Why use an authentication provider?
Some Interana users like to use an authentication provider instead of the standard Interana password authentication flow. The benefits of using an auth provider include exercising more control over which users in your organization can register for Interana and providing a single sign-on method for Interana and other applications you use.
Before you start...
Make sure you've spoken with your customer success manager to determine which authentication provider best fits your needs. Your CSM will also give you two pieces of information that you will need before you start: the Sign-On URL and the AppID.
Microsoft ADFS Configuration
Now you're ready to set up your ADFS application!
Create a New ADFS Application
1. Log in to the Windows Domain Controller
2. Open Start > Administrative Tools > AD FS Management
3. Click on Trust Relationships > Relying Party Trusts
4. Click Add Relying Party Trusts
5. At the Welcome screen, click Start
6. If there is a certificate, browse to it
7. Leave the "Configure URL" fields empty, and click Next
8. Under Relying Party Trust Identifiers, you will need to enter two URLs that depend on the DNS of your Interana instance:
1. https://< Interana Instance DNS >/api/metadata
2. https://< Interana Instance DNS >/api/metadata/<AppID>
For example, if your Interana instance is at https://dianescoolcompany.interana.com and your AppID is adfs, you should enter:
9. Choose not to configure multi-factor authentication, then click Next
10. Select "Permit all users access to this relying party," then click Next
11. Click Next again to complete the application setup process
Now you need to add two endpoints to your new ADFS application.
1. Double-click on your new ADFS app to show its properties
2. Click on EndPoints, then click Add
3. Configure your first endpoint by setting Binding to Artifact, Index to 0, and Trusted URL to the Sign-On URL that your CSM gave you. Click OK to finish.
4. Click Add again to add a second endpoint. For this one, set Binding to POST, Index to 1, and Trusted URL to the Sign-On URL.
5. Click OK until you've closed the Properties for the new Relying Party Trust
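To confirm the identifiers and endpoints from PowerShell on the AD FS server, the following read-only check is an added example, not Interana's own tooling. It uses the example instance and AppID from this page; the trust display name and the Sign-On URL value are placeholders you must replace.

```powershell
# Added example: read-only audit of the relying party trust built in the steps above.
$InstanceDns = 'dianescoolcompany.interana.com'      # example instance from this page
$AppId       = 'adfs'                                # example AppID from this page
$TrustName   = 'Interana'                            # assumption: the display name you chose
$SignOnUrl   = 'https://SIGN-ON-URL-FROM-YOUR-CSM'   # placeholder: value supplied by your CSM

# Identifiers from step 8 and endpoints from the endpoint steps.
$expectedIds = @(
    "https://$InstanceDns/api/metadata",
    "https://$InstanceDns/api/metadata/$AppId"
)
$expectedEndpoints = @(
    @{ Binding = 'Artifact'; Index = 0 },
    @{ Binding = 'POST';     Index = 1 }
)

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "No relying party trust named '$TrustName' was found." }

$problems = @()
$wantUrl  = $SignOnUrl.TrimEnd('/')

# Every expected identifier must be present, and nothing extra should be trusted.
foreach ($id in $expectedIds) {
    if ($trust.Identifier -notcontains $id) { $problems += "Missing identifier: $id" }
}
foreach ($id in $trust.Identifier) {
    if ($expectedIds -notcontains $id) { $problems += "Unexpected identifier: $id" }
}

# Both endpoints must exist with the documented binding and index, pointing at the Sign-On URL.
foreach ($e in $expectedEndpoints) {
    $match = $trust.SamlEndpoints | Where-Object {
        $_.Binding -eq $e.Binding -and $_.Index -eq $e.Index -and
        $_.Location.ToString().TrimEnd('/') -eq $wantUrl
    }
    if (-not $match) { $problems += "Missing $($e.Binding) endpoint at index $($e.Index)" }
}

# Any endpoint that sends assertions somewhere other than the Sign-On URL is a finding.
foreach ($ep in $trust.SamlEndpoints) {
    if ($ep.Location.ToString().TrimEnd('/') -ne $wantUrl) {
        $problems += "Endpoint points elsewhere: $($ep.Location)"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Relying party trust '$TrustName' matches the documented settings." }
```

The script only reads configuration; it does not check the claim rules, which are configured in the next section.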
Edit Claim Rules
Now we need to add two claim rules to our application.
1. With your new Trust still selected, click Edit Claim Rules
2. Click Add Rule
3. The first rule we'll add is a Get-Attribute. Select "Send LDAP Membership as Claim" from the dropdown, then click Next. Next to Claim Rules, fill out the fields based on this screenshot:
4. Click Finish
5. Click Add Rule again to add the second rule
6. Under "Claim Rule Template," select "Transform an incoming claim"
7. Fill out the information according to this screenshot:
8. Click Finish
Don't forget to send us your Federation Metadata Document! Once we have that, we can get everything hooked up on our side. We will work with you to plan a time to switch over to the new authentication flow and have someone on your team validate that everything is working properly.