You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Configure ADFS relying party


In this step, you should prepare a metadata file first. To perform this, please complete the steps below:

  1. Navigate to https://instance.example.com/v1/saml/metadata
  2. Copy the metadata into a new file with an XML extension (for example, ExampleComSSOMetadata.xml)
  3. Save the file.

To configure ADFS relying party, you need to:

  1. Log into your ADFS server and open the management console.
  2. Select Relying Party Trusts.
  3. Click Add Relying Party Trust on the top right and click Start.
  4. Select the Import data about the relying party from a file option.
  5. Specify a display name and type some notes if needed.
  6. Do not select any encryption certificate.
  7. Specify user permissions for this relying party. By default, all users are permitted. Click Next.
  8. Click Next again, and click Close. The new relying party trust appears.


The metadata link looking alike https://{your_instance_url}/v1/saml/metadata can be obtained on every instance with SSO onboard, regardless of any SAML connection existing.

Manual relying party trust creation


To create relying party trust manually, please complete the steps below:

  1. Log into your ADFS server and open the management console.
  2. Select Relying Party Trusts.
  3. Click Add Relying Party Trust on the top right and click Start.
  4. Specify the Enter data about the relying data manually option.
  5. Specify a display name and type some notes if needed.

  6. Do not select any encryption certificate.

  7. Select the Enable support for the SAML 2.0 WebSSO protocol
    1. Type https://instance.example.com/adfs/fs
  8. Specify relying parties identifiers
    1. Type https://instance.example.com/adfs/services/trust
  9. Specify user permissions for this relying party. By default, all users are permitted. Click Next.
  10. Click Next again, and click Close. The new relying party trust appears.

Configure ADFS relying party claim rules


To configure ADFS relying party claim rules, please complete the steps below:

  1. Log into your ADFS server and open the management console.
  2. Right-click the relying party trust created earlier.
  3. Select the Edit Claim Issuance Policy item.
  4. Click Add Rule.
  5. Select the Send LDAP Attribute as Claims option and click Next.
  6. Name the claim. for example, Get LDAP Attributes.
  7. Enter values as listed below:
    1. Attribute store = Active directory
    2. LDAP Attribute = E-Mail-Addresses
    3. Outgoing Claim Type = E-mail Address
  8. Click Finish.
  9. Click Add Rules again.
  10. Select the Transform an Incoming Claim option and click Next.
  11. Name the claim, for example, Email2Name.
  12. Set the Incoming claim type equal to the outgoing claim type in the previous rule. For example, Email Address.
  13. Set the values as listed below:
    1. Outgoing claim type = Name ID
    2. Outgoing name ID format = Email
  14. Choose the Pass through all claim values option.
  15. Click Finish.
  16. Click OK to close the window.


Create a SAML logout endpoint

Generally, SAML logout endpoint are created automatically within relying party trust creating. You can create or edit them manually if needed. To perform this, please complete the steps below:

  1. Log into your ADFS server and open the management console.
  2. Right-click the relying party trust created earlier.
  3. Click on the Endpoints tab.
  4. Click the Add SAML button.
  5. Enter values as listed below:
    1. Endpoint type = SAML Logout
    2. Binding = POST
    3. Trusted URL = https://instance.example.com/logout
  6. Click OK.

Create a SAML connection

To configure a SAML connection, please complete the steps below:

  1. Navigate to Single Sign-On → SAML Definition.
  2. Click New and fill in the fields
  3. Click Save or Save and Exit to apply changes.

SAML definition form fields

FieldMandatoryDescription
NameNSAML connection name
User fieldY

Specify a field in the User table containing information for user identification. Available options:

  • Email
  • Username
Active
Select this checkbox to make this connection active or inactive.
SAML Server Metadata tab
Metadata URLY

Specify the external URL provided by a service provider for authentication. By this address, an XML file containing the federation metadata is located.

Generally, in most cases, this file is named federationmetada.xml. Most of catalog services, like Active Directory, provide link to this file via management console. Provide a public link to the file in this field.


In our case, the link is https://instance.example.com/federationmetadata/2007-06/federationmetadata.xml

Metadata

This field contains an external service answer (SAML federation metadata) and is populated automatically by the federationmetadata.xml file content.

Additional information tab
This tab contains record service information (who and when has created or updated the record, other information).

Test configuration

To test configuration, please complete the steps below:

  1. Navigate to your ADFS portal. For example, https://instance.example.com/auth-sso
  2. Sign in to your instance. If configurations have been done correctly, you'll be logged automatically.
  3. Select Logout from the profile menu to test the logout endpoint functionality.

  • No labels

© 2019-2023, SimpleOne

https://simpleone.ru