Make sure to read System Requirements prior to proceeding
¶ Choose your package
SystoLOCK provides two modules for AD FS integration: AD FS Adapter and AD FS Identity provider. There is a difference in how they handle SAML and in compatibility with AD FS releases. AD FS Adapter only works on Windows Server 2019 and up, while the Identity Provider is also compatible with earlier versions of AD FS, but relies on IIS being installed.
Also, if you plan to use applications with compartmentalized logins that require specific authentication context, such as Microsoft Office 365 Apps for mobile and Windows and similar, AD FS Adapter is most likely not the right choice and you should go for the Identity Provider.
You can install both AD FS Adapter and AD FS Identity Provider on the same machine and configure their usage differentiation via ADFS policies.
¶ Install the Binaries
- Obtain the latest MSI package for the Adapter or Identity Provider
- Locate your server with AD FS role installed
- Make sure your AD FS role properly configured
- For the Identity Provider, make sure IIS is installed alongside AD FS and the site you are going to use is configured for HTTPS
- Make sure you belong to Local
Administratorsgroup - Start the installation by invoking the corresponding package
- Observe any error message the installer my yield.
- Repeat on every AD FS server in AD FS farm, if any.
¶ Post-installation Tasks
Both packages require configuration and fine tuning after installation.
¶ AD FS Adapter
The installer adds SystoLOCK to both Internet and Intranet groups of policies on AD FS server and opens AD FS management console upon completion:
Please, review the settings for primary extranet and intranet authentication settings and change them according to you requirements. Restart AD FS service after making any changes to the policies.
¶ AD FS Identity Provider
- Configure your IIS site properly, configure an SSL binding and test its accessibility over HTTPS.
- Open an elevated PowerShell console and navigate to
C:\Program Files\Systola\SystoLOCK\Identity Provider\Scripts. - Obtain your server's FQDN as seen from AD FS and make sure it is listed in the SSL certificate bound to the site.
- Obtain the thumbprint of a trusted certificate installed on the server, for example, by issuing the following command:
ls Cert:\LocalMachine\My - If you have sites other than default running with your IIS installtion, determine the site you want to install the Identity Provider into and whether you want it to be run from the root of the site or from a virtual subdirectory. The next example assumes the default site and running from root of the site.
- Configure the Identity Provider by issuing the following command:
.\Install-SystoLockIdp.ps1 -DefaultSite -InstallInRoot -SigningCertificate <Thumbprint from above> -WebFQDN <FQDN from above>. - Observe any errors, correct them and repeat the script as necessary. Issue
Get-Help .\Install-SystoLockIdp.ps1to learn about the different options and their usage and also how to install into other sites and paths. - If you later need to update your settings, you may run the script again, supplying only the parameters that have changed.