This article describes how to configure ADFS as your workplace's single sign-on identity provider (IdP). This process involves making modifications to ADFS as well as your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their ADFS credentials.
To follow this process, you must be an ADFS administrator and a workplace administrator in your digital workplace.
Sections in this article:
- Configuring ADFS single sign-on
- Configuring your digital workplace's single sign-on
- Additional Resources
Configuring ADFS single sign-on
Enable Forms Authentication in ADFS
Forms Authentication must be enabled within ADFS for it to generate a SAML assertion for your digital workplace. For more information about Forms Authentication, see Configure the AD FS server for claims-based authentication (Microsoft).
- Log on to the ADFS server with administrator credentials.
- Open the ADFS management console and select Authentication Policies.
- On the Authentication Policies Overview page, select Edit.
- Under Intranet, ensure that Forms Authentication is selected. Select it if it isn't.
Create a Relying Party Trust in ADFS
A Relying Party Trust is required to allow ADFS to identify your workplace as a resource partner organization. For more information, see Create a Relying Party Trust (Microsoft).
- On the Select Data Source page in ADFS, select the option Enter data about the relying party manually.
- On the Specify Display Name page, enter the workplace URL as the Display Name.
- On the Choose Profile page, select the ADFS version to use. If you are using Windows 2003 or older, select ADFS 1.0 and 1.1; otherwise keep the default, ADFS profile.
- On the Configure Certificate page, select Next without specifying an encryption certificate. The assertion must be unencrypted.
- On the Configure URL page, make sure Enable support for the SAML 2.0 WebSSO is checked. If the box next to it is empty, the setting has not been enabled; select the box to enable it.
- Still on the Configure URL page, enter your workplace's SAML endpoint URL in the Relying party SAML 2.0 SSO service URL field. This takes the form http://{your workplace URL}/saml.digest
- On the Configure Identifiers page, enter your workplace's SAML endpoint URL as the Relying party trust identifier. This always takes the form http://{your workplace URL}/saml.digest
- On the Choose Issuance Authorization Rules page, select Permit all users to access the relying party.
- Review the settings, and select Finish. Selecting Finish automatically opens the claim rules area, which is typically the next step of setting up ADFS as your Identity Provider.
Create Claim Rules in ADFS
Claim Rules control what information is passed in the SAML assertion to your workplace. These must pass first name, last name, email and NameID values. For more information, see Configure the AD FS server for claims-based authentication (Microsoft).
- Select the Edit Claim Rules option found in ADFS, and then click Add Rule.
- Select the rule template Send LDAP Attributes as Claims.
- Give the rule a name.
- Select Active Directory (AD) as the attribute store.
- Map AD attributes to outgoing claims. The LDAP Attribute dropdown lets you pick a specific attribute from AD; enter the outgoing claim type beside it. For optimal results, provide the following mappings:
- Given-Name to FName
- Surname to LName
- Email Addresses to Email
- Email Addresses to NameID
- Select Finish to create these claims.
Where to find Signing Token / X.509 Certificate
A connection requires an ADFS token-signing certificate that's passed in the assertion. This certificate is also referred to as the X.509 Certificate. To find this certificate within ADFS, navigate to Service and select Certificates. Download the Token-signing certificate and open it in a text editor to view it. For more information, see ADFS Certificates - SSL, Token Signing, and Client Authentication Certs (Microsoft).
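The same ADFS-side configuration (the relying party trust, the four claim mappings, the permit-all authorization rule, and the token-signing certificate export) scripted with the AD FS PowerShell module, as an added example that is not part of the original article. The workplace host name is a constructed placeholder, and the NameID mapping uses the standard nameidentifier claim type that the console's Name ID outgoing claim corresponds to.

```powershell
Import-Module ADFS

# Constructed placeholder; replace with your workplace host name.
$workplaceHost = "workplace.example.com"
# SAML endpoint and trust identifier in the form the article gives.
$samlEndpoint  = "http://$workplaceHost/saml.digest"

# Send LDAP Attributes as Claims: Given-Name -> FName, Surname -> LName,
# E-Mail-Addresses -> Email and -> Name ID (the standard nameidentifier type).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Workplace attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("FName", "LName", "Email",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";givenName,sn,mail,mail;{0}", param = c.Value);
'@

# Issuance authorization: Permit all users to access the relying party.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO assertion consumer endpoint with the POST binding
# (the Relying party SAML 2.0 SSO service URL from the wizard).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                            -Uri $samlEndpoint -Index 0

# Claims stay unencrypted because the workplace requires an unencrypted assertion.
Add-AdfsRelyingPartyTrust -Name $workplaceHost `
    -Identifier $samlEndpoint `
    -SamlEndpoint $acs `
    -EncryptClaims $false `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Export the primary token-signing certificate as base64 (PEM body), which is
# what the workplace's Public Certificate field expects.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export(
           [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\adfs-token-signing.cer" -Value $pem
```

Run it in an elevated PowerShell session on the ADFS server; afterwards the trust and its rules can be reviewed in the console exactly as if they had been created through the wizard.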
Configuring your digital workplace's single sign-on
- Go to your digital workplace and sign in.
- Select Control Panel.
- Under Membership, select Sign In Settings.
- Select Configure SAML Authentication.
- Configure the settings as described in the Configuration settings table below.
- Select Save.
Setting | Description |
---|---|
Connection Name | Enter a name for this connection. If you configure Sign in Settings to Use SAML button on Sign in screen, this name is displayed on the button. |
IdP Login URL | Enter the IdP Login URL associated with your ADFS configuration. This typically looks like: https://servername.yourdomain.com/adfs/ls/idpinitiatedsignon.aspx |
IdP Logout URL | Enter the IdP Logout URL associated with your ADFS configuration. This typically looks like: https://servername.yourdomain.com/adfs/ls/idpinitiatedsignon.aspx/?wa=wsignout1.0 |
Logout Response and Request HTTP Type | Select Basic. |
Logout Final Redirect URL | Enter the URL of the location you want to send users to when they log out. If left blank, users are redirected to your digital workplace's homepage. |
Binding Type | Select POST. |
Public Certificate | Copy and paste the X.509 Certificate from your ADFS configuration. You may need to open the certificate file in a text editor. |
Identity Provider | Select Microsoft ADFS. If you are using ADFS 4.0, select Other. |
Identifier Type | Select Email Address. |
Identifier Path | Only available if Identity Provider is Other. Enter |
Session Index Path | Only available if Identity Provider is Other. Enter |
Email Path/Attribute | Enter This assumes you created the claim rules as described above in Configuring ADFS single sign-on. |
First Name Path/Attribute | Enter This assumes you created the claim rules as described above in Configuring ADFS single sign-on. |
Last Name Path/Attribute | Enter This assumes you created the claim rules as described above in Configuring ADFS single sign-on. |
Drift Time | Enter |
User creation on Sign in | Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace. Options include: |
 | When creating new users in your digital workplace this way, they will be created with the following details: |
 | If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.). If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts. |
Sign in Settings | Select how users sign in to your workplace. Options include: |
 | For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly. |