
Configuring AD FS Parameters on HMP

Once the Relying Party Trust and Claim Rules have been set up, find the AD FS parameters you will need to configure SSO on HMP, summarized in the following table. See Integrating HMP with Single Sign-On (SSO) Environments for a complete description of these parameters.

OAuth 2.0                 | WS-Federation             | SAML 2.0                  | Notes
--------------------------|---------------------------|---------------------------|---------
Server Address            | Server Address            | Server Address            | Required
Relying Party Identifier  | Relying Party Identifier  | Relying Party Identifier  | Required
Endpoint URL Path         | Endpoint URL Path         | Endpoint URL Path         |
Identity Metadata URL     | Identity Metadata URL     | Identity Metadata URL     | Required
Token Signing Certificate | Token Signing Certificate | Token Signing Certificate | Required
Client ID                 |                           |                           | Required
Client Secret             |                           |                           |
Redirect URI              |                           |                           | Required
                          |                           | Decryption Key            |

Note

You may want to keep the AD FS management snap-in open alongside a browser window with an active HMP session to make it easier to copy and paste information between the two.

  1. In the HMP web UI, under System Settings > Directory Services > Single Sign-on, enable Single Sign-On, and specify SAML2 as the Sign-in Protocol.
  2. Enter the IP address or hostname of the AD FS server.
  3. Optionally, specify a Sign-out URL. See Logout Redirect.
  4. In the AD FS management snap-in, find the Relying Party Identifier by opening the Properties window for the Relying Party Trust you defined earlier:


    Note

    Note the format of the Relying party identifier, which should be the same for all HMP servers:

    https://[HMP]/sso/callback
    where [HMP] is the hostname + domain name of the HMP server or its IP address.


  5. Ensure the "Set the trusted URL as default" checkbox is enabled for the SSO endpoint:
  6. Enter the Relying party identifier (callback) URL in the corresponding field in the HMP server's Single Sign-On configuration settings:
  7. The Endpoint URL Path can be obtained from the AD FS snap-in:

    Tip

    If this is empty, HMP assumes that the default AD FS endpoint should be used (/adfs/oauth2 for OAuth, /adfs/ls for WS-Fed or SAML).

  8. The Identity Metadata URL is always hosted on the AD FS server with the same URL. For example: https://myadfs.example.com/federationmetadata/2007-06/federationmetadata.xml
  9. On HMP, you may enter a Token Signing Certificate, which comes from the primary AD FS server. You can view it from the AD FS snap-in under Service > Certificates > Token Signing (the example below is from Haivision's own AD FS server):
  10. You will need to export a copy of this certificate for HMP. Right-click on the Token-signing certificate and choose View Certificate:
  11. Under the Details tab, click Copy to File:
  12. Click Next to open the Certificate Export Wizard:
  13. Choose Base-64 encoded X.509 (.CER) as the export format:
  14. Click Next to save the certificate, and then click Finish to complete the export.
  15. Open the certificate file in a text editor:
  16. Copy the entire text and paste it into the Token Signing Certificate field in the HMP Single Sign-On settings (see screenshot in Step 6). Make sure there are no trailing spaces or blank lines.

Note

Remember to save your settings on the HMP server.
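Steps 8 and 16 hinge on two things that are easy to get wrong: the token-signing certificate the AD FS server actually publishes in its federation metadata, and the exact text pasted into the Token Signing Certificate field. The following Python is an added example, not Haivision or Microsoft code: it parses a constructed federation-metadata fragment (fake certificate body, not a real AD FS certificate), renders the signing certificate in the Base-64 encoded X.509 (.CER) format step 13 selects, and checks that a pasted certificate, after removing the trailing spaces and blank lines step 16 warns about, is one of the identity provider's published signing certificates.

```python
import base64
import re
import textwrap
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample of what AD FS publishes at
# /federationmetadata/2007-06/federationmetadata.xml (trimmed to one
# signing KeyDescriptor). The certificate body is fake base64, not a real cert.
FAKE_CERT_B64 = base64.b64encode(b"not-a-real-token-signing-certificate" * 4).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}"
    entityID="http://myadfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def signing_certs_from_metadata(xml_text: str) -> list:
    """Base64 bodies of every certificate under a KeyDescriptor use="signing"."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append(re.sub(r"\s+", "", cert.text or ""))
    return certs

def to_pem(cert_b64: str) -> str:
    """Render a certificate body as Base-64 encoded X.509, no trailing newline."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

def normalize_pasted_cert(text: str) -> str:
    """Drop trailing spaces and blank lines from text pasted into the HMP field."""
    return "\n".join(ln.rstrip() for ln in text.splitlines() if ln.strip())

def pasted_cert_matches_metadata(pasted: str, xml_text: str) -> bool:
    """True when the pasted PEM is one of the IdP's published signing certs."""
    clean = normalize_pasted_cert(pasted)
    m = re.fullmatch(r"-----BEGIN CERTIFICATE-----\n(.+)\n-----END CERTIFICATE-----", clean, re.S)
    if not m:
        return False
    return re.sub(r"\s+", "", m.group(1)) in signing_certs_from_metadata(xml_text)
```

Against a live deployment, replace SAMPLE_METADATA with the document fetched from your own Identity Metadata URL; if the check fails after an AD FS certificate rollover, the Token Signing Certificate on HMP needs to be re-exported.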

Since HMP users will be authenticated via your AD FS system, you may want to adjust your "Web SSO Lifetime" setting to control their access. The following example is from Haivision's own AD FS server.
