Configuring Active Directory Federation Services (AD FS)

Configuring AD FS overview

This section provides information on configuring Microsoft AD FS for federation with Lexmark Print Management. Learn how to create a security token with the required claims for a resource provider.

This document provides information on configuring the Security Assertion Markup Language (SAML) version 2. If a particular configuration is not covered in this document, then contact the Lexmark Professional Services team.

Prerequisites

Before you begin, make sure that:

Configuring AD FS for Security Assertion Markup Language (SAML)

Configuring the federation identifier

  1. From the AD FS server, click Tools > AD FS Management.

  2. Click the service folder, and then from the Actions panel, click Edit Federation Service Properties.

    A screenshot showing the Federation Services Properties window.
  3. Type a federation service display name, and then set the Federation Service name to the fully qualified domain name of your server.

  4. In the Federation Service identifier field, type the correct identifier. For example, http://ServerFQDN/adfs/services/trust.

    Notes:

    • Provide the resource provider with the federation service name. Make sure that the AD FS server is accessible from the internet.
    • For more information on installing a federation server proxy, see the Microsoft documentation.
    • For more information on configuring the federation server proxy role, see the Microsoft documentation.

Configuring relying-party trust identifiers

  1. From the AD FS server, click Tools > AD FS Management.

  2. Expand the Trust Relationships folder, and then click the Relying Party Trusts folder.

  3. From the Actions panel, click Add Relying Party Trusts.

  4. Click Claims aware > Start > Enter data about the relying party manually > Next.

  5. Type a display name, and then click Next.

  6. From the Configure Certificate window, click Next.

  7. Select Enable support for the SAML 2.0 WebSSO protocol, type the relying-party SAML 2.0 service URL, and then click Next.

    Note: Obtain the organization ID from the resource provider.

    Depending on your location, the following are examples of relying-party service URLs:

    • https://idp.us.iss.lexmark.com/users/auth/saml/callback?organization_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX

    • https://idp.eu.iss.lexmark.com/users/auth/saml/callback?organization_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX

  8. Type the relying-party trust identifier, and then click Add > Next.

    A screenshot showing the relying party service URL.
    Note: Obtain the relying-party trust identifier from the resource provider.

    Depending on your location, the following are examples of relying-party trust identifiers:

    • https://idp.us.iss.lexmark.com

    • https://idp.eu.iss.lexmark.com

    A screenshot showing the relying party trust identifier.
  9. From the Choose Access Control Policy window, select Permit everyone or the specific access control policy for your organization, and then click Next.

  10. Review the relying-party trust settings, and then click Next.

  11. Clear Configure claims issuance policy for this application, and then click Close.

  12. From the AD FS management console, click the Relying Party Trusts folder, right-click the created relying-party trust, and then click Properties.

  13. Click the Advanced tab, and then select SHA-1 as the secure hash algorithm.

    A screenshot showing the secure hash algorithm.
  14. Click the Endpoints tab, and then click Add SAML.

    A screenshot showing the endpoint.
  15. Select SAML Logout as the endpoint type, and then in the Trusted URL field, type the trusted sign-out URL of your AD FS server. For example, https://ServerFQDN/adfs/ls/?wa=wsignout1.0.

  16. Click OK > Apply > OK.

Configuring AD FS claims rules

  1. From the AD FS server, click Tools > AD FS Management.

  2. Click the Relying Party Trusts folder, right-click the relying-party trust that you created, and then click Edit Claim Issuance Policy.

  3. From the Issuance Transform Rules tab, click Add Rule.

  4. From the Claim rule template menu, select Send LDAP Attributes as Claims, and then click Next.

    A screenshot showing the selection of the claim rule template.
  5. Type a claim rule name, and then from the Attribute store menu, select Active Directory.

    A screenshot showing the configuration of rules.
  6. Define the following mappings:

     LDAP attribute                        Outgoing claim type
     E-Mail-Addresses                      E-Mail Address
     User-Principal-Name                   UPN
     Given-Name                            Given Name
     Surname                               Surname
     Department                            department
     <Attribute that maps to badge>        badge
     <Attribute that maps to pin>          pin
     <Attribute that maps to cost center>  costCenter

    Note: Replace <Attribute that maps to> with the correct LDAP attribute for your organization.
  7. Click OK > Finish.

  8. From the Issuance Transform Rules tab, click Add Rule.

  9. From the Claim rule template menu, select Transform an Incoming Claim, and then click Next.

  10. Type a claim rule name, and then from the Incoming claim type menu, select E-Mail Address.

  11. From the Outgoing claim type menu, select Name ID.

  12. From the Outgoing name ID format menu, select Email.

  13. Click Finish > OK.

A screenshot showing the configuration of claim rules.
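The relying-party trust, its SAML endpoints, the signature algorithm and the two claim rules from the procedures above can also be created with the AD FS PowerShell module, which makes the configuration reviewable and repeatable. The following script is an added example, not a script from Lexmark or Microsoft. The server name, the organization ID, the region and the LDAP attributes for badge, pin and cost center are placeholders; the POST and Redirect bindings of the endpoints are assumptions, because the console steps do not state them. Run it in an elevated session on the AD FS server.

```powershell
# Added example: scripted equivalent of the relying-party trust and claim-rule steps.
# Every value marked "assumption" or "placeholder" must be replaced before use.
Import-Module ADFS

$fqdn         = 'adfs.example.com'                            # assumption: your AD FS federation service name
$orgId        = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX'         # placeholder: organization ID from the resource provider
$region       = 'us'                                           # 'us' or 'eu', depending on your location
$rpIdentifier = "https://idp.$region.iss.lexmark.com"          # relying-party trust identifier (step 8)
$acsUrl       = "$rpIdentifier/users/auth/saml/callback?organization_id=$orgId"   # SAML 2.0 service URL (step 7)
$logoutUrl    = "https://$fqdn/adfs/ls/?wa=wsignout1.0"        # trusted sign-out URL (step 15)

# Step 13 selects SHA-1. The SHA-256 URI is the alternative when the resource provider accepts it.
$sigAlg = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# $sigAlg = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# LDAP attributes behind the badge, pin and cost center claims (assumptions; see the note under step 6).
$badgeAttr      = 'employeeID'
$pinAttr        = 'pager'
$costCenterAttr = 'extensionAttribute1'

# Steps 7 and 15: SAML assertion consumer (WebSSO) endpoint and SAML logout endpoint.
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST     -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0),
    (New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout            -Uri $logoutUrl)
)

# Steps 4 to 7 of the claim rules: "Send LDAP Attributes as Claims", same mappings as the table.
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Lexmark LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "department", "badge", "pin", "costCenter"), query = ";mail,userPrincipalName,givenName,sn,department,$badgeAttr,$pinAttr,$costCenterAttr;{0}", param = c.Value);
"@

# Steps 9 to 13 of the claim rules: "Transform an Incoming Claim", E-Mail Address -> Name ID, format Email.
$transformRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Steps 3 to 11 of the trust: create the claims-aware trust with the access control policy of step 9.
Add-AdfsRelyingPartyTrust -Name 'Lexmark Print Management' `
    -Identifier $rpIdentifier `
    -SamlEndpoint $endpoints `
    -SignatureAlgorithm $sigAlg `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules ($ldapRule + "`n" + $transformRule)

# Read the trust back so the values can be compared with what the console shows.
Get-AdfsRelyingPartyTrust -Name 'Lexmark Print Management' |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } }
```

The claim-rule text is what the AD FS console generates from the two templates; custom outgoing claim types such as department, badge, pin and costCenter are emitted with exactly the type string typed in the console. Because the Name ID is transformed from the E-Mail Address claim, a user without a mail attribute receives no Name ID and the sign-in at the resource provider fails.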

Providing metadata to resource providers

Configuring the resource provider

  1. From the Account Management web portal, click Organization > Authentication Provider > Configure an Authentication Provider.

    A screenshot showing the Authentication Provider setting.
  2. From the Domains section, type the domain of the identity provider, and then click Add.

    A screenshot showing the creation of domains.
  3. From the Authentication Provider Type menu, select SAML.

  4. From the SAML Authentication Provider section, select Without Metadata URL.

  5. From the Single Sign-On Settings section, type the correct URLs in the following fields:

    • SSO target URL

    • SSO Logout URL

    A screenshot showing the single sign-on settings.

    Notes:

    • Use the correct fully qualified domain name.
    • Depending on your location, the entity ID must be https://idp.us.iss.lexmark.com or https://idp.eu.iss.lexmark.com.
  6. From the SSO name identifier format menu, select E-mail address.

  7. In the Certificate field, paste the base-64-encoded token-signing certificate of the identity provider.

    A screenshot showing the certificate information.
    Note: For more information, see Obtaining the token-signing certificate.
  8. Click Save Changes.

Obtaining the token-signing certificate

  1. From the AD FS server, click Tools > AD FS Management.

  2. Expand the Service folder, and then click the Certificates folder.

  3. Locate the token-signing certificate.

  4. From the Actions panel, click View Certificate.

  5. From the Details tab, click Copy to File, and then follow the wizard.

  6. From the Export File Format screen, select Base-64 encoded X.509 (.CER).

    A screenshot showing the Certificate Export Wizard window.
  7. Save the certificate.
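The same Base-64 encoded X.509 (.CER) export, together with the certificate details needed to verify the copy at the resource provider, can be produced without the wizard. The following script is an added example, not a Lexmark or Microsoft script; the output path is an assumption. Run it on the AD FS server.

```powershell
# Added example: export the primary token-signing certificate as Base-64 X.509 (.CER)
# and report the details an administrator uses to verify and track it.
Import-Module ADFS

$outFile = Join-Path $PWD 'adfs-token-signing.cer'      # assumption: output path

# AD FS can hold a primary and a secondary token-signing certificate; tokens are signed with the primary.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $primary.Certificate                         # X509Certificate2

# Export the public certificate only (ContentType Cert); the private key stays on the AD FS server.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)

@('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----') |
    Set-Content -Path $outFile -Encoding ascii

# Thumbprint and validity period: compare these with what the resource provider shows after saving.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    File       = $outFile
}

# With automatic rollover enabled, AD FS generates and later promotes a new token-signing
# certificate; a resource provider configured "Without Metadata URL" does not pick it up,
# so the new certificate has to be pasted in again before the promotion date.
Get-AdfsProperties |
    Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold
```

Keep the exported file's thumbprint with the change record for the resource provider; when the thumbprint reported by this script changes, repeat steps 7 and 8 of Configuring the resource provider with the new certificate.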

Verifying configuration

Configuring user roles in Active Directory

Before you begin, make sure that the Active Directory users are configured with an e-mail account.

  1. From the Active Directory server, launch the Active Directory Users and Computers panel.

  2. Locate the specific user's account properties.

  3. From the General tab, specify the e-mail address with the correct company domain.

    A screenshot showing the user_account Properties window.
  4. Click OK.
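Checking the accounts in bulk is quicker than opening each user's properties, and it catches the cases that make a federated sign-in fail: no e-mail address, an e-mail address outside the company domain, or an empty attribute that the claim rules read. The following script is an added example, not a Lexmark or Microsoft script; the search base and the mail domain are assumptions, and the attribute list is the one the LDAP claim rule queries.

```powershell
# Added example: report Active Directory users whose attributes would produce an
# incomplete SAML assertion for the resource provider.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,DC=example,DC=com'     # assumption: container of the federated users
$mailDomain = 'example.com'                    # assumption: the company domain used in step 3
# Attributes that the "Send LDAP Attributes as Claims" rule queries (mail feeds the Name ID).
$required   = 'mail', 'userPrincipalName', 'givenName', 'sn', 'department'

$report = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties $required |
    ForEach-Object {
        $user        = $_
        $missing     = $required | Where-Object { [string]::IsNullOrWhiteSpace($user.$_) }
        $wrongDomain = $user.mail -and ($user.mail -notlike "*@$mailDomain")
        if ($missing -or $wrongDomain) {
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Mail           = $user.mail
                Missing        = ($missing -join ',')
                WrongDomain    = [bool]$wrongDomain
            }
        }
    }

if ($report) {
    $report | Sort-Object SamAccountName | Format-Table -AutoSize
} else {
    "All enabled users under $searchBase have the required attributes."
}
```

A user listed with mail in the Missing column gets no Name ID from the transform rule and cannot sign in; a user listed with WrongDomain set to True has an e-mail address that does not match the domain added under Domains in the resource provider configuration.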

Make sure that the users are also configured with the following LDAP attributes:

Accessing Lexmark Cloud Services

  1. Access Lexmark Cloud Services using the correct URL that is provided by your Lexmark representative.

    A screenshot showing the Lexmark Cloud Services portal.
  2. From the identity provider, type your user name and password.

    A screenshot showing the identity provider prompt.
    Note: The user name must be your full e-mail address. For more information, see Accessing the Lexmark Cloud Services dashboard.