SSO - ADFS

Wiki HomeTitle Index

How to setup ADFS as your Identity Provider

Enable Forms Authentication in ADFS

Forms Authentication must be enabled within ADFS for it to generate a SAML assertion to your digital workplace. For more information about Forms Authentication, Configure the AD FS server for claims-based authentication (Microsoft).

1. Log on to the ADFS server with Administrator credentials

2. Open the ADFS management console and select Authentication Policies

The Authentication Policies window.

3. Click the Edit link associated with Authentication Methods

While on the Authentication Policies page this link can be found under the following section: Primary Authentication -> Global Settings -> Authentication Methods.

The edit button.

4. Under the Intranet section, verify that Forms Authentication has been enabled

If there is no check in the box next to Forms Authentication it has not been enabled. Click the box to enable this setting. Click the Apply button located at the bottom of the window to have this change take effect.

The Forms Authentication option.

Create a Relying Party Trust in ADFS

A Relying Party Trust is required to allow ADFS to identify your workplace as a resource partner organization. For more information, see Create a Relying Party Trust (Microsoft).

1. On the Select Data Source page in ADFS, select the option Enter data about the relying party manually

The Enter date about the relying party manually option.

2. On the Specify Display Name page, enter the workplace URL as the Display Name

The display name.

3. On the Choose Profile page, select the ADFS Version to use

If you are using Windows 2003 or older select ADFS 1.0 and 1.1, otherwise use the default which is ADFS profile.

The profile page options.

4. On the Configure Certificate page, click next

The assertion must be unencrypted.

5. On the Configure URL page, select Enable support for the SAML 2.0 WebSSO

If there is no check in the box next to Enable support for the SAML 2.0 WebSSO it has not been enabled. Click the box to enable this setting.

The Enable support for the SAML 2.0 WebSSO protocol option.

6. Still on the Configure URL page, enter your workplace's SAML endpoint URL in the text field Relying party SAML 2.0 SSO service URL

This will always take the form:
http://{your workplace URL}/saml.digest

The service URL field.

7. On the Configure Identifiers page, enter your workplace's SAML endpoint URL as the Relying party trust identifier

This will always take the form:
http://{your workplace URL}/saml.digest

The party trust identifier field.

8. On the Choose Issuance Authorization Rules page, select Permit all users to access the relying party

The Permit all users to access the relying party option.

9. Review the settings, and click Finish

Clicking finish will automatically open the claim rules area. This is typically the next step of setting up ADFS as your Identity Provider.

Create Claim Rules in ADFS

Claim Rules control what information is passed in the SAML assertion to your workplace. These must pass name, last name, email and nameID values. For more information, see Configure the AD FS server for claims-based authentication (Microsoft)

1. Select the Edit Claim Rules option found in ADFS, and then click Add Rule

The Add Rule button.

2. Select the rule template Send LDAP Attributes as Claims

The claim rule template selector.

3. Give the rule a name

The claim rule name field.

4. Select the Active Directory (AD) as the attribute store

The attribute store selector.

5. Map AD attributes to outgoing claims

The LDAP attribute dropdown will allow the selection of specific attributes within the AD, map them to the outgoing claim. For optimal results, provide the following mappings:

  • Given-Name to FName
  • Surname to LName
  • Email Addresses to Email
  • Email Addresses to NameID

Click Finish to create these claims.

Where to find Signing Token / X.509 Certificate

A connection requires an AD FS token-signing certificate that's passed in the assertion. This certificate is also referred to as the X.509 Certificate. To find this certificate within AD FS, navigate to Service and select Certificates. Download the Token-signing certificate and open it in a text editor to view it. For more information, see ADFS Certificates - SSL, Token Signing, and Client Authentication Certs (Microsoft).

The list of certificates.

Workplace Configuration

General information about your workplace's SAML configuration page can be found in our article SSO - SAML Authentication.

1. Select the Sign In Settings page from the Site Control Panel

The sign in settings option of the control panel.

2. Click the Configure SAML Authentication link

The Configure SAML Authentication button.

3. Complete the General Configuration fields

Connection Name: Mandatory field that is used to identify the connection. IdP Login URL: The ADFS login URL will typically follow the structure below.

https://servername.yourdomain.com/adfs/ls/idpinitiatedsignon.aspx

IdP Logout URL: This is the URL to which your site will send logout information. This URL will typically follow the structure below.

https://servername.yourdomain.com/adfs/ls/idpinitiatedsignon.aspx/?wa=wsignout1.0

Logout Response and Request HTTP Type: Select Basic.

Logout Final Redirect URL: Enter a URL for your IDP to redirect users to after logout has been completed.

Binding Type: Select Post.

Public Certificate: Copy the certificate that was downloaded in the Where to find Signing Token / X.509 Certificate section of this document.

The General Configuration section.

4. Complete the Response and Authentication Configuration fields

Identity Provider: Select Microsoft ADFS from the dropdown menu.

Note: If you are using ADFS 4.0, select Other as the Identity Provider. Change the Identifier Path to:

/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="NameID"]/saml:AttributeValue

You can then change the Identity Provider back to Microsoft ADFS.

Identifier Type: Select Email Address. This assumes that the NameID value has been set to Email Addresses, as described in Step 5 of the Create Claim Rules in ADFS instructions found above.

Attributes: These attributes should match the ADFS mapped claims. Based on Step 5 of the Create Claim Rules in ADFS instructions found above, these would be:

    /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="Email"]/saml:AttributeValue
    /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="FName"]/saml:AttributeValue
    /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="LName"]/saml:AttributeValue

Drift Time: This can be left at its default time of 5 seconds. For troubleshooting, this value can be increased if there is concern that network latency could be causing authentication issues.

The Response and Authentication section.

5. Enable/Disable SAML provisioning of new members

Select how your digital workplace handles users who attempt to sign in to your digital workplace when they have valid credentials but are not members of the workplace. 

If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts.

The user creation on sign in option.

6. Set how members navigate to the SSO sign in page

Use SAML button on "Sign in" screen: Adds a SSO sign in button to the Igloo Authentication page.

Redirect all users to IdP: Automatically redirects members to your ADFS sign in page if they attempt to access the workplace without an existing session.

The sign in settings option.

7. Click Save to apply these changes

Additional Resources

0 Comments

Sorry, comments are closed.
  • 4,494 views
  • 0 previews
  • 23 versions
  • 0 comments
  • 2 followers
     
    2 members are following updates on this item.
Labels:

Authentication

Avg. Rating:
Updated By:
Jesse Langstaff
 
February 21, 2023
Posted By:
Jesse Langstaff
 
April 9, 2018
Versions:
v.23
Search this area
Viewed 4,494 times