Configure SSO with Microsoft Active Directory Federation Services - SimplexMobility/public_wiki GitHub Wiki
Note: applies to ADFS 2.0 on Windows Server 2008 R2 and ADFS 3.0 on Windows Server 2012 / 2012 R2.
SAML 2.0 single sign-on (SSO) supports integration with Microsoft Active Directory Federation Services (ADFS) 3.0.
Requirements
- A fully installed and configured ADFS service.
- A server running Microsoft Windows Server 2008 R2 or 2012 / 2012 R2.
- An SSL certificate to sign your ADFS login page, and the thumbprint of that certificate.
In this example we are using ADFS 2.0 on Windows Server 2008 R2. On Windows Server 2012 the steps are the same except for the installation: there you install the AD FS role via Server Manager rather than via the separate installation package used on Windows Server 2008 R2.
Step 1. AD FS Management
Log in to your AD FS server and launch the AD FS Management Console via the shortcut in Control Panel\Administrative Tools.
Step 2. Check AD FS settings
Right-click on Service and select Edit Federation Service Properties...
Confirm that the General settings match your DNS entries and certificate names. Make a note of the Federation Service Identifier, since it is used in the MyServe SAML 2.0 configuration settings.
Step 3. Token-Signing certificate
- Browse to the certificates and locate the Token-signing certificate.
- Right-click on the certificate and select View Certificate.
- Go to the Details tab.
- Find the Thumbprint field and copy the contents of this field to the Windows clipboard.
Step 4. MyServe Settings
Go to your MyServe account at myserve.co or myserve.ca and open the Settings > SSO SAML page.
Click the Add Configuration > Blank Configuration link to create a new blank configuration.
Fill in all the fields:
- IdP Entity ID with the Federation Service Identifier from Step 2.
- IdP Endpoint URL with the Login URL.
- IdP Certificate's Fingerprint with the Thumbprint you copied in Step 3.
Step 5. ADFS Relying Party Configuration
Go to the ADFS Management console, select Relying Party Trusts, right-click on it and select Add Relying Party Trust…
Click Next on the Welcome screen of the wizard, and on the Select Data Source step select the last option: Enter data about the relying party manually.
On the next screen, enter a Display name that you will recognize in the future.
Next, select AD FS profile.
On the following screen, leave the default values.
On the next screen, check the box labeled: Enable support for the SAML 2.0 WebSSO protocol.
Click Next. Add the Relying party trust identifier: https://riocan.myserve.ca/sso/saml/metadata (the /sso/saml/metadata URL of your MyServe subdomain).
Choose Permit all users to access this relying party.
On the next step, just click Next.
On the final screen, leave the box Open the Edit Claim Rules dialog checked and click Close to exit the wizard.
Step 6. Creating Claims Rules
- Click Add Rule to add the first rule.
- Select Send LDAP Attributes as Claims as the template.
- On the next screen, give your Claim Rule a name, for example "E-mail", select Active Directory as your attribute store, and do the following:
  - From the LDAP Attribute column, select E-Mail Addresses.
  - Under Outgoing Claim Type, enter "email".
  - Click Finish or OK to save the new rule.
- After that, add the second rule and select Transform an Incoming Claim as the template.
- Give your Claim Rule a title, for example Transform Account Name.
- Select Windows account name as the Incoming Claim Type.
- Under Outgoing Claim Type, select Name ID.
- Under Outgoing Name ID Format, select Transient Identifier.
- Leave the default option Pass through all claim values.
- Finally, click OK to create the claim rule, and then OK again to finish creating rules.
Step 7. Logging in
Go to your SSO login page: https://YOUR-SUBDOMAIN.myserve.ca/sso/saml/init and enter your credentials.
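For administrators who prefer to script the trust, the following is an added example (not part of the original wiki or the MyServe product) showing the PowerShell equivalent of Steps 3, 5 and 6 on the ADFS server. It assumes the riocan subdomain from Step 5; the assertion consumer (ACS) URL is not given on this page, so ACS_PATH_PLACEHOLDER must be replaced with the real value.

```powershell
# Added example, not the wiki's own code. ADFS 3.0 loads the ADFS module on demand;
# on ADFS 2.0 (Windows Server 2008 R2) first run: Add-PSSnapin Microsoft.Adfs.PowerShell
$subdomain = "riocan"   # assumption: the MyServe subdomain used in Step 5

# Step 3: thumbprint of the primary token-signing certificate, i.e. the value MyServe
# expects in "IdP Certificate's Fingerprint". If AutoCertificateRollover is enabled,
# this thumbprint changes when ADFS rolls the certificate and MyServe must be updated.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"Token-signing thumbprint: $($signing.Thumbprint)"

# Step 6 in claim rule language: rule 1 (Send LDAP Attributes as Claims, E-Mail Addresses
# -> custom type "email") and rule 2 (Transform an Incoming Claim, Windows account name
# -> Name ID with Transient Identifier format, passing the value through unchanged).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Account Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Step 5: "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 5: SAML 2.0 WebSSO endpoint (HTTP-POST binding) and the relying party trust itself.
# ACS_PATH_PLACEHOLDER: the page does not list MyServe's assertion consumer path.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri "https://$subdomain.myserve.ca/ACS_PATH_PLACEHOLDER" -Index 0

Add-AdfsRelyingPartyTrust -Name "MyServe" `
    -Identifier "https://$subdomain.myserve.ca/sso/saml/metadata" `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the trust before testing the login in Step 7
Get-AdfsRelyingPartyTrust -Name "MyServe" | Select-Object Name, Identifier, IssuanceTransformRules
```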