This article provides all instructions to configure your Active Directory server as well as your Enterprise Account in order to enable the SSO functionality using SAML.
Supports & Requirements
Active Directory Server
It is still necessary to create user accounts in your Enterprise Account once the SSO functionality is enabled.
For more information, see: User Accounts in SSO Context.
For all details about client integrations supported when configuring SSO with SAML 2.0, see: Supported Client Integrations & Restrictions.
AD Server Configuration
- Set up the AD FS role on your AD Server, according to Microsoft’s instructions.
Configure a Relying Party Trust using the AD FS Management
Go to Trust Relationships and add a Relying Party Trust with the following minimum required properties (follow the wizard):
- Select Data Source: select Enter data about the relying party manually.
- Choose Profile: select AD FS Profile.
- Configure URL: select Enable Support for the SAML 2.0 WebSSO protocol and provide the Relying party SAML 2.0 SSO service URL:
  https://login.[xmedius_domain]/auth/saml/callback
  Note: Use the [xmedius_domain] that corresponds to the region of your enterprise account (i.e. xmedius.com for USA, xmedius.ca for Canada or xmedius.eu for Europe).
- Configure Identifiers: add the following Relying party trust identifier:
  https://login.[xmedius_domain]/
  Note: Use the same [xmedius_domain] as above, and do not forget the mandatory slash (/) at the end.
- Choose Issuance Authorization Rules: select Permit all users to access this relying party.
  Tip: Before finishing, select Open the Edit Claim Rules dialog... to go directly to the next required configuration.
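The same Relying Party Trust can be created from the AD FS PowerShell module instead of the wizard. The following is an added example, not code from the XMedius article or product; it assumes an elevated PowerShell session on the AD FS server, that the display name "XMedius Cloud" is a free choice, and that `$Region` holds the [xmedius_domain] of your enterprise account's region.

```powershell
# Added example (not part of the XMedius article): creates the Relying Party Trust
# described by the wizard steps above with the AD FS PowerShell cmdlets.
# Assumptions: elevated PowerShell on the AD FS server; $Region is the
# [xmedius_domain] for your region (xmedius.com, xmedius.ca or xmedius.eu).
Import-Module ADFS

$Region    = 'xmedius.com'                               # region of your enterprise account
$TrustName = 'XMedius Cloud'                             # display name, free choice
$AcsUrl    = "https://login.$Region/auth/saml/callback"  # Relying party SAML 2.0 SSO service URL
$EntityId  = "https://login.$Region/"                    # Relying party trust identifier (trailing slash is mandatory)

# AD FS looks the trust up by an exact match on the identifier sent in the AuthnRequest,
# so an identifier without the trailing slash makes AD FS reject logins as coming from an
# unknown relying party. Fail early rather than creating a trust that can never match.
if (-not $EntityId.EndsWith('/')) { throw "Relying party trust identifier must end with '/'" }

# "Enable Support for the SAML 2.0 WebSSO protocol" = an assertion consumer endpoint (HTTP-POST binding).
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Claim rule language equivalent of "Permit all users to access this relying party".
$PermitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $TrustName `
                          -Identifier $EntityId `
                          -ProtocolProfile SAML `
                          -SamlEndpoint $Acs `
                          -IssuanceAuthorizationRules $PermitAll

# Read the trust back so the stored values can be compared with the wizard screens.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, ProtocolProfile,
                  @{ Name = 'AssertionConsumerUrl'; Expression = { $_.SamlEndpoints.Location } }
```

This stops where the wizard stops: the two Issuance Transform Rules of the next section are added afterwards with `Set-AdfsRelyingPartyTrust -IssuanceTransformRules`, which is what the Edit Claim Rules dialog does.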
Configure two claims to make your AD FS return the User ID attribute required by the SAML protocol:
- Add a Claim Rule to the Relying Party Trust you just created: in Edit Claim Rules, Issuance Transform Rules tab, add a rule with the following minimum required properties (follow the wizard):
- Add a second Claim Rule below the previous one, with the following minimum required properties (follow the wizard):
AD FS Values Required for Further Configuration
You need to get some values from your AD FS in order to use them while configuring your XMedius Enterprise Account for SSO.
- Identity Provider Issuer (a.k.a. Federation Service Identifier in AD FS):
- X.509 Signing Certificate:
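Both values can be read directly from the AD FS server. The following is an added example, not code from the XMedius article or product; it assumes an elevated PowerShell session on the AD FS server and that the output file path is a free choice. The certificate it exports is the primary token-signing certificate, because that is the key whose signature the service provider verifies on every SAML assertion; the AD FS SSL/service-communications certificate is not what this field needs.

```powershell
# Added example (not part of the XMedius article): collects the two values listed above
# on the AD FS server and writes the token-signing certificate as the Base-64 encoded
# X.509 (.CER) file that the Enterprise Account configuration expects.
# Assumptions: elevated PowerShell on the AD FS server; $OutFile is a free choice.
Import-Module ADFS

$Props = Get-AdfsProperties

# Identity Provider Issuer = Federation Service Identifier (e.g. http://adfs.yourdomain.com/adfs/services/trust)
$Issuer = [string]$Props.Identifier
# Sign In URL is the /adfs/ls page on the federation service host name
$SignInUrl = "https://$($Props.HostName)/adfs/ls"

# Primary token-signing certificate: the one currently used to sign assertions.
$Signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$Cert    = $Signing.Certificate

# Export the public certificate only (X509ContentType::Cert = DER, no private key) and wrap it as PEM.
$Der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$Pem = @(
    '-----BEGIN CERTIFICATE-----'
    [Convert]::ToBase64String($Der, [System.Base64FormattingOptions]::InsertLineBreaks)
    '-----END CERTIFICATE-----'
) -join "`r`n"
$OutFile = Join-Path $env:USERPROFILE 'adfs-token-signing.cer'
Set-Content -Path $OutFile -Value $Pem -Encoding Ascii

# Values to paste into the Single Sign-On section, plus the thumbprint for later comparison.
[pscustomobject]@{
    Issuer     = $Issuer
    SignInUrl  = $SignInUrl
    Thumbprint = $Cert.Thumbprint
    NotAfter   = $Cert.NotAfter
    CertFile   = $OutFile
}

# Operational caveat: with AutoCertificateRollover enabled (the AD FS default), AD FS generates a
# new token-signing certificate before the current one expires and promotes it to primary.
# The Enterprise Account then still holds the old certificate and every SSO login fails
# until the new .CER is uploaded.
if ($Props.AutoCertificateRollover) {
    $Days = ($Cert.NotAfter - (Get-Date)).Days
    Write-Warning "AutoCertificateRollover is on; the primary token-signing certificate expires in $Days days. Plan to re-upload the new certificate after rollover."
}
```

Keep the printed thumbprint with the rest of your SSO change record: when logins start failing after a certificate rollover, comparing it against the thumbprint of the current primary certificate is the fastest way to confirm the cause.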
Enterprise Account Configuration
- Log in to your XMedius Cloud account using a Web browser.
Important: Keep the fail-safe URL (https://login.[domain]/[account]/no-sso) provided at the bottom of the SSO configuration section; it will allow you to log in using your XMedius Cloud account credentials if you lock yourself out after SSO activation.
- From the main menu of your Web Portal, select .
- Go to Single Sign-On section and select SAML 2.0.
Provide the following required information:
- Issuer (Identity Provider): the Federation Service Identifier of your AD FS server (for example: http://adfs.yourdomain.com/adfs/services/trust).
- Sign In URL: the URL of your AD FS server sign-in page (for example: https://adfs.yourdomain.com/adfs/ls).
- X.509 Signing Certificate: the content of the Base-64 encoded X.509 (.CER) file exported from your AD FS server certificate.
- If needed, provide the following optional information:
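Before activating SSO, it is worth cross-checking the three required values against what AD FS actually publishes in its federation metadata, since a single mismatched character in the Issuer or an out-of-date certificate is enough to make every SSO login fail and force use of the fail-safe URL. The following is an added example, not code from the XMedius article or product. It runs from any workstation that can reach the AD FS host and needs no AD FS module; `adfs.yourdomain.com` is the placeholder host from the article, the `$Entered` values are constructed here to stand in for what was typed into the form, and the .CER path is assumed.

```powershell
# Added example (not part of the XMedius article): compares the values entered in the
# Single Sign-On form with the AD FS federation metadata published by the server.
# Assumptions: $AdfsHost is the public name of your AD FS server (placeholder below);
# $Entered mirrors what was typed into the form and where the uploaded .CER file was saved.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$AdfsHost    = 'adfs.yourdomain.com'   # placeholder, replace with your own host name
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Values as entered in the form (constructed for this comparison).
$Entered = @{
    Issuer    = "http://$AdfsHost/adfs/services/trust"
    SignInUrl = "https://$AdfsHost/adfs/ls"
    CerFile   = Join-Path $env:USERPROFILE 'adfs-token-signing.cer'
}

# Load the metadata over HTTPS; an untrusted AD FS TLS certificate fails here instead of silently.
$Md = New-Object System.Xml.XmlDocument
$Md.Load($MetadataUrl)
$Ns = New-Object System.Xml.XmlNamespaceManager($Md.NameTable)
$Ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$Ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# 1. Issuer = entityID of the EntityDescriptor (the Federation Service Identifier).
$PublishedIssuer = $Md.DocumentElement.GetAttribute('entityID')

# 2. Sign In URL = SingleSignOnService with the HTTP-POST binding (AD FS also lists HTTP-Redirect).
$PostBinding  = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
$PublishedSso = $Md.SelectSingleNode("//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$PostBinding']", $Ns).GetAttribute('Location')

# 3. Signing certificates: during a key rollover AD FS publishes two, so collect every one.
$CertType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$CertXPath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$PublishedCerts = foreach ($node in $Md.SelectNodes($CertXPath, $Ns)) {
    $CertType::new([Convert]::FromBase64String($node.InnerText))
}
$UploadedCert = $CertType::new($Entered.CerFile)

$Result = [pscustomobject]@{
    IssuerMatches    = ($PublishedIssuer -eq $Entered.Issuer)
    SignInUrlMatches = ($PublishedSso -eq $Entered.SignInUrl)
    CertMatches      = ($PublishedCerts.Thumbprint -contains $UploadedCert.Thumbprint)
    PublishedCerts   = ($PublishedCerts | ForEach-Object { "$($_.Thumbprint) (expires $($_.NotAfter.ToShortDateString()))" }) -join '; '
}
$Result

if (-not ($Result.IssuerMatches -and $Result.SignInUrlMatches -and $Result.CertMatches)) {
    Write-Warning 'At least one value in the Single Sign-On form differs from what AD FS publishes; SSO logins will fail until it is corrected.'
}
```

The comparison is deliberately exact rather than case-insensitive: the Issuer must equal the entityID byte for byte, which is also why the http:// versus https:// scheme in the example values must be copied as published. Re-running this check after each token-signing certificate rollover tells you whether the .CER uploaded to the Enterprise Account is still one of the keys AD FS signs with.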