Install using the Custom ADFS profile

1. In LifeCycle Manager, select Actions > Install Product.
2. From the list, select the product Infor SAML Session Provider <version>. Click Next.
3. On the Host selection window, select the grid host where you want to deploy the SAML Session Provider 1.13. Select Custom ADFS as the installation profile, and click Next.
4. If a SAML router already exists, you will be asked if you want to reuse that router. If no SAML router exists, on the Router properties window, define the properties for the router to be used by the session provider and for any additional endpoint addresses, and click Next:
   - External Router Address: The external address for the router.
   - Router IP Address: The external IP address of the router.
   - Router HTTP port: The HTTP port for the router. The installation suggests the next highest available ports for this field and the next field.
   - Router HTTPS port: The HTTPS port for the router.
   - Restrict SYSTEM access: Select this check box to publish all applications except the Grid Management Pages via the SAML Router. Select this option if management of the grid is authenticated with a client certificate.
   - Additional ACS endpoints: If load balancers or proxies are placed in front of the Grid, the SAML Session Provider needs to publish endpoints for those addresses. Write one entry per row in the format fqdn:port. The first entry will be configured as the Logout Endpoint and will be used to form the Entity ID for the SAML Session Provider (to be used in IFS and AD FS). If nothing is added here, all login and logout endpoints are based on the SAML router properties defined above.
   - Exclude Router ACS: Select this check box to create Assertion Consumer Services for the Additional ACS endpoints only. No ACS value will be created based on the SAML Router properties. Select this option if all SAML authentication should pass via the load balancer, that is, no direct access to grid routers by end users.
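The Additional ACS endpoints and Exclude Router ACS rules above, worked through as an added example that is not Infor's installer code: it validates each fqdn:port row, derives which host:port pairs receive an Assertion Consumer Service and which one becomes the Logout Endpoint, and forms the Entity ID in the urn:<fqdn>_<port> shape shown for LTR/Infor OS later in this procedure. The class and function names, the hostname label rule and the sample hosts are assumptions.

```python
"""Added example: derive the endpoints the Router properties step describes.
Not Infor's installer code; names and sample hosts are assumptions."""
import re
from dataclasses import dataclass

# Label rule is an assumption (RFC 1123-style); the page only says "fqdn:port".
_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)

@dataclass
class RouterProps:
    external_address: str   # External Router Address
    https_port: int         # Router HTTPS port

@dataclass
class Plan:
    acs_endpoints: list     # (fqdn, port) pairs that get an Assertion Consumer Service
    logout_endpoint: tuple  # (fqdn, port) configured as the Logout Endpoint
    entity_id: str          # urn:<fqdn>_<port>, the format shown for LTR/Infor OS

def parse_acs_rows(rows):
    """Parse 'fqdn:port' rows; blank rows are skipped, anything else is rejected."""
    out = []
    for n, raw in enumerate(rows, 1):
        row = raw.strip()
        if not row:
            continue
        host, sep, port = row.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"row {n}: expected fqdn:port, got {row!r}")
        if not _FQDN.match(host):
            raise ValueError(f"row {n}: {host!r} is not a fully qualified domain name")
        out.append((host.lower(), int(port)))
    return out

def plan_endpoints(router, acs_rows, exclude_router_acs=False):
    """Apply the page's rules: router ACS unless excluded, first extra row wins."""
    extra = parse_acs_rows(acs_rows)
    # Assumption: excluding the router with no additional rows leaves no ACS at all.
    if exclude_router_acs and not extra:
        raise ValueError("Exclude Router ACS requires at least one Additional ACS endpoint")
    router_ep = (router.external_address.lower(), router.https_port)
    acs = [] if exclude_router_acs else [router_ep]
    acs += [e for e in extra if e not in acs]
    # With no additional rows, login and logout fall back to the router properties.
    logout = extra[0] if extra else router_ep
    return Plan(acs, logout, f"urn:{logout[0]}_{logout[1]}")
```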
5. On the Session Provider Properties window, define the following and click Next:
   - IdP FQDN: The fully qualified domain name of the AD FS server.
   - IdP http port: The HTTP port of the AD FS endpoint.
   - IdP https port: The SSL port of the AD FS endpoint.
   - Metadata URI: Provide the URI to the federation metadata. The default AD FS value is /FederationMetadata/2007-06/FederationMetadata.xml. The URI can be found in the AD FS management console: expand "Service" > "Endpoints". In the Metadata section, find the URL Path for the Federation Metadata.
   The Secondary Identity Provider properties are only applicable in cloud scenarios.
   After you click Next, the installer retrieves the SSL certificates from the AD FS server and you must confirm them before continuing. The installer then retrieves the AD FS metadata and parses it for suggested values used in a later installation step.
6. On the IFS Properties window, define the following and click Next:
   - IFS admin user: Provide the name of a domain user that has the IFSApplicationAdmin and AttributeServiceCaller IFS Security Roles. The username must be in the domain\uid format. This should be a service user with a password that does not expire; otherwise, the password must be kept up to date. This user is used for authenticating IFS web service calls, both during installation and at runtime.
   - IFS admin password: Provide the password for the domain user from the previous field.
   - Server administrator: This property cannot be used with LTR or Infor OS, only with older IFS versions. If User Access Control (UAC) is activated on the IFS server, the local administrator account must be provided in order for IFS to be able to push the SAML Session Provider configuration to AD FS.
   - Server admin password: This property cannot be used with LTR or Infor OS, only with older IFS versions. Provide the password for the server administrator user from the previous field.
   - IFS FQDN: Specify the FQDN for IFS.
   - IFS HTTP port: Specify the HTTP port for reaching IFS.
   - IFS HTTPS port: Specify the HTTPS port for reaching IFS.
   After you click Next, the entity ID for the SAML Session Provider generated after step 4 is validated against IFS. If the entity ID already exists as an application, you must confirm that you want to overwrite the existing application in IFS.
7. Review the fields on the SAML Properties window, specifically these properties:
   - Identity Claim name: Change the value to http://schemas.infor.com/claims/Person. Note: This value should be used for M3.
   - Requested Authn Context: Define the preferred method of authenticating to AD FS. For further information regarding this property, see SAML Authentication Request approved authentication methods.
   - Authn Context Comparison: Define the way to interpret the Requested Authn Context scope. For further information regarding this property, see SAML Authentication Request approved authentication methods.
   Note: These properties are used by the SAML Session Provider when communicating with AD FS and also define the endpoints the SAML Session Provider will provide for logging in and logging out. The suggested values are based on the AD FS metadata retrieved in previous steps.
8. Review the values on the Summary window and click Finish to start the installation.
9. For LTR or Infor OS, activate the application manually in LTR or Infor OS Manager. See "Completing claims-based authentication configuration" in Infor Local Technology Runtime or Infor OS Installation Guide.
   - Open LTR or Infor OS Manager for the correct farm.
   - Select Applications.
   - Identify the application corresponding to your SAML Session Provider installation, in the format urn:<SAML router FQDN>_<SAML router https port>.
   - Click Download for this application to save a PowerShell script.
   - Run the script on the AD FS server. See AD FS server configuration in Infor Local Technology Runtime or Infor OS Installation Guide.
10. Continue with the procedure Add Assertion Consumer Service endpoint to AD FS.