Configuring SAML-based SSO with AD FS

This is a quickstart guide to configure SAML 2.0-based Single Sign-on with a Softadmin® system as Service Provider and AD FS as Identity Provider.

Before getting started

All stakeholders should agree on which information about users the Identity Provider will share with the Softadmin® system and how end user permissions in the Softadmin® system will be administered.

Firewalls must allow the Softadmin® system to make HTTPS requests to the AD FS server, so that it can fetch the Identity Provider metadata.

Participants

  • A Softadmin® administrator
  • An Active Directory domain administrator (referred to as the AD administrator for the rest of this document)

During configuration the administrators will need to share some system-specific configuration values with each other.

The Softadmin® administrator will share:

  • Service Provider Metadata URL

The AD administrator will share:

  • Identity Provider Metadata URL

Softadmin® administrator

  1. Choose a Service Provider Identity for the Softadmin® system. Use the system's own URL (for example https://softadmin.example.com) unless you have good reasons not to. Set the system setting SingleSignOnSamlIdentity to this identity. The Softadmin® system cannot publish SAML metadata until an identity has been assigned.

  2. Set SingleSignOnLoginProcedure to the name of the stored procedure that will extract user attributes from the SAML Assertion.

  3. The Service Provider Metadata URL is found by appending /saml/sp to the system's URL, for example https://softadmin.example.com/saml/sp. It is case sensitive. Verify that you can download an XML file from the Service Provider Metadata URL and then share the URL with the AD administrator.

AD administrator

  1. Expand AD FS / Trust relationships and select Relying Party Trusts. Click the Add Relying Party Trust link on the right side.

  2. In the Add Relying Party Trust wizard:

    1. At Welcome, click Start.

    2. At Select data source, choose Import data about the relying party published online and enter the Service Provider Metadata URL in the Federation metadata host field.

    3. At Specify display name, enter the name the end users know the system by.

    4. At Configure multi-factor authentication, choose to do it later.

    5. At Choose issuance authorization rules, you probably want to deny all users by default; permissions are then granted explicitly under Issuance Authorization Rules in the next step.

    6. At Ready to add trust, review and then click Next.

    7. At Finish, click Close.

  3. In Edit Claim Rules:

    1. In Issuance transform rules:

      1. Click Add rule.

      2. Use Send LDAP attributes as claims, Active Directory as Attribute store.

      3. Use the following outgoing claims (unless another set of claims has been agreed on):

      LDAP Attribute                    Outgoing claim type
      Given-Name                        Given Name
      Surname                           Surname
      E-Mail-Addresses                  E-Mail Address
      Token-Groups - Unqualified Names  Group
      User-Principal-Name               Name ID

      (Screenshot: Add Transform Claim Rule)

    2. In Issuance Authorization Rules, assign user permissions as desired.

  4. Determine where the AD FS server serves federation metadata. It is usually at /FederationMetadata/2007-06/FederationMetadata.xml (for example https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml). This is the Identity Provider Metadata URL. Give this URL to the Softadmin® administrator.
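The following script is an added example, not part of the Softadmin® or AD FS documentation. It shows what the login procedure from the Softadmin® administrator's step 2 has to deal with: the claims from the transform rule above arrive as SAML attributes named by the AD FS outgoing claim type URIs, while Name ID arrives in the assertion's Subject. The script compares the attributes in an assertion with the agreed claim set and reports claims that are missing and claims that were not agreed on (the Identity Provider is sharing more than the stakeholders decided). The assertion is a constructed, unsigned sample with made-up values; the claim type URIs are the standard AD FS ones for the LDAP attributes in the table.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Outgoing claim types that the transform rule in the guide emits as SAML
# attributes. "Name ID" (User-Principal-Name) is not an attribute: AD FS puts
# it in <saml:Subject>/<saml:NameID>, so it is checked separately below.
AGREED_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Given Name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "E-Mail Address",
    "http://schemas.xmlsoap.org/claims/Group": "Group",
}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion (unsigned, made-up issuer and values). It lacks
# the e-mail claim and carries an extra UPN claim, to show both kinds of finding.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Andersson</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Softadmin Users</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Return ({claim_type: [values]}, name_id) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    name_id_el = root.find("saml:Subject/saml:NameID", SAML_NS)
    name_id = name_id_el.text if name_id_el is not None else None
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return attributes, name_id


def check_claims(assertion_xml, agreed=AGREED_ATTRIBUTES):
    """Compare the received attributes with the agreed claim set.

    Returns the agreed claims that are missing (by their display name), the
    claim types that were received but not agreed on, whether a NameID is
    present, and the list of group names for permission mapping.
    """
    attributes, name_id = extract_attributes(assertion_xml)
    received = set(attributes)
    return {
        "missing": sorted(agreed[c] for c in set(agreed) - received),
        "unexpected": sorted(received - set(agreed)),
        "has_name_id": name_id is not None,
        "groups": attributes.get(GROUP_CLAIM, []),
    }


if __name__ == "__main__":
    print(check_claims(SAMPLE_ASSERTION))
```

This is a content check only: it assumes the SAML library has already validated the assertion's signature, issuer, audience and validity period before any attribute is trusted. Treating "unexpected" claims as a finding rather than silently accepting them keeps the data shared with the Softadmin® system to what was agreed before getting started.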

Softadmin® administrator

  1. Go to Single Sign-on -> SAML 2.0 Single Sign-on -> SAML Identity Providers and create a new Identity Provider with the Identity Provider Metadata URL.

  2. Change the SingleSignOn system setting to SAML 2.0.
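Both administrators are asked to exchange a metadata URL and to verify that it returns XML. The script below is an added example, not part of the Softadmin® or AD FS documentation, that goes one step further and checks the content of the two documents before the URLs are exchanged: the Service Provider metadata must carry the identity chosen for SingleSignOnSamlIdentity and an HTTPS assertion consumer endpoint, and the Identity Provider metadata must carry a signing certificate and an HTTPS single sign-on endpoint with the HTTP-POST or HTTP-Redirect binding. The two metadata documents are constructed, minimal samples (the /saml/acs path and the certificate text are made up); fetch_metadata() is the only function that touches the network and is not used by the checks.

```python
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of what the Service Provider Metadata URL could return.
# The /saml/acs endpoint path is made up for the example.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://softadmin.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://softadmin.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of AD FS federation metadata, reduced to the parts checked
# here. The certificate body is a placeholder, not a real certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(url):
    """Download a metadata document. Refuses plain http so the document cannot be tampered with in transit."""
    if not url.startswith("https://"):
        raise ValueError("metadata must be fetched over https")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def check_sp_metadata(xml_text, expected_identity):
    """Problems found in Service Provider metadata; an empty list means it looks right."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if root.get("entityID") != expected_identity:
        problems.append("entityID %r does not match SingleSignOnSamlIdentity %r"
                        % (root.get("entityID"), expected_identity))
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        problems.append("no SPSSODescriptor")
        return problems
    acs = sp.findall("md:AssertionConsumerService", MD_NS)
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for ep in acs:
        if not ep.get("Location", "").startswith("https://"):
            problems.append("AssertionConsumerService %s is not https" % ep.get("Location"))
    return problems


def check_idp_metadata(xml_text):
    """Problems found in Identity Provider metadata; an empty list means it looks right."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        return ["no IDPSSODescriptor"]
    problems = []
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    signing_certs = [
        kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS)
        for kd in idp.findall("md:KeyDescriptor", MD_NS)
        if kd.get("use") in (None, "signing")
    ]
    if not any(cert is not None for cert in signing_certs):
        problems.append("no signing certificate in IDPSSODescriptor")
    sso = idp.findall("md:SingleSignOnService", MD_NS)
    if not {ep.get("Binding") for ep in sso} & {HTTP_POST, HTTP_REDIRECT}:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    for ep in sso:
        if not ep.get("Location", "").startswith("https://"):
            problems.append("SingleSignOnService %s is not https" % ep.get("Location"))
    return problems


if __name__ == "__main__":
    print("SP :", check_sp_metadata(SP_METADATA, "https://softadmin.example.com") or "ok")
    print("IdP:", check_idp_metadata(IDP_METADATA) or "ok")
```

To run it against real systems, replace the two sample strings with fetch_metadata(service_provider_metadata_url) and fetch_metadata(identity_provider_metadata_url). A mismatch reported for entityID usually means SingleSignOnSamlIdentity was changed after the relying party trust was imported; the trust in AD FS then has to be updated from the Service Provider Metadata URL again.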