.

    After you click Next, the installer retrieves the SSL certificates from the AD FS server, and you must confirm them before continuing. The installer then retrieves the AD FS metadata and parses it for suggested values used in a later installation step.

  6. On the IFS Properties window, define the following and click Next:
    IFS admin user

    Provide the name of a domain user that has the IFSApplicationAdmin and AttributeServiceCaller IFS Security Roles. The username must be in the domain\uid format. This should be a service user whose password does not expire; otherwise, the password must be kept up to date. This user is used for authenticating IFS web service calls, both during installation and at runtime.

    IFS admin password

    Provide the password for the domain user from the previous field.

    Server administrator

    This property cannot be used with Xi Platform, only with older IFS versions. If User Access Control (UAC) is activated on the IFS server, the local administrator account must be provided in order for IFS to be able to push the SAML Session Provider configuration to AD FS.

    Server admin password

    This property cannot be used with Xi Platform, only with older IFS versions. Provide the password for the server administrator user from the previous field.

    IFS FQDN

    Specify the FQDN for IFS.

    IFS HTTP port

    Specify the HTTP port for reaching IFS.

    IFS HTTPS port

    Specify the HTTPS port for reaching IFS.

    After you click Next, the entity ID for the SAML Session Provider generated from the values in step 4 is validated against IFS. If the entity ID already exists as an application, you must confirm that you want to overwrite the existing application in IFS.

  7. In the SAML Properties window, configure the Identity Claim name and click Next.
    Identity Claim name

    Change the value to http://schemas.infor.com/claims/Person

  8. Review the values on the Summary window and click Finish to start the installation.
  9. The application must now be activated manually in the Xi Platform Manager. To do this, perform the following steps. For more information, see "Completing claims-based authentication configuration" in the Infor Xi Platform Installation Guide.
    1. Open Xi Platform Manager for the correct farm.
    2. Select Applications.
    3. Identify the application corresponding to your SAML Session Provider installation, in the format urn:<SAML router FQDN>_<SAML router https port>.
    4. Click the download link for this application to save a PowerShell script.
    5. Run the script on the AD FS server.

      See "AD FS server configuration" in the Infor Xi Platform Installation Guide.

  10. Continue with the procedure "Add Assertion Consumer Service endpoint to AD FS".