SAML

Configuration

To set up the SAML integration, you need a valid X.509 certificate (an SSL/TLS certificate is suitable) together with its private key; ELMA365 uses this key pair to sign the Service Provider's SAML requests to AD FS. Treat the private key as a secret: anyone who holds it can produce requests that AD FS accepts as coming from your ELMA365 instance.

  1. Go to Administration>Extensions>SAML.
  2. Select the Enable extension checkbox and click Add item. A service provider settings window opens.
  3. In the Name field, specify the service provider name.
  4. In the Metadata IdP URL field, specify the metadata URL of your AD FS server (for example, https://your-domain.com/FederationMetadata/2007-06/FederationMetadata.xml).
  5. Fill in the Public key field with the certificate (public key) taken from the .pem file and formatted as a string.
  6. Fill in the Private key field with the private key taken from the .pem file and formatted as a string. Make sure the private key belongs to the certificate entered in the previous step; otherwise AD FS cannot validate the signature on the requests.
  7. Click Save. If the service provider settings are saved successfully, a link to the service provider metadata file is displayed in the URL field.
  8. Follow the metadata URL link and save the service provider metadata as an .xml file. You will need it in the next step when setting up the AD FS server.

Configuring authentication on the AD FS server

Once you have set up the integration with the SAML provider and obtained the metadata file, configure the AD FS server.

The instructions in this article are for Windows Server 2016. For other OS versions, the steps may be different.

To configure the authentication on the AD FS server, follow the steps below.

Create a Relying Party Trust

According to AD FS requirements, you must create a relying party trust for each service provider that uses the AD FS server for authentication.

To create a new relying party trust:

  1. Sign in to your AD FS server and start Server Manager.
  2. Open the management console: Tools > AD FS Management.
  3. In the Actions panel, click Add Relying Party Trust.
  4. The Add Relying Party Trust Wizard window opens. On the Welcome page, choose Claims aware and click Start.
  5. On the Select Data Source page, click Import data about the relying party from a file. Click Browse next to the Federation metadata file location field, select the metadata file you obtained at the SAML integration setup step earlier, and click Next. The entity identifier, endpoints and request signing certificate of the service provider are taken from this file.
  6. Specify a name for the relying party trust, for example, ELMA365, and then click Next.
  7. On the next page, choose the access control policy. The pre-selected Permit everyone policy grants access to the relying party trust to every user who can authenticate to AD FS. If only a subset of users should sign in to ELMA365, choose a narrower policy (for example, one that permits a specific group) here or change it later in the trust properties.
  8. On the Ready to Add Trust page, review the settings and click Next.
  9. On the Finish page, click Close.

Configure Claims Mapping

After a user authenticates successfully, AD FS sends a SAML response containing the assertion to the service provider. For the service provider to accept the response and identify the user, the required user attributes must be mapped to claims in that assertion. This is done with claim issuance rules on the relying party trust.

To do this:

  1. In the console tree, under AD FS, click Relying Party Trusts. Right-click the trust you created earlier, and then click Edit Claim Issuance Policy.
  2. In the window that opens, click Add Rule.
  3. From the drop-down list of claim rule templates, select Send Claims Using a Custom Rule, and then click Next.
  4. On the Configure Rule page, under Claim rule name, type the display name for this rule, for example, "CustomRule1". Under Custom rule, specify the claim rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/windowsaccountname"), query = ";sAMAccountName;{0}", param = c.Value);

     This rule takes the Windows account name issued by Active Directory, looks up the user's sAMAccountName in the Active Directory attribute store and issues it as a windowsaccountname claim.

  5. Click Finish.
  6. Click Add Rule again to enter another rule.
  7. From the drop-down list of claim rule templates, select Send Claims Using a Custom Rule, and then click Next.
  8. Under Claim rule name, specify the display name for this rule, for example, "CustomRule2". Under Custom rule, specify the claim rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

     This rule copies the user's UPN into the SAML NameID with the transient format. A transient NameID is valid only for the current session and is not a stable user identifier. If no UPN claim is present in the pipeline (for example, because the claims provider trust does not pass it through), this rule issues nothing and the assertion is sent without a NameID.

  9. Click Finish.
  10. Click OK to save the rules.