This section provides information on configuring Microsoft AD FS for federation with Lexmark Print Management. Learn how to create a security token with the required claims for a resource provider.
This document provides information on configuring the Security Assertion Markup Language (SAML) version 2. If a particular configuration is not covered in this document, then contact the Lexmark Professional Services team.
Before you begin, make sure that:
The steps in this document are performed on an Active Directory server in a domain.
The server is Microsoft Windows Server 2016 with the latest service pack.
The server has a server certificate and the AD FS role is installed.
From the AD FS server, click Tools > AD FS Management.
Click the service folder, and then from the Actions panel, click Edit Federation Service Properties.
Type a federation service display name, and then set the Federation Service name to the fully qualified domain name of your server.
In the Federation Service identifier field, type the correct identifier. For example,
Notes:
From the AD FS server, click Tools > AD FS Management.
Expand the Trust Relationships folder, and then click the Relying Party Trusts folder.
From the Actions panel, click Add Relying Party Trusts.
Click Claims aware > Start > Enter data about the relying party manually > Next.
Type a display name, and then click Next.
From the Configure Certificate window, click Next.
Select Enable support for the SAML 2.0 WebSSO protocol, type the relying-party SAML 2.0 service URL, and then click Next.
Depending on your location, the following are examples of relying-party service URLs:
https://idp.us.iss.lexmark.com/users/auth/saml/callback?organization_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX
https://idp.eu.iss.lexmark.com/users/auth/saml/callback?organization_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX
Type the relying-party trust identifier, and then click Add > Next.
Depending on your location, the following are examples of relying-party trust identifiers:
https://idp.us.iss.lexmark.com
https://idp.eu.iss.lexmark.com
From the Choose Access Control Policy window, select Permit everyone or the specific access control policy for your organization, and then click Next.
Review the relying-party trust settings, and then click Next.
Clear Configure claims issuance policy for this application, and then click Close.
From the AD FS management console, click the Relying Party Trusts folder, right-click the created relying-party trust, and then click Properties.
Click the Advanced tab, and then select SHA-1 as the secure hash algorithm.
Click the Endpoints tab, and then click Add SAML.
Select SAML Logout as the endpoint type, and then in the Trusted URL field, type the trusted sign-out URL of your AD FS server. For example,
Click OK > Apply > OK.
From the AD FS server, click Tools > AD FS Management.
Click the Relying Party Trusts folder, right-click the created relying-party trust identifier, and then click Edit Claim Issuance Policy.
From the Issuance Transform Rules tab, click Add Rule.
From the Claim rule template menu, select Send LDAP Attributes as Claims, and then click Next.
Type a claim rule name, and then from the Attribute store menu, select Active Directory.
Define the following mappings:
| LDAP attribute | Outgoing claim type |
|---|---|
| E-Mail-Addresses | E-Mail Address |
| User-Principal-Name | UPN |
| Given-Name | Given Name |
| Surname | Surname |
| Department | department |
| <Attribute that maps to badge> | badge |
| <Attribute that maps to pin> | pin |
| <Attribute that maps to cost center> | costCenter |
Click OK > Finish.
From the Issuance Transform Rules tab, click Add Rule.
From the Claim rule template menu, select Transform an Incoming Claim, and then click Next.
Type a claim rule name, and then from the Incoming claim type menu, select E-Mail Address.
From the Outgoing claim type menu, select Name ID.
From the Outgoing name ID format menu, select Email.
Click Finish > OK.
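The relying-party trust, endpoints, signature algorithm and the two claim rules from the preceding steps, expressed as an added PowerShell example (not from the Lexmark document) for the AD FS module on Windows Server 2016. The display name, the AD FS sign-out URL and the <BADGE_ATTR>, <PIN_ATTR> and <COSTCENTER_ATTR> attribute names are assumptions or placeholders; the Lexmark URLs and claim names are the ones given in the text.

```powershell
Import-Module ADFS

# Assumed values; replace with your own. The Lexmark URLs are the US examples from the text.
$rpName    = 'Lexmark Print Management'                               # assumed display name
$rpId      = 'https://idp.us.iss.lexmark.com'                         # relying-party trust identifier
$acsUrl    = 'https://idp.us.iss.lexmark.com/users/auth/saml/callback?organization_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX'
$logoutUrl = 'https://adfs.example.com/adfs/ls/?wa=wsignout1.0'      # assumed: sign-out URL of this AD FS server

# Endpoints: SAML assertion consumer (HTTP-POST) and SAML logout (HTTP-Redirect)
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST     -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0),
    (New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout            -Uri $logoutUrl)
)

# The two wizard rules in AD FS claim-rule language. <BADGE_ATTR>, <PIN_ATTR> and
# <COSTCENTER_ATTR> are placeholders for the AD attributes your organization uses.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send Lexmark LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
             "department", "badge", "pin", "costCenter"),
    query = ";mail,userPrincipalName,givenName,sn,department,<BADGE_ATTR>,<PIN_ATTR>,<COSTCENTER_ATTR>;{0}",
    param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# SHA-1, as the Advanced-tab step above requires. This selects only the algorithm AD FS uses
# to sign the token; the AD FS default for new trusts is SHA-256.
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpId -SamlEndpoint $endpoints `
    -AccessControlPolicyName 'Permit everyone' `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $rules

# Read back the trust to confirm identifier, endpoints and signature algorithm
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, @{n='Endpoints'; e={ $_.SamlEndpoints.Location }}
```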
From the Account Management web portal, click Organization > Authentication Provider > Configure an Authentication Provider.
From the Domains section, type the domain of the identity provider, and then click Add.
From the Authentication Provider Type menu, select SAML.
From the SAML Authentication Provider section, select Without Metadata URL.
From the Single Sign-On Settings section, type the correct URLs in the following fields:
SSO target URL
SSO Logout URL
Notes:
From the SSO name identifier format menu, select E-mail address.
In the Certificate field, paste the base-64 encoded token-signing certificate of the identity provider.
Click Save Changes.
From the AD FS server, click Tools > AD FS Management.
Expand the Service folder, and then click the Certificates folder.
Locate the token-signing certificate.
From the Actions panel, click View Certificate.
From the Details tab, click Copy to File, and then follow the wizard.
From the Export File Format screen, select Base-64 encoded X.509 (.CER).
Save the certificate.
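The same export done from PowerShell, as an added example that is not part of the Lexmark document: it takes the primary token-signing certificate from AD FS and writes it as a base-64 encoded X.509 (.CER) file ready to paste into the Certificate field. The output path is an assumption.

```powershell
Import-Module ADFS

function Export-AdfsTokenSigningCertificate {
    param([string]$Path)   # assumed output path, e.g. "$env:USERPROFILE\adfs-token-signing.cer"

    # The primary token-signing certificate is the one AD FS currently signs tokens with
    $cert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate

    # Base-64 encoded X.509 (.CER) is DER wrapped in PEM armour, 64 characters per line
    $b64   = [Convert]::ToBase64String($cert.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    $pem   = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
    Set-Content -Path $Path -Value $pem -Encoding Ascii

    # Thumbprint and expiry, so the value pasted into the portal can be matched later
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Path = $Path }
}

# If automatic rollover is enabled, the primary certificate changes on rollover and the
# certificate stored in the Lexmark portal must be replaced at that time.
(Get-AdfsProperties).AutoCertificateRollover
Export-AdfsTokenSigningCertificate -Path "$env:USERPROFILE\adfs-token-signing.cer"
```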
Before you begin, make sure that the Active Directory users are configured with an e-mail account.
From the Active Directory server, launch the Active Directory Users and Computers panel.
Locate the specific user's account properties.
From the General tab, specify the e-mail address with the correct company domain.
Click OK.
Make sure that the users are also configured with the following LDAP attributes:
UPN
Given-Name
Surname
Department
Badge
PIN
Cost Center
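A check for the user prerequisites above, as an added example that is not part of the Lexmark document: it lists enabled users in an OU whose required attributes are empty or whose e-mail address is not in the company domain. The search base, the company domain and the <BADGE_ATTR>, <PIN_ATTR> and <COSTCENTER_ATTR> attribute names are assumptions or placeholders.

```powershell
Import-Module ActiveDirectory

# AD attributes behind the claims listed above. Replace the three placeholders with your
# own attribute names before running; Get-ADUser rejects unknown attribute names.
$required = 'mail', 'userPrincipalName', 'givenName', 'sn', 'department',
            '<BADGE_ATTR>', '<PIN_ATTR>', '<COSTCENTER_ATTR>'
$expectedDomain = 'example.com'   # assumed company e-mail domain

function Test-LexmarkUserAttributes {
    param([string]$SearchBase)   # assumed OU, e.g. 'OU=Users,DC=example,DC=com'

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $required |
        ForEach-Object {
            $u = $_
            # Attributes that are unset or blank for this user
            $missing = $required | Where-Object { [string]::IsNullOrWhiteSpace($u.$_) }
            # E-mail present but not in the company domain
            $badMail = $u.mail -and ($u.mail -notlike "*@$expectedDomain")
            if ($missing -or $badMail) {
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Missing        = ($missing -join ',')
                    WrongDomain    = [bool]$badMail
                }
            }
        }
}

Test-LexmarkUserAttributes -SearchBase 'OU=Users,DC=example,DC=com' | Format-Table -AutoSize
```

An empty result means every enabled user in the OU carries all the attributes the claim rules read.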
Access Lexmark Cloud Services using the correct URL that is provided by your Lexmark representative.
From the identity provider, type your user name and password.