Step-by-Step Procedure: Installing and Configuring ADFS 2.0 to work with Zoho Vault

This document contains the steps for installing and configuring AD FS 2.0 to work with Zoho Vault.

ADFS 2.0 Installation Procedures:

Step-1: Download and execute ADFSSetup.exe

Step-2: Click 'Next'.

Step-3: Accept the License Agreement and click 'Next.'

Step-4: Select Federation Server and click 'Next.'

Step-5: Click 'Next.'

Step-6: Clear the check box 'Start the AD FS 2.0 ...' and then click 'Finish.'

Step-7: Navigate to the AD FS installation directory (by default C:\Program Files\Active Directory Federation Services 2.0), take a backup copy of the file "Microsoft.IdentityServer.ServiceHost.exe.config", and open it in WordPad.

Step-8: Insert the required line (shown in the screenshot for this step), save the file and close WordPad.

Step-9: Double click on FsConfigWizard.exe

Step-10: Select “Create a new Federation Service” and click Next

Step-11: Select “Stand-alone Federation server” and click Next

Step-12: The federation service name is filled in by default from the SSL certificate installed on the IIS server. Check that it is the name users will see in the browser, then click 'Next.'

Step-13: If a "Delete database" option is shown, select it and click 'Next.'

Step-14: Click 'Next.'

Step-15: The wizard completes the configuration (as shown in the screenshot for this step).

How to run the PowerShell script for configuring AD FS 2.0

The PowerShell script for configuring AD FS 2.0 is available at:

"https://www.zoho.com/vault/20616/adfsscript.ps1"

Step-1: Download adfsscript.ps1 and save it to the C:\ drive of the AD FS server. Because it will run with administrator rights on the federation server, read through it before running it.

Step-2: Go to the Start menu, right-click "Command Prompt" and click "Run as Administrator."

Step-3: Type the following commands:

  • powershell
  • Set-ExecutionPolicy RemoteSigned
  • C:\adfsscript.ps1

Step-4: Make sure the PowerShell script ran successfully. Any errors encountered while running the script are printed in red in the console.

Step-5: If you are unable to set the execution policy to RemoteSigned because a domain Group Policy enforces a different policy, the policy has to be changed in that Group Policy on your domain controller.

Refer to this article on setting the execution policy through Group Policy: (http://www.techrepublic.com/blog/datacenter/set-the-powePrshell-executionpolicy-via-group-policy/3305)

After running the PowerShell script, go to the Zoho Vault SAML configuration page and enter the Login URL, the Logout URL, the certificate (the script saves it at C:\certificate.cer) and the signature algorithm. The screenshot for this step shows the values to fill in. The .cer file contains only the public token-signing certificate, which Zoho Vault needs to verify the signature on the SAML assertions; the private key stays on the AD FS server.
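The procedure above, carried out as one script with the checks an AD FS administrator would want before handing values to Zoho Vault. This is an added example, not part of this document and not the contents of adfsscript.ps1. It assumes the script was saved to C:\adfsscript.ps1 as instructed, that the AD FS 2.0 snap-in Microsoft.Adfs.PowerShell is installed with AD FS 2.0, and that the login and logout URL Zoho Vault expects is the standard AD FS 2.0 SAML endpoint https://<federation service name>/adfs/ls/, which the document itself does not state. It is written for the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the Zoho Vault document, not adfsscript.ps1 itself).
# Runs the downloaded configuration script with sanity checks, then collects
# the values the Zoho Vault SAML configuration page asks for.
# Assumptions: script at C:\adfsscript.ps1 (per the document), the AD FS 2.0
# snap-in Microsoft.Adfs.PowerShell is present, and the SAML endpoint is the
# standard https://<federation-service-name>/adfs/ls/ (not stated on the page).

$ScriptPath = 'C:\adfsscript.ps1'
$CertOut    = 'C:\certificate.cer'   # path the document tells you to upload to Zoho Vault

# 1. The script must run elevated; stop early rather than half-configure AD FS.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open the prompt with "Run as Administrator" and try again.'
}

# 2. Look before you run. A federation server is a Tier 0 asset, so record
#    exactly what was executed: SHA-256 of the file and its Authenticode status.
$sha256 = New-Object Security.Cryptography.SHA256Managed
$hash   = [BitConverter]::ToString($sha256.ComputeHash([IO.File]::ReadAllBytes($ScriptPath))) -replace '-', ''
$sig    = Get-AuthenticodeSignature $ScriptPath
Write-Host "Script SHA-256 : $hash"
Write-Host "Signature      : $($sig.Status)"   # NotSigned is expected for a plain download
Write-Host 'First lines    :'
Get-Content $ScriptPath -TotalCount 20          # skim the script before running it

# 3. Relax the execution policy for this process only, instead of the
#    machine-wide change in Step-3. A domain GPO (MachinePolicy scope) wins
#    over every other scope; that is the case Step-5 of the document covers.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force
$effective = Get-ExecutionPolicy
if ($effective -ne 'RemoteSigned' -and $effective -ne 'Unrestricted' -and $effective -ne 'Bypass') {
    throw "Effective execution policy is '$effective' (enforced by Group Policy); change it in the GPO as in Step-5."
}

# 4. Run the script and treat any error, not only a terminating one, as failure,
#    so a single red line in the middle of the output cannot be missed.
$Error.Clear()
try { & $ScriptPath } catch { Write-Host "Script stopped: $_" -ForegroundColor Red }
if ($Error.Count -gt 0) {
    $Error | ForEach-Object { Write-Host "ERROR: $_" -ForegroundColor Red }
    throw "adfsscript.ps1 reported $($Error.Count) error(s); fix them before configuring Zoho Vault."
}

# 5. Collect what the Zoho Vault SAML page needs.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$fs       = Get-ADFSProperties
$loginUrl = "https://$($fs.HostName)/adfs/ls/"   # assumed endpoint; confirm on the Zoho Vault SAML page

# Export only the public half of the primary token-signing certificate (DER).
# Zoho Vault uses it to verify assertion signatures and never needs the private key.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($CertOut, $der)

Write-Host ''
Write-Host "Login / Logout URL      : $loginUrl"
Write-Host "Certificate file        : $CertOut"
Write-Host "Cert thumbprint         : $($signing.Certificate.Thumbprint)"
Write-Host "Cert valid until        : $($signing.Certificate.NotAfter)"
Write-Host "AutoCertificateRollover : $($fs.AutoCertificateRollover)"
Write-Host 'Relying party trusts now configured:'
Get-ADFSRelyingPartyTrust | Select-Object Name, Identifier | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the federation server. Two points worth noting from the output: the thumbprint lets you confirm that the certificate you upload to Zoho Vault is the one AD FS is actually signing with, and when AutoCertificateRollover is True (the AD FS 2.0 default) the token-signing certificate is replaced automatically before it expires, after which the new public certificate has to be uploaded to Zoho Vault again or logins will fail signature verification.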

Disabling SAML Authentication:

The super admin (usually the user who first signed up for Zoho Vault) can log in to the service at "www.vault.zoho.com" using the Zoho account credentials (the password chosen at sign-up) instead of AD credentials. Because this login does not go through AD FS, it remains available as a fallback even when SAML is enabled, so protect the super admin's Zoho password accordingly.

  • After logging in, go to Admin ---> AD/LDAP Configuration -> SAML Configuration page and delete the configuration.
  • This disables SAML authentication for the organization.
  • If you supplied a default password when importing users with the Provisioning App, those users can log in with it. Users without a default password click the "Forgot Password" link on the login page to receive a mail and set a new password.

The Provisioning App does not import passwords from AD, so imported users have no password in Zoho Vault unless a default password was supplied at import. If you plan to disable SAML authentication and fall back to Zoho Vault authentication, these users need a password to log in, so they have to click the "Forgot Password" link on the login page to receive a mail and set a new one.

Authenticating external users

Since SAML authentication works through browser-based redirection, you are redirected to a system on your intranet during authentication