Mobile Endpoint Security

Lookout Product Documentation


Setting Up ADFS

  1. Create a new Relying Party trust for the Lookout Service Provider in ADFS:
    1. Open the ADFS Management tool.
      This is typically located under Control Panel > System and Security > Administrative Tools.
    2. In the left folder list, right-click Relying Party Trusts and click Add Relying Party Trust…
      The Add Relying Party Trust Wizard appears.

    3. On the Welcome screen, click Claims aware, then click Start.
    4. On the Select Data Source screen, click Import data about the relying party from a file and select your Lookout Service Provider metadata file (SAML metadata XML).
      This file is provided by Lookout during setup. Importing it sets the relying party identifier, the assertion consumer endpoints and the Lookout certificates, so none of these need to be entered by hand.

    5. On the Specify Display Name screen, enter a Display name, then click Next.
    6. On the Choose Access Control Policy screen, select the policy that governs which users may sign in to Lookout (for example, Permit everyone), then click Next.
    7. On the Ready to Add Trust screen, review the identifiers, endpoints and certificates imported from the Lookout metadata file, then click Next.
    8. Click Next again, then click Finish.
      Your configuration appears in the Relying Party Trusts list.
  2. Configure and map the required Lookout attributes in the outgoing SAML assertion:
    1. Right-click your Lookout relying party trust, click Edit Claim Issuance Policy…, then click Add Rule.
    2. Select Send LDAP Attributes as Claims, then click Next.
    3. Name the rule lookout-ldap-attributes, leave the Attribute store set to Active Directory, and add the following mappings. The Outgoing Claim Type values are custom names expected by Lookout; type them into the combo box exactly as shown rather than picking a built-in claim type.

      LDAP Attribute        Outgoing Claim Type   Description
      Surname               sn                    The user's last name.
      Given-Name            givenname             The user's first name.
      User-Principal-Name   mail                  The user's email address.

      The mail claim is filled from the UPN, which assumes every user's UPN is also their email address. If your UPN suffix differs from your email domain, map the E-Mail-Addresses LDAP attribute to mail instead.
    4. Click OK.
  3. Configure the Lookout ent attribute:
    1. Click Add Rule, then select Send Claims Using a Custom Rule and click Next.
    2. Name the rule lookout-ent and copy the following into the Custom rule body, replacing the placeholder with the ent GUID Lookout provided to you. The rule has no condition, so the claim is issued for every user who authenticates to this trust:
      => issue(Type = "ent", Value = "<Your Lookout ent GUID>");
    3. Click OK.
  4. Configure the Lookout upn attribute:
    1. Click Add Rule, then select Send Claims Using a Custom Rule and click Next.
    2. Name the rule lookout-upn and copy the following into the Custom rule body exactly as shown. The windowsaccountname claim type is a fixed URI that ADFS issues for the authenticated user; do not replace it with your own account name. The rule looks up that user's mail attribute in Active Directory and issues it as the upn claim:
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
       => issue(store = "Active Directory", types = ("upn"), query = ";mail;{0}", param = c.Value);
    3. Click OK.
    4. Click Add Rule, then select Transform an Incoming Claim and click Next.
    5. Name the rule lookout-upn-to-nameId and set the following:

      Field                           Value
      Incoming claim type:            upn (type it in; it must match the Type issued by the lookout-upn rule, not the built-in UPN claim type URI)
      Outgoing claim type:            Name ID
      Outgoing name ID format:        Email
      Pass through all claim values   (Selected)
    6. Click OK.
  5. Configure the Lookout memberof attribute.
    This consists of three separate rules. The first two use add rather than issue, so the intermediate http://test.com/phase1 and http://test.com/phase2 claims stay inside the ADFS pipeline and never appear in the SAML assertion; only the final memberof claim is sent to Lookout.
    1. Click Add Rule, then select Send Claims Using a Custom Rule and click Next.
    2. Name the rule lookout-memberof-phase1 and copy the following into the Custom rule body exactly as shown (the windowsaccountname claim type is a fixed URI, not your own account name). It reads the user's memberOf attribute, which holds one distinguished name per directly assigned group; nested groups and the user's primary group are not included:
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
       => add(store = "Active Directory", types = ("http://test.com/phase1"), query = ";memberOf;{0}", param = c.Value);
    3. Click Finish.
    4. Click Add Rule.
    5. Select Send Claims Using a Custom Rule and click Next.
    6. Name the rule lookout-memberof-phase2 and copy the following into the Custom rule body. It removes everything from the first comma onward, leaving only the CN=GroupName component of each distinguished name:
      c:[Type == "http://test.com/phase1"]
       => add(Type = "http://test.com/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));
    7. Click Finish.
    8. Click Add Rule.
    9. Select Send Claims Using a Custom Rule and click Next.
    10. Name the rule lookout-memberof and copy the following into the Custom rule body. It strips the leading CN= and issues the bare group name as the memberof claim:
      c:[Type == "http://test.com/phase2"]
       => issue(Type = "memberof", Value = RegExReplace(c.Value, "^CN=", ""));
    11. Click Finish.
      The phase-2 pattern cuts at the first comma whether or not it is escaped, so a group whose name itself contains a comma (for example CN=Finance\, EMEA,OU=...) is sent truncated. Check the memberof values in a test assertion before relying on them for access decisions.
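The whole procedure above as one script, added here as an example; it is not Lookout's code and does not appear on the original page. It creates the relying party trust from the metadata file and installs the claim rule language equivalent of the rules the wizard steps produce, then previews what the memberof rule chain emits. The metadata file path, display name, access control policy name and the ent GUID placeholder are assumptions to replace before running; the sample memberOf values are constructed, not taken from a directory.

```powershell
# Added example, not Lookout's own code or page content: the same Relying Party
# trust and claim rules as the wizard steps above, done with the ADFS PowerShell
# module on the federation server.
Import-Module ADFS

$MetadataFile = 'C:\Lookout\lookout-sp-metadata.xml'   # assumed path of the file Lookout provided
$DisplayName  = 'Lookout Mobile Endpoint Security'      # assumed display name
$Policy       = 'Permit everyone'                       # assumed access control policy
$EntGuid      = '<Your Lookout ent GUID>'               # value supplied by Lookout; replace before running

# Claim rule language equivalent of the rules the wizard steps create. The
# Active Directory lookups key on the windowsaccountname claim, a fixed URI
# that ADFS issues for the authenticated user.
$Rules = @'
@RuleName = "lookout-ldap-attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("sn", "givenname", "mail"), query = ";sn,givenName,userPrincipalName;{0}", param = c.Value);

@RuleName = "lookout-ent"
 => issue(Type = "ent", Value = "ENT_GUID_PLACEHOLDER");

@RuleName = "lookout-upn"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("upn"), query = ";mail;{0}", param = c.Value);

@RuleName = "lookout-upn-to-nameId"
c:[Type == "upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "lookout-memberof-phase1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://test.com/phase1"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "lookout-memberof-phase2"
c:[Type == "http://test.com/phase1"]
 => add(Type = "http://test.com/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));

@RuleName = "lookout-memberof"
c:[Type == "http://test.com/phase2"]
 => issue(Type = "memberof", Value = RegExReplace(c.Value, "^CN=", ""));
'@
$Rules = $Rules.Replace('ENT_GUID_PLACEHOLDER', $EntGuid)

# Step 1: create the trust from the metadata file. Identifiers, endpoints and
# the Lookout certificates come from the file, as in the wizard's import step.
if (-not (Get-AdfsRelyingPartyTrust -Name $DisplayName)) {
    Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataFile $MetadataFile `
        -AccessControlPolicyName $Policy
}

# Steps 2 to 5: install the issuance transform rules on the trust.
Set-AdfsRelyingPartyTrust -TargetName $DisplayName -IssuanceTransformRules $Rules

# Check: read back what ADFS stored. The rule text, the SAML endpoints and the
# signing certificate are all properties of the trust object.
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
$rp.IssuanceTransformRules
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.RequestSigningCertificate | Select-Object Subject, NotAfter

# Preview of what the three memberof rules emit for one user. ADFS RegExReplace
# uses the .NET regex engine, so [regex]::Replace applies the same patterns.
function Get-LookoutMemberOf {
    param([string[]]$MemberOfDns)
    foreach ($dn in $MemberOfDns) {
        $phase2 = [regex]::Replace($dn, ',[^\n]*', '')   # lookout-memberof-phase2
        [regex]::Replace($phase2, '^CN=', '')            # lookout-memberof
    }
}

# Constructed sample memberOf values (not taken from a real directory).
$sampleMemberOf = @(
    'CN=Mobile Users,OU=Groups,DC=example,DC=com',
    'CN=Finance\, EMEA,OU=Groups,DC=example,DC=com'    # escaped comma inside the CN
)
Get-LookoutMemberOf $sampleMemberOf
```

Run it elevated on an ADFS server, since the ADFS cmdlets talk to the local federation service. The preview function is the quick way to see the truncation caveat: the phase-2 pattern stops at the first comma regardless of the backslash escape, so the second sample group comes out cut off after the backslash, while the first comes out as the bare group name.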