Sitrion ONE offers an Active Directory Integration mode that lets a company use its existing security infrastructure to authenticate users for mobile consumption. Compared with Sitrion Authentication, this mode avoids most of the administrative work: users are provisioned on the platform from their Active Directory identity, so there is no need to create or maintain them in the management portal.
In order to use the Active Directory Integration Mode, your company needs an Active Directory domain and must have Active Directory Federation Services 2.0 (ADFS v2) installed. ADFS 2.0 is a separate download that runs on Windows Server 2008 and Windows Server 2008 R2 (it is not available for Windows Server 2003); later Windows Server versions ship ADFS as a built-in server role.
The ADFS sign-in and federation metadata endpoints must be reachable from the internet, because the mobile devices are redirected to them. Do not expose the federation server itself: Microsoft provides a dedicated proxy role for this scenario (the Federation Server Proxy in ADFS 2.0, the Web Application Proxy in later versions) that is placed in the DMZ and forwards only the ADFS endpoints over HTTPS while the federation server stays on the internal network. More information on this topic can be found in the Microsoft documentation.
In order to use Active Directory Integration mode, a trust relationship must be created between the Sitrion Azure Access Control Service and the customer's ADFS server. This process is performed together with a technical contact from Sitrion.
In the ADFS configuration, add a Relying Party Trust and load the federation metadata from:
Importing the metadata automatically configures the trust with the identifier, endpoints and token signing/encryption certificates of the Sitrion Access Control Service, so nothing has to be entered or installed by hand. Afterwards, select the newly created relying party and right click -> Edit Claim Rules.
On the dialog, click Add claim rule and select "Send LDAP Attributes as Claims" from the dropdown list. Create the attribute mapping as shown in the following screenshot.
Click OK to create the rule.
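The same procedure, scripted with the ADFS cmdlets so it can be repeated on a second federation server and checked afterwards. This is an added example, not a script from Sitrion or from Microsoft. It assumes, beyond what the page states: the metadata URL is the one Sitrion supplies for its Access Control Service (the page does not print it, so it is passed in as a parameter), the trust name "Sitrion ONE", and an illustrative attribute mapping (mail to emailaddress, userPrincipalName to upn) that stands in for the mapping in the screenshot; replace it with the mapping Sitrion asks for.

```powershell
# Added example (not Sitrion's or Microsoft's script): create the Sitrion ONE
# relying party trust from federation metadata, attach a "Send LDAP Attributes
# as Claims" rule and read the trust back to verify it. Run as an administrator
# on the federation server.
# Assumptions not taken from the page: $MetadataUrl is the URL supplied by
# Sitrion, the trust name, and the attribute mapping in $ldapRule.
param(
    [Parameter(Mandatory = $true)][string]$MetadataUrl,   # supplied by Sitrion
    [string]$TrustName = 'Sitrion ONE'
)

# ADFS 2.0 ships its cmdlets as a snap-in; Windows Server 2012 and later ship
# an ADFS module that loads on demand, so the snap-in step is skipped there.
if (-not (Get-Module -Name ADFS -ListAvailable -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# The metadata must be downloadable over HTTPS from the federation server.
# Check first so a firewall or proxy problem shows up as a clear error instead
# of a half-created trust.
try {
    $xml = [xml](New-Object System.Net.WebClient).DownloadString($MetadataUrl)
} catch {
    throw "Cannot download federation metadata from $MetadataUrl : $_"
}
$rpIdentifier = $xml.EntityDescriptor.entityID
if (-not $rpIdentifier) { throw 'Metadata has no entityID; is this the right URL?' }

# The rule the "Send LDAP Attributes as Claims" template generates, written in
# the claim rule language. The attribute list is the assumed example mapping.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Sitrion ONE LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Without an issuance authorization rule ADFS issues no token at all. Permit all
# authenticated users here; restrict to a group if only some users get Sitrion ONE.
$authzRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-ADFSRelyingPartyTrust -Name $TrustName) {
    throw "A relying party trust named '$TrustName' already exists."
}

# Monitoring plus auto-update make ADFS re-read the metadata periodically, so a
# rolled-over Sitrion signing certificate is picked up without manual work.
Add-ADFSRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $ldapRule -IssuanceAuthorizationRules $authzRule

# Read the trust back: identifier, imported certificates and the rules attached.
$trust = Get-ADFSRelyingPartyTrust -Name $TrustName
if ($trust.Identifier -notcontains $rpIdentifier) {
    throw "Trust identifier $($trust.Identifier) does not match metadata entityID $rpIdentifier"
}
$trust | Select-Object Name, Identifier, Enabled, MonitoringEnabled,
    EncryptionCertificate, IssuanceTransformRules
```

The final read-back is the check to keep: if the identifier in the trust does not match the entityID in the metadata, or the issuance transform rules come back empty, the login will fail with a generic ADFS error that is hard to diagnose from the device.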
Sitrion is responsible for setting up the corresponding rules in the Sitrion Access Control Service. Once both sides are configured, users are redirected to the ADFS login page when they sign in, and backend systems can then be configured to use SSO (see "Connection from the Hub Service to SAP / SharePoint").
Because authentication happens entirely in ADFS and Sitrion only receives the resulting token, the customer keeps complete control over the authentication method in AD integration mode. ADFS can be configured to offer more than one method; additional authentication types include, but are not limited to, client certificates, RSA tokens and third-party authentication providers.
Customizing the Login Experience
The ADFS server provides the login pages that end users see on their device. In ADFS 2.0 these are plain ASP.NET pages in the adfs/ls virtual directory (FormsSignIn.aspx for forms logon) and can be edited to render well on a mobile device; with CSS media queries a device-dependent layout of the login page can be created without changing the sign-in logic. Note that ADFS on Windows Server 2012 R2 and later no longer exposes these pages and is customized through its web theme mechanism instead.