How do I set up SSO using Active Directory Federation Services?

Configuring SkyPrep with ADFS is a multi-step process:

 

  • First, we need to enable ADFS on our Windows Server.
  • Next, we need to open the ADFS Maintenance console.
  • Next, click on Add Relying Party Trust…
  • This should open the wizard.
  • Click the Start button.
  • Select Enter data about the relying party manually
  • Enter “https://[your_skyprep_domain]/saml/consume” as the display name
  • Select AD FS profile
  • Select Next on the Configure Certificate window.
  • Check Enable support for the SAML 2.0 WebSSO protocol and enter “https://[your_skyprep_domain]/saml/consume”. Then click Next.
  • Add “https://[your_skyprep_domain]/saml/consume” in the Relying party trust identifiers. Then click Next.
  • Select I do not want to configure multi-factor authentication settings for this relying party trust at this time and then click Next.
  • Select Permit all users to access this relying party.
  • In the Edit Claim Rules section, add the settings so they look like this:

 

 

You can add additional attributes to the SAML Claims.

These can be mapped as the following in the Outgoing Claim Type column:

User.EmailNotifications
User.FirstName
User.LastName
User.Company
User.Title
User.Address
User.Address2
User.State
User.Zip
User.Cell
User.Phone
User.WorkPhone
User.Ssn
User.DateOfBirth
User.UserIdentifier
User.Gender
User.Ca0
User.Ca1
User.Ca2
User.Ca3
User.Ca4
User.Ca5
User.Ca6
User.Ca7
User.Ca8
User.Ca9
User.Ca10

 

You can also fix an attribute to a specific value. For example, to set User.EmailNotifications to true, open Edit Claim Rules, click Add Rule, choose Send Claims using a Custom Rule, and set the rule like this:

 

 

<?xml version="1.0" encoding="UTF-8" ?>
  • Next, go to the SAML configuration page at https://[your_skyprep_domain]/admin/program/saml and paste the metadata (with the xml tag above) into the “idP Metadata (XML)” field.
  • Optionally, enable Automatically Create / Add Users (JIT) and Automatically Add Users to Existing Groups.

    (Note: Please update these settings using Google Chrome (and not Internet Explorer), as Internet Explorer may incorrectly present a security warning and may not be able to save the page.)

 

To test the integration, visit

https://[WINDOWS_SERVER]/adfs/ls/IdPInitiatedSignOn.aspx?loginToRp=https://[your_skyprep_domain]/saml/consume
