AD FS Single Sign-On

Active Directory Federation Services (AD FS) is a software component that provides single sign-on (SSO) authorization services to users. With SSO, a user can access multiple applications on the server: once the user is authenticated, there is no need to enter credentials again.

For example, a user who is already logged in to the Lexmark Management Console (LMC) no longer needs to provide credentials to log in to Lexmark Print Management Console and vice-versa.

Note: When the AD FS SSO login type is enabled, the user is redirected to the AD FS Logout screen after logging out. To log in again, navigate to the Print Management Console URL.

Configuring AD FS server

For LMC, when creating a client-server application, use the application type Web browser accessing a web application.

Make sure to add the following:

For LPM, when creating a client-server application, use the application type Native application or Native application accessing a web API.

Make sure to add the following:

Updating Apache Configuration

  1. Open Windows Explorer.

  2. Navigate to <LDD-install-path>/Apache2/conf.

  3. Edit httpd-lpm-csp.conf.

  4. In the Location /printrelease/ block, append the following to the Content-Security-Policy header value, before the closing double quote (replace <adfs-server-address> with the address of your AD FS server):

    frame-ancestors 'self' https://<adfs-server-address>/;

  5. Add the following at the end of the file (replace <adfs-server-address> with the address of your AD FS server):

    <Location ~ "^/lmc/(.*)">
    Header set Content-Security-Policy "frame-ancestors 'self' https://<adfs-server-address>/;"
    </Location>

  6. Save the file.

  7. Restart the Apache2.4 service.
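The frame-ancestors directive set in the steps above controls which sites may embed the LMC and Print Management Console pages in a frame: only the console's own origin ('self') and the AD FS server. The following is an added example, not Lexmark's code, that parses a Content-Security-Policy header and audits its frame-ancestors directive so you can confirm the edited configuration is being served correctly (for instance by pasting the header value returned for /lmc/ into it). The hostnames adfs.example.com and lpm.example.com and the header strings are constructed for illustration; the matching logic covers 'self', 'none', '*' and plain scheme://host sources, which is all the steps above use.

```python
# Added example (not Lexmark's code): parse a Content-Security-Policy header and
# audit its frame-ancestors directive. All hostnames and headers below are
# constructed placeholders for illustration.
from __future__ import annotations

from urllib.parse import urlsplit


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive, so they are lowercased; only the first occurrence
    of a directive counts, as browsers ignore later duplicates.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port], dropping any path such as '/'."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def frame_ancestors_allows(header: str, page_url: str, framer_url: str) -> bool:
    """Return True if a page served with `header` at `page_url` may be framed
    by a document at `framer_url` (simple source expressions only)."""
    sources = parse_csp(header).get("frame-ancestors")
    if sources is None:
        # No frame-ancestors directive: CSP does not restrict framing at all,
        # so any site could embed the page (clickjacking exposure).
        return True
    if [s.lower() for s in sources] == ["'none'"]:
        return False
    framer = _origin(framer_url)
    for src in sources:
        src_l = src.lower()
        if src_l == "*":
            return True
        if src_l == "'self'":
            if framer == _origin(page_url):
                return True
            continue
        # Host source: compare scheme and host, ignoring a trailing path.
        if "://" in src_l and _origin(src_l) == framer:
            return True
    return False


def expected_frame_ancestors(adfs_server_address: str) -> str:
    """The directive the Apache steps above add, with the placeholder filled in."""
    return f"frame-ancestors 'self' https://{adfs_server_address}/;"


def audit_frame_ancestors(header: str, console_url: str, adfs_url: str) -> list[str]:
    """Return a list of problems with the console's frame-ancestors policy.

    An empty list means the policy matches what the AD FS SSO setup needs:
    the console can frame its own pages, the AD FS server can frame it,
    and nothing else can.
    """
    sources = parse_csp(header).get("frame-ancestors")
    if sources is None:
        return ["frame-ancestors directive missing: any site may frame the console"]
    findings: list[str] = []
    if "*" in sources:
        findings.append("wildcard '*' allows any site to frame the console")
    if any(s.lower().startswith("http://") for s in sources):
        findings.append("plain http:// framer allowed; use https:// for the AD FS server")
    if not frame_ancestors_allows(header, console_url, console_url):
        findings.append("'self' missing: the console cannot frame its own pages")
    if not frame_ancestors_allows(header, console_url, adfs_url):
        findings.append(f"AD FS origin {_origin(adfs_url)} is not allowed to frame the console")
    return findings


if __name__ == "__main__":
    # Constructed header value, as the edited httpd-lpm-csp.conf would serve it.
    good = expected_frame_ancestors("adfs.example.com")
    print(audit_frame_ancestors(good, "https://lpm.example.com/lmc/",
                                "https://adfs.example.com/adfs/ls/"))
```

Run the audit against the header value actually returned for the /lmc/ and /printrelease/ paths after restarting Apache; an empty list confirms the frame-ancestors edit took effect, while a "missing" finding usually means the Location block was added to the wrong file or the service was not restarted.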

Configuring AD FS login

  1. On the upper-right corner of Print Management Console, click the Settings icon.

  2. Click Login.

  3. From the Type menu, select AD FS SSO.

  4. In the Login Group text field, type the name of the Active Directory or LDAP group whose members are granted administrator access to Print Management Console.

    Note: If the user logging in is a member of the Login Group, the user has administrator access; otherwise, the user is redirected to the user portal.

  5. Click Save Changes.

  Note: When the AD FS SSO login type is enabled, the user is redirected to the AD FS Logout screen after logging out. To log in again, navigate to the Print Management Console URL.

Print Management Console Settings

  1. Click the Settings icon on the upper-right corner of Print Management Console.

  2. Configure the AD FS and LDAP server settings:

    For AD FS Settings:

    1. Type the address of the AD FS server.

    2. Import the SSL certificate that LPM uses to communicate with the AD FS server.

    3. Type the client ID.

    4. Type the client secret.

      Note: This is not a mandatory field.

    5. Type the scope of the client.

      Note: The default value is openid.

    6. Click Save Changes.

    For LDAP Settings:

    1. Click Add.

      Note: If no existing LDAP entry points to the Active Directory that the AD FS server uses, then configure the server details.

    2. Configure the server details.

      Note: In the LDAP settings, add the Active Directory that the AD FS server uses.

    3. Click Save Changes.