SSO with ADFS

Modified on Sun, 02 Feb 2020 at 12:38 PM

This page gives instructions for configuring Active Directory Federation Services (ADFS) as the identity provider for SSO with Policy Passport.


Please make sure to read the general SSO guide first: https://compliance.freshdesk.com/support/solutions/articles/12000059871. The general process is described there; this page gives the configuration details for ADFS.


Setting up single sign-on using Active Directory with ADFS and SAML


Policy Passport supports Single sign-on (SSO) logins through SAML 2.0. A SAML 2.0 identity provider (IDP) can take many forms, one of which is a self-hosted Active Directory Federation Services (ADFS) server. ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.


Usually, the ADFS metadata information can be found at the following URL: https://<IDP-URL>/FederationMetadata/2007-06/FederationMetadata.xml


How to configure ADFS SAML SSO for your users:


1. Open ADFS Management under Server Manager > Tools.


2. Open Trust Relationships, right-click Relying Party Trusts, choose Add Relying Party Trust and click on Start.


3. Choose Import data about the relying party from a file, browse to and upload the supplied metadata file, and click Next.

4. Enter a suitable Display name and click on Next.

5. Select whether you would like to enable Multi-factor Authentication for users.

6. Select whether you would like to configure any Issuance Authorization Rules.


7. Click Next on the set-up overview summary.

8. Check the box Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click on Close.

9. Choose Send Claims Using a Custom Rule in the Add Transform Claim Rule Wizard window and click Next.


Create your first rule to Add E-mail Address from AD


@RuleName = "Add E-mail Address from AD"

Paste the below rule in the Custom rule text box


c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);


10. Add another Custom rule to Send E-Mail-Address as emailAddress (the attribute name is case sensitive).


@RuleName = "Send E-Mail-Address as emailAddress"


Paste the below rule in the Custom rule text box


c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "emailAddress", Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

11. Add another rule and choose Transform an Incoming Claim from the 'Claim rule template' dropdown. Click on Next.


Fill out the dropdowns with the following values:

Incoming claim type: E-mail Address

Outgoing claim type: NameID

Outgoing name ID format: Email


12. Send us your Base-64 encoded X.509 token-signing certificate along with your SAML login URL, e.g. https://<IDP-URL>/adfs/ls.
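The following PowerShell script is an added example (not a script from Policy Passport or Microsoft) that performs steps 3, 6 and 9 to 12 above with the ADFS module instead of the wizard, so the configuration can be reviewed and repeated. It assumes it is run on the ADFS server as an administrator; the display name, the metadata file path and the output path are placeholders to replace. The third claim rule is the rule text that the Transform an Incoming Claim template in step 11 generates.

```powershell
# Added example: scripted equivalent of the wizard steps above, using the ADFS
# PowerShell module (Add-AdfsRelyingPartyTrust, Set-AdfsRelyingPartyTrust,
# Get-AdfsCertificate). Not Policy Passport's or Microsoft's own script.
Import-Module ADFS

$DisplayName  = 'Policy Passport'                       # placeholder display name (step 4)
$MetadataFile = 'C:\sso\policy-passport-metadata.xml'  # placeholder: the supplied metadata file (step 3)
$CertOutPath  = "$env:USERPROFILE\adfs-token-signing.cer"   # placeholder output path (step 12)

# Step 3: create the relying party trust from the supplied metadata file.
Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataFile $MetadataFile

# Steps 9 to 11: the three issuance transform rules from this article as one rule set.
# A single-quoted here-string keeps PowerShell from expanding {0} or $ characters.
$TransformRules = @'
@RuleName = "Add E-mail Address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Send E-Mail-Address as emailAddress"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "emailAddress", Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

@RuleName = "E-mail Address to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 6: the wizard's default "Permit all users" issuance authorization rule.
# On ADFS 2016 and later, access control policies replace these rules; there use
# -AccessControlPolicyName 'Permit everyone' on Set-AdfsRelyingPartyTrust instead.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $DisplayName `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules

# Step 12: export the primary token-signing certificate (public part only, no
# private key) as Base-64 PEM, and build the SAML login URL from the farm host name.
$Signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$Der     = $Signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$Body    = ([Convert]::ToBase64String($Der) -replace '(.{64})', "`$1`n").TrimEnd()
$Pem     = "-----BEGIN CERTIFICATE-----`n$Body`n-----END CERTIFICATE-----"
Set-Content -Path $CertOutPath -Value $Pem -Encoding Ascii

$HostName = (Get-AdfsProperties).HostName
Write-Host "SAML login URL: https://$HostName/adfs/ls"
Write-Host "Token-signing certificate written to $CertOutPath"
Write-Host "Certificate valid until $($Signing.Certificate.NotAfter)"
```

Only the public certificate is exported (X509ContentType Cert), which is all the service provider needs to verify assertion signatures. Note that with AutoCertificateRollover enabled (the ADFS default) the token-signing certificate is replaced periodically, and logins will fail once that happens unless the new certificate is sent again, so the printed expiry date is worth tracking.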

