Enabling SSO with Active Directory (AD FS) – Using SAML 2.0

Administrator -

This article provides all instructions to configure your Active Directory server as well as your Enterprise Account in order to enable the SSO functionality using SAML.

Supports & Requirements

Active Directory Server

Your Active Directory server must meet the following requirements:
  • AD FS 2.1 or higher
  • Windows Server 2012 or higher

User Accounts

It is still necessary to create user accounts in your Enterprise Account once the SSO functionality is enabled.

For more information, see: User Accounts in SSO Context.

Client Integrations

For all details about client integrations supported when configuring SSO with SAML 2.0, see: Supported Client Integrations & Restrictions.

AD Server Configuration

Setup AD FS role, Relying Party Trust and Claim Rules on your AD Server:

  1. Setup the AD FS role on your AD Server, according to Microsoft’s instructions.
    1. Install the AD FS role.
    2. Setup firewalling/NATing, DNS, public certificates according to your corporate environment/policies.
  2. Configure a Relying Party Trust using the AD FS Management console:

    Go to Trust Relationships and add a Relying Party Trust with the following minimum required properties (follow the wizard):

    Select Data Source Select Enter data about the relying party manually
    Choose Profile Select AD FS Profile
    Configure URL Select Enable Support for the SAML 2.0 WebSSO protocol
    Provide the Relying party SAML 2.0 SSO service URL:

    https://login.[xmedius_domain]/auth/saml/callback

    Note: Use the [xmedius_domain] that corresponds to the region of your enterprise account (i.e. xmedius.com for USA, xmedius.ca for Canada or xmedius.eu for Europe).
    Configure Identifiers Add the following Relying party trust identifier:

    https://login.[xmedius_domain]/

    Note: Use the same [xmedius_domain] as above – and do not forget the mandatory slash (/) at the end.
    Choose Issuance Authorization Rules Select Permit all users to access this relying party
    Tip: Before finishing, select Open the Edit Claim Rules dialog... to directly step on the next required configuration.
  3. Configure two claims to make your AD FS return the User ID Attribute required by the SAML protocol:
    1. Add a Claim Rule to the Relying Trust Party you just created:

      In Edit Claim Rules, Issuance Transform Rules tab, add a rule with the following minimum required properties (follow the wizard):

      Choose Rule Type Select Send LDAP Attributes as Claims
      Configure Claim Rule Select Active Directory as Attribute Store
      Set Mapping of LDAP attributes to outgoing claim types:

      User-Principal-Name >> E-Mail Address

      OR (depending on your LDAP implementation):

      E-Mail Addresses >> E-Mail Address

    2. Add a second Claim Rule below the previous one, with the following minimum required properties (follow the wizard):
      Choose Rule Type Select Transform an Incoming Claim
      Configure Claim Rule Select E-Mail-Address as Incoming claim type
      Select Name ID as Outgoing claim type
      Select Email as Outgoing name ID format

AD FS Values Required for Further Configuration

You need to get some values from your AD FS in order to use them while configuring your XMedius Enterprise Account for SSO.

  1. Identity Provider Issuer (a.k.a. Federation Service Identifier in AD FS):
    1. Go to AD FS > Service and Edit Federation Service Properties.
    2. Get the value of Federation Service Identifier.
  2. X.509 Signing Certificate:
    1. Go to AD FS > Service > Certificates.
    2. Locate the Token-signing certificate and open it.
    3. Go to Details and click on Copy to File...
    4. Select Base-64 encoded X.509 (.CER) and follow the wizard.

Enterprise Account Configuration

Enable the SSO functionality (with SAML) in your Enterprise Account:

  1. Login to your XMedius Cloud account using a Web browser.
  2. Edit your Enterprise Settings:
    1. From the main menu of your Web Portal, select enterprise_account > Enterprise Settings.
    2. Go to Single Sign-On section and select SAML 2.0.
    3. Provide the following required information:
      Issuer (Identity Provider) The Federation Service Identifier of your AD FS server (for example: http://adfs.yourdomain.com/adfs/services/trust).
      Sign In URL The URL to your AD FS server sign in page (for example: https://adfs.yourdomain.com/adfs/ls).
      X.509 Signing Certificate The content of the Base-64 encoded X.509 (.CER) file exported from your AD FS server certificate.
    4. If needed, provide the following optional information:
      URL Redirect After Sign Out Custom URL to redirect users when they sign out of the portal. If you leave this field empty, the default logout page of the XMedius cloud portal will be used.
    Important: Keep the fail-safe URL (https://login.[domain]/[account]/no-sso) provided at the bottom of the SSO configuration section, it will allow you to log in using your XMedius Cloud account credentials if you lock yourself after SSO activation.
Have more questions? Submit a request

Comments

Powered by Zendesk