
Prerequisites

  • Ensure that you have a Vantage tenant identifier before configuring identities. To get a tenant identifier, click Configuration in ABBYY Vantage. The identifier is on the General tab.
  • Create a Redirect URI to receive the authentication responses. The URI is:
    https://<your-vantage-url>/auth2/Saml2/Acs

Setup

The setup process consists of the following steps:

Adding a claim description

1. Open the management console: open the AD FS management console.

2. Open Add Claim Description: select Service > Claim Descriptions, then click Add Claim Description.

3. Fill in the claim description. Specify the following:
  • Display name: for example, Persistent Identifier.
  • Claim type: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
  • Select Publish this claim description in federation metadata as a claim type that this federation service can accept.
  • Select Publish this claim description in federation metadata as a claim type that this federation service can send.
  [Screenshot: AD FS Add Claim Description dialog with display name and Persistent Identifier claim type fields]

4. Confirm: click OK.

Now you can control how user attributes are mapped between different systems.

Configuring a relying party trust

To create an AD FS relying party trust, follow these steps:

1. Add a Relying Party Trust: in the console tree, under AD FS, select Trust Relationships > Relying Party Trusts > Add Relying Party Trust.

2. Start the wizard: on the Welcome page, choose Claims aware and click Start.

3. Select the data source: on the Select Data Source page, select Enter data about the relying party manually, then click Next.

4. Specify a display name: on the Specify Display Name page, enter any name in Display Name, then click Next.

5. Choose the profile: on the Choose Profile page, select the AD FS 2.0 profile, then click Next.

6. Configure the certificate: on the Configure Certificate page, click Next.

7. Configure the URL: on the Configure URL page, select Enable support for the SAML 2.0 WebSSO protocol. Under Relying party SAML 2.0 SSO service URL, enter https://<your-vantage-url>/auth2/Saml2/Acs, then click Next.

8. Configure identities:
  • Under Relying party trust identifier, enter api://platform.abbyy.cloud/tenantId, where tenantId is the tenant identifier in GUID format without hyphens (for example, 117489fc1aea41658369d4d18d6557ga). This value will be used as the Application ID URI for authentication. Copy this value — you’ll need it when configuring the External Identity Provider in Vantage. Click Add.
  • In the Expose an API tab, set the Application ID URI to the same value you entered above (for example, api://cccc3333-dddd-4444-eeee-5555ffff6666). Click Add, then click Next.

9. Choose Issuance Authorization Rules: to grant Vantage access to all users, select Permit all users to access this relying party. To restrict access to a specific group, select Permit specific group and specify the group. Click Next.

10. Add the trust: on the Ready to Add Trust page, review the settings. Click Next, then click Close.

A trust relationship between an Identity Provider and ABBYY Vantage is established.
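The two procedures above (the claim description and the relying party trust) can also be scripted with the AD FS PowerShell module, which is useful for repeatable builds and for reviewing what was actually configured. The following is an added example, not ABBYY's or Microsoft's own script; the trust name "ABBYY Vantage", the group SID and the values in angle brackets are placeholders you must replace. It runs in an elevated session on the AD FS server.

```powershell
# Added example (not from the ABBYY page): scripts "Adding a claim description"
# and "Configuring a relying party trust". Placeholders are in angle brackets.
Import-Module ADFS

$vantageUrl = 'https://<your-vantage-url>'          # placeholder: your Vantage host
$tenantId   = '<tenantId>'                           # placeholder: tenant GUID without hyphens
$identifier = "api://platform.abbyy.cloud/$tenantId" # relying party trust identifier
$acsUrl     = "$vantageUrl/auth2/Saml2/Acs"          # Redirect URI from Prerequisites

# 1. Claim description for the persistent NameID format, published in the
#    federation metadata as both accepted and offered (step 3 of the first procedure).
$nameIdFormat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
if (-not (Get-AdfsClaimDescription -ClaimType $nameIdFormat -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimDescription -Name 'Persistent Identifier' `
        -ClaimType $nameIdFormat -IsAccepted $true -IsOffered $true
}

# 2. SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding), i.e. the
#    "Relying party SAML 2.0 SSO service URL" of step 7.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# 3. Issuance authorization (step 9): either everyone, or one AD group by SID.
#    Pick one rule set; <group-SID> is a placeholder.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$permitGroup = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit Vantage users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)<group-SID>$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# 4. Create the trust (steps 1-10). No request-signing certificate is set,
#    matching "Configure Certificate: click Next" in the wizard.
Add-AdfsRelyingPartyTrust -Name 'ABBYY Vantage' `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $permitAll   # use $permitGroup to restrict access

# 5. Check what AD FS stored: identifier, enabled state and the ACS location.
Get-AdfsRelyingPartyTrust -Name 'ABBYY Vantage' |
    Select-Object Name, Identifier, Enabled, @{n = 'AcsUrl'; e = { $_.SamlEndpoints.Location }}
```

Restricting the trust to a group (the `$permitGroup` rule set) is the least-privilege option: only members of that group receive a permit claim, so a valid domain account outside the group cannot sign in to Vantage through this trust.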

Adding rules to transform an incoming claim

To apply rules to transform an incoming claim, follow these steps:

1. Open Relying Party Trusts: click Relying Party Trusts.

2. Edit the Claim Issuance Policy: right-click the selected trust, then click Edit Claim Issuance Policy.

3. Add a rule: in the Edit Claim Issuance Policy for <name> window, click Add Rule.
  [Screenshot: AD FS Edit Claim Issuance Policy dialog with Add Rule button for SAML claim rules]

4. Select the rule template: select the Transform an Incoming Claim claim rule template, then click Next.
  [Screenshot: AD FS Add Transform Claim Rule wizard with Transform an Incoming Claim template selected]

5. Configure the claim rule: select the Configure Claim Rule step, then specify the following:
  • Claim rule name: Transform Windows account name.
  • Incoming claim type: Windows account name.
  • Outgoing claim type: Name ID.
  • Outgoing name ID format: Persistent Identifier.
  • Select Pass through all claim values.
  [Screenshot: AD FS Configure Claim Rule step with Windows account name as incoming claim and Persistent Identifier as outgoing format]

6. Finish the first rule: click Finish.

7. Add a Send LDAP Attributes rule: add another rule to ensure that email and name claims are included in the issued token. On the Select Rule Template page, select Send LDAP Attributes as Claims under Claim rule template, then click Next.
  [Screenshot: AD FS Add Transform Claim Rule wizard with Send LDAP Attributes as Claims template selected]

8. Configure the LDAP rule: on the Configure Claim Rule page, select the Active Directory attribute store under Claim rule name, then click Finish.
  [Screenshot: AD FS Configure Claim Rule with Active Directory attribute store and email and name LDAP attribute mappings]

9. Verify the rules: the added rules are displayed in the Edit Claim Rules dialog.
  [Screenshot: AD FS Edit Claim Rules dialog showing both Persistent Identifier and Send LDAP Attributes as Claims rules]
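The two rules the wizard builds in steps 4 to 8 are ordinary AD FS claim rule language, so they can be applied and reviewed without the GUI. The following is an added example, not ABBYY's or Microsoft's own script: it assumes the trust is named "ABBYY Vantage", and the choice of LDAP attributes (mail, givenName, sn) for the email and name claims is an assumption, since the page does not list the exact mappings.

```powershell
# Added example (not from the ABBYY page): applies the "Transform an Incoming
# Claim" and "Send LDAP Attributes as Claims" rules to the Vantage trust.
Import-Module ADFS
$trustName = 'ABBYY Vantage'   # assumed display name of the relying party trust

# Rule 1 (steps 4-6): Windows account name -> Name ID with the persistent
# NameID format, passing the claim value through unchanged.
$transformRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Rule 2 (steps 7-8): look up mail, givenName and sn in the Active Directory
# attribute store and issue them as email, given name and surname claims.
# The attribute selection is an assumption, not taken from the page.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email and name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Set-AdfsRelyingPartyTrust replaces the entire issuance transform rule set,
# so both rules are concatenated and applied in a single call.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules ($transformRule + "`n" + $ldapRule)

# Verify (step 9): list the rule names now attached to the trust.
$rules = (Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
[regex]::Matches($rules, '@RuleName = "([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
```

Because `-IssuanceTransformRules` overwrites rather than appends, re-running the script is idempotent, but any rule added by hand in the console is dropped; review the output of the last two lines after each run.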

Next steps

Once AD FS is configured, connect it to your Vantage tenant. You’ll need the federation metadata document URL in the format https://<adfs-server-address>/federationmetadata/2007-06/federationmetadata.xml — for example, https://adfs.platform.local/federationmetadata/2007-06/federationmetadata.xml. For the Vantage-side setup, see Setting up an External Identity Provider for a tenant.
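Before handing the federation metadata URL to Vantage, it is worth confirming that the document is reachable and actually advertises what the procedures above configured: the expected entityID, the persistent NameID claim type among the offered claim types, and a token-signing certificate that is not about to expire. The following check is an added example, not part of the ABBYY page; the server address is a placeholder and the 30-day expiry threshold is an arbitrary choice.

```powershell
# Added example (not from the ABBYY page): sanity-check the AD FS federation
# metadata document before configuring the External Identity Provider in Vantage.
$metadataUrl = 'https://<adfs-server-address>/federationmetadata/2007-06/federationmetadata.xml'  # placeholder

$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$md = $resp.Content

# Namespaces used by AD FS metadata: SAML metadata, XML-DSig, WS-Federation.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md',   'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
$ns.AddNamespace('fed',  'http://docs.oasis-open.org/wsfed/federation/200706')
$ns.AddNamespace('auth', 'http://docs.oasis-open.org/wsfed/authorization/200706')

$entityId = $md.DocumentElement.GetAttribute('entityID')
$idp      = $md.SelectSingleNode('//md:IDPSSODescriptor', $ns)

# Claim types the federation service offers (where a published claim description appears).
$offered = $md.SelectNodes('//fed:ClaimTypesOffered/auth:ClaimType', $ns) |
    ForEach-Object { $_.GetAttribute('Uri') }

# Token-signing certificates published for the IdP role.
$signingCerts = $idp.SelectNodes('md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns) |
    ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($_.InnerText.Trim()))
    }

"entityID      : $entityId"
"claims offered: $($offered.Count)"
foreach ($c in $signingCerts) {
    "signing cert  : $($c.Subject)  thumbprint $($c.Thumbprint)  expires $($c.NotAfter)"
}

$persistent = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
if ($offered -notcontains $persistent) {
    Write-Warning 'Persistent Identifier claim type is not offered; check the claim description.'
}
if ($signingCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) }) {
    Write-Warning 'A token-signing certificate expires within 30 days; plan the rollover before go-live.'
}
```

Vantage trusts whatever signing certificate this document advertises, so the thumbprint printed here is the value to compare against the AD FS token-signing certificate shown in the management console, and an unexpected change to it after setup is worth investigating.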
