This article explains how to integrate your Enterprise Account with Active Directory Federation Services (AD FS) in order to enable user single sign-on (SSO).
With this functionality enabled, all users of the Enterprise Account will be able to log in to their XMedius Cloud account (including all subscribed services) using their Active Directory user credentials.
- describes all configurations to perform (SSO Configuration) on your AD Server as well as on your Enterprise Account in order to enable the SSO functionality, and
- provides specific information for creating user accounts (User Accounts in SSO Context), which is still necessary when the SSO functionality is enabled.
To enable SSO, you must perform configurations on your AD Server as well as on your Enterprise Account (for which you need to provide some values retrieved from your AD FS).
AD Server Configuration
- Set up the AD FS role on your AD Server, according to Microsoft’s instructions.
Configure a Relying Party Trust using the AD FS Management
Go to Trust Relationships and add a Relying Party Trust with the following minimum required properties (follow the wizard):
- Select Data Source
  - Select Enter data about the relying party manually
- Choose Profile
  - Select AD FS Profile
- Configure URL
  - Select Enable support for the WS-Federation Passive Protocol
  - Provide the Relying party WS-Federation Passive protocol URL: https://login.[domain]
    Note: Use the [domain] that corresponds to the region of your enterprise account (i.e. xmedius.com for USA, xmedius.ca for Canada or xmedius.eu for Europe).
- Choose Issuance Authorization Rules
  - Select Permit all users to access this relying party

Tip: Before finishing, select Open the Edit Claim Rules dialog... to proceed directly to the next required configuration.
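The same relying party trust can be created and checked from PowerShell on the AD FS server, which makes the configuration repeatable and easy to audit. This is an added example, not XMedius or Microsoft code: the display name is hypothetical, reusing the WS-Federation URL as the relying party identifier is an assumption (the page does not state an identifier), and it assumes an AD FS version that uses issuance authorization rules, as the wizard above does.

```powershell
# Added example (not vendor code): scripted equivalent of the wizard choices above.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Region domain from the article: xmedius.com (USA), xmedius.ca (Canada), xmedius.eu (Europe).
$Domain   = 'xmedius.com'
$WsFedUrl = "https://login.$Domain"

# Hypothetical display name; any name that is unique on this AD FS farm works.
$TrustName = 'XMedius Cloud SSO'

# Claim rule language equivalent of "Permit all users to access this relying party".
$PermitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Create the trust only if it does not exist yet, so the script is safe to re-run.
if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    # Assumption: the WS-Federation URL doubles as the relying party identifier.
    Add-AdfsRelyingPartyTrust `
        -Name $TrustName `
        -Identifier $WsFedUrl `
        -WSFedEndpoint $WsFedUrl `
        -IssuanceAuthorizationRules $PermitAll
}

# Read the trust back and review what tokens will actually be issued against.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$trust | Format-List Name, Enabled, Identifier, WSFedEndpoint, IssuanceAuthorizationRules

# Flag an endpoint that is not HTTPS or does not point at the expected regional host:
# AD FS sends the signed token to this URL, so a wrong value sends it to the wrong party.
$endpoint = [uri]$trust.WSFedEndpoint
if ($endpoint.Scheme -ne 'https' -or $endpoint.Host -ne "login.$Domain") {
    Write-Warning "Unexpected WS-Federation endpoint on '$TrustName': $endpoint"
}

# Flag authorization rules that differ from the single permit-all rule configured above.
if ($trust.IssuanceAuthorizationRules.Trim() -ne $PermitAll) {
    Write-Warning "Issuance authorization rules on '$TrustName' differ from permit-all; review them."
}
```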
Add a Claim Rule to the Relying Party Trust you just
In Edit Claim Rules, Issuance Transform Rules tab, add a rule with the following minimum required properties (follow the wizard):
AD FS Values Required for Further Configuration
You need to get some values from your AD FS in order to use them while configuring your XMedius Enterprise Account for SSO.
Enterprise Account Configuration
- Log in to your XMedius Cloud account using a Web browser.
Important: Keep the fail-safe URL (https://login.[domain]/[account]/no-sso) provided at the bottom of the SSO configuration section. It will allow you to log in using your XMedius Cloud account credentials if you lock yourself out after SSO activation.
- From the main menu of your Web Portal, select .
- Go to the Single Sign-On section and select WS-Fed / WS-Trust.
- Provide the following required information:
User Accounts in SSO Context
Even with SSO functionality enabled, it is always required to create user accounts within the Enterprise Account. SSO will apply to all user accounts created either before or after enabling the functionality.
You must also be aware of some behaviors and requirements related to SSO activation (Password / Email Address Required to Log in / Two-Factor Authentication).
Creating User Accounts
A tool (AD Sync) can be used to ease the user account creation process by synchronization with your Active Directory (see Synchronizing Users from Active Directory).
Otherwise, the XMedius Cloud Platform always allows administrators to create user accounts, either manually or by sending invitations (see Managing Users).
- Administrators have the option to manually create user accounts with no password.
- The form to create an account following a User Invitation does not ask users to set a password.
Email Address Required to Log in
In SSO mode, the key element of a user account is its email address. As such, to log in using client applications (e.g. SendFAX, XM SendSecure for Outlook...) as well as to access the Web Portal, users will have to authenticate using their email address (and not the username defined in their XMedius Cloud account).