Microsoft AD FS (SSO)

Step 1

Open the AD FS management console and click "Add Relying Party Trust…".

Step 2

Select Claims aware and click "Start".

Step 3

Select the "Enter data about the relying party manually" option and click the Next button.

Step 4

Enter the display name of the relying party, for example "ISL Online Cloud", and click the Next button.

Step 5

Click the Browse… button and upload the SAML 2.0 Service Provider Encryption certificate that we provided to you via email (Step 4 of Basic configuration). Rename the file extension of the certificate to .cer before uploading the file.

Click the Next button to continue.

Step 6

Skip the Configure URL step and click the Next button.

Step 7

Enter the Identifier (Entity ID) URL that we sent to you (Step 4 of Basic configuration) into the Relying party trust identifier field and click the Add button. Click Next to continue.

Step 8

Select the appropriate Access Control Policy. Users must be granted access to the ISL Online Cloud relying party trust before they can access it.

Step 9

Review the information, then click Next to add the Relying Party Trust.

Step 10

With the Relying Party Trust added (and selected, shown in gray), click "Edit Claim Issuance Policy" in the Actions panel to configure which claims (parameters) will be sent to ISL Online Cloud when a user logs in. Click the Add Rule… button to continue.

Step 11

Select "Send LDAP Attributes as Claims" and click Next.

Step 12

When a user authenticates, Microsoft AD FS issues a SAML token to ISL Online Cloud that contains unique information about the user. User-Principal-Name is the LDAP attribute that uniquely identifies the user on ISL Online Cloud (username). The unique user identifier and the e-mail address are mandatory user claims.
You can add an additional claim that sends the full name of the user. Select the User-Principal-Name, Display-Name and E-Mail-Addresses LDAP attributes and map them to the UPN, Name and E-Mail Address outgoing claims.

  • Username (mandatory): UPN
  • E-mail (mandatory): E-Mail Address
  • Full name (optional): Name 

Store the SAML claim names you have set up; you will need to include them in the email sent to the ISL Online support team later.

Click Finish to continue.

You can also configure group membership to be sent as a claim to ISL Online Cloud. Sending groups is optional, so you can skip the following steps.

Click Add Rule… again.

For Claim rule template select "Send Group Membership as a Claim", then click Next.

Select the group for which you wish to send membership information, set Outgoing claim type to Group and set the desired Outgoing claim value. Store the Outgoing claim value for each group you set up; you will need to include them in the email sent to the ISL Online support team later.

Click “Finish” at the end.

Note: Group membership sent as a claim only states whether the user is a member of the group for which you created the rule, e.g. whether the user is a member of the islGroup group. This means you will have to repeat these steps for each group for which you wish to send membership information. The ISL Online Cloud internal limit is 100 groups per user.

Step 13

Click OK when you have configured all the rules.

Step 14

Select the Relying Party Trust you configured and click Properties in the Actions panel.

Step 15

Select the Endpoints tab and click the Add SAML… button.

Select the SAML Assertion Consumer option from the Endpoint type list and the POST option from the Binding list, tick the "Set the trusted URL as default" checkbox and enter the Reply URL (Assertion Consumer Service URL) that we sent to you (Step 4 of Basic configuration) into the Trusted URL field. Click OK to add the endpoint.

Back on the Endpoints tab, click the Add SAML… button again.

Select the SAML Logout option from the Endpoint type list and the POST option from the Binding list, and enter the Logout URL that we sent to you (Step 4 of Basic configuration) into both the Trusted URL and Response URL fields. Click OK to add the endpoint.

Click OK to save the added SAML endpoints.

Step 16

You are now finished with the basic AD FS configuration. Download the federation metadata XML file from your AD FS server. The download endpoint is typically: https://<your_adfs_hostname>/FederationMetadata/2007-06/FederationMetadata.xml
Store the federation metadata URL and the XML file, as you will need to include them in the email sent to the ISL Online support team later.

Proceed with the Step 6 of the Basic SSO configuration.
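The console procedure in Steps 1 to 16, scripted with the AD FS PowerShell module, as an added example that is not ISL Online's own code or part of the original article. It is meant to be run in an elevated PowerShell session on the AD FS server. Every URL, the certificate path and the group SID are placeholders for the values from the email referenced in Step 4 of Basic configuration; "islGroup" is the example group name from the note above, and 'Permit everyone' is a built-in access control policy name used here only as a stand-in for the policy you choose in Step 8. The claim rules are the rule-language form of what the two wizard templates generate, written out so the claim names you must report to ISL Online support are visible in one place.

```powershell
# Added example, not from the ISL Online page: builds the same relying party
# trust that Steps 1-16 create in the AD FS console. Replace all placeholders.
Import-Module ADFS

$displayName = 'ISL Online Cloud'                                 # Step 4
$entityId    = 'https://REPLACE-WITH-ENTITY-ID-FROM-EMAIL'        # placeholder, Step 7
$acsUrl      = 'https://REPLACE-WITH-REPLY-URL-FROM-EMAIL'        # placeholder, Step 15
$logoutUrl   = 'https://REPLACE-WITH-LOGOUT-URL-FROM-EMAIL'       # placeholder, Step 15
$certPath    = 'C:\temp\isl-online-sp-encryption.cer'             # placeholder, Step 5

# Step 5: the SP encryption certificate (renamed to .cer) loaded as an X509 object.
$encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# Step 15: default Assertion Consumer Service endpoint plus SAML Logout endpoint,
# both with the POST binding; the logout endpoint uses the same URL for the response.
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -IsDefault $true),
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl -ResponseUri $logoutUrl)
)

# Step 12: claim rules in AD FS claim rule language.
# Rule 1 is what "Send LDAP Attributes as Claims" produces for
#   userPrincipalName -> UPN, displayName -> Name, mail -> E-Mail Address.
# Rule 2 is what "Send Group Membership as a Claim" produces: it emits the literal
# outgoing value "islGroup" only for members of the group with that SID, so one
# such rule is needed per group (the page states a limit of 100 groups per user).
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ISL Online user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,displayName,mail;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "islGroup membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-REPLACE-WITH-GROUP-SID", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "islGroup", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Steps 1-9 and 13: create the trust in one call. -AccessControlPolicyName is the
# Step 8 choice and exists on Windows Server 2016 and later; swap the built-in
# 'Permit everyone' for a policy that limits the trust to the intended users.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $entityId `
    -EncryptionCertificate $encCert `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone'

# Step 16: download the federation metadata that ISL Online support needs.
$adfsHost    = (Get-AdfsProperties).HostName
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
Invoke-WebRequest -Uri $metadataUrl -OutFile "$env:TEMP\FederationMetadata.xml"

# Verification: confirm the identifier, the access control policy and exactly the
# two endpoints before sending the details to ISL Online support.
$trust = Get-AdfsRelyingPartyTrust -Name $displayName
$trust | Select-Object Name, Identifier, AccessControlPolicyName,
    @{ n = 'Endpoints'; e = { ($_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" }) -join '; ' } }
```

The final `Select-Object` is the scripted equivalent of re-opening the trust's Properties dialog: it lets you check that only the expected Assertion Consumer and Logout URLs are trusted and that the access control policy is not broader than intended, which is the part of the setup that decides who can sign in to ISL Online Cloud through this trust.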

 

Tags: microsoft adfs, saml 2.0, sso