About this article
This article describes how an organization can set up SSO to Templafy on ADFS using the SAML2 protocol by adding a new relying party trust to the Federation Service. All information needed for the setup is below. Sections in this article:
- Client IT tasks
- Templafy tasks
- Client IT SAML2 setup guide
- ADFS claim setup
- ADFS example settings - Windows Server 2012 R2
Prerequisites
Client IT tasks
- Set up a relying party trust in ADFS using the Templafy metadata
- Download the Templafy metadata
- Provide the client (IdP) metadata to Templafy (usually via a download link to the metadata.xml file)
- Set up extended claim rules (optional): Link to extended claims rules
Templafy tasks
Add the following to the Templafy configuration:
- Client signing certificate
- SSO URL
- EntityID
Client IT SAML2 setup guide
Below is the information needed to set up Templafy as a relying party in your ADFS:
Templafy One
Setting | Value
Metadata URL | https://app.templafy.com/AuthServices
Identifier (Entity ID) | https://app.templafy.com/AuthServices
Reply URL (Assertion Consumer Service) | https://app.templafy.com/AuthServices/Acs
Sign on URL | https://CLIENTSUBDOMAIN.templafy.com
Hash function to use for digital signing at IdP | SHA-256
User Identifier |
Manual Setup
If you prefer to create the relying party trust manually in AD FS Management, perform the following procedure on a federation server: Create a relying party trust
Using Powershell
The Add-AdfsRelyingPartyTrust cmdlet adds a new relying party trust to the Federation Service. You can configure the trust manually, or you can bootstrap the initial configuration from a federation metadata document. Using the Metadata URL from the table above:
Add-AdfsRelyingPartyTrust -Name "Templafy" -MetadataUrl "https://app.templafy.com/AuthServices"
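The following is an added example, not Templafy's own script, that expands the one-liner above into the version a practitioner would actually run on a federation server: it fetches the Templafy metadata over TLS 1.2, checks that the metadata really advertises the Entity ID and Reply URL from the table above before trusting it, creates the trust with monitoring and auto-update enabled so a rotated Templafy signing certificate is picked up, sets the SHA-256 signature algorithm from the table, and reads the result back. Only the URLs from the table are used; everything else is standard ADFS and .NET API.

```powershell
# Added example (not Templafy's own code). Run in an elevated PowerShell
# session on a federation server.
Import-Module ADFS

$metadataUrl      = 'https://app.templafy.com/AuthServices'       # Metadata URL from the table
$expectedEntityId = 'https://app.templafy.com/AuthServices'       # Identifier (Entity ID) from the table
$expectedAcs      = 'https://app.templafy.com/AuthServices/Acs'   # Reply URL from the table

# Templafy requires TLS 1.2; older Windows Server defaults may negotiate lower,
# so pin the protocol for this session before fetching the metadata.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

# SAML 2.0 metadata: EntityDescriptor carries entityID, the SPSSODescriptor
# lists the AssertionConsumerService endpoints ADFS will post assertions to.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$entityId = $metadata.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
$acsLocations = $metadata.SelectNodes('//md:SPSSODescriptor/md:AssertionConsumerService', $ns) |
    ForEach-Object { $_.GetAttribute('Location') }

# Refuse to create a trust whose endpoints differ from the documented ones:
# a wrong URL here would send signed assertions about your users elsewhere.
if ($entityId -ne $expectedEntityId) {
    throw "Unexpected entityID in metadata: $entityId"
}
if ($acsLocations -notcontains $expectedAcs) {
    throw "Documented ACS URL not present in metadata: $($acsLocations -join ', ')"
}

# Create the trust from the verified metadata. Monitoring plus auto-update keeps
# the relying party's certificates current; SHA-256 matches the table above.
Add-AdfsRelyingPartyTrust -Name 'Templafy' `
    -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Confirm what ADFS actually recorded (identifier, hash algorithm, ACS endpoint).
Get-AdfsRelyingPartyTrust -Name 'Templafy' |
    Select-Object Name, Identifier, SignatureAlgorithm, MonitoringEnabled, AutoUpdateEnabled,
        @{ n = 'AcsEndpoints'; e = { ($_.SamlEndpoints | Where-Object Protocol -eq 'SAMLAssertionConsumer').Location } }
```

If the metadata fetch itself fails with a TLS error, fix TLS 1.2 support on the ADFS server first; the Monitoring tab's "Test URL" button in AD FS Management will fail for the same reason.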
ADFS claim setup
ADFS claim setup with all membership groups as claims. The rule below sends every claim Templafy accepts from ADFS and can be pasted as-is into a Custom Claim Rule. Note that the NameID is populated from the mail attribute, and the role claim from tokenGroups, which is every group the user belongs to; if disclosing full group membership to Templafy is not acceptable, use the extended claim rules linked below to issue only the groups you need.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone",
                   "http://schemas.templafy.com/2016/06/identity/claims/department",
                   "http://schemas.templafy.com/2016/06/identity/claims/city",
                   "http://schemas.templafy.com/2016/06/identity/claims/jobtitle",
                   "http://schemas.templafy.com/2016/06/identity/claims/facsimilenumber",
                   "http://schemas.templafy.com/2016/06/identity/claims/phonenumber",
                   "http://schemas.templafy.com/2016/06/identity/claims/displayname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,userPrincipalName,mail,givenName,sn,postalCode,st,co,mobile,department,l,title,facsimileTelephoneNumber,telephoneNumber,displayname,tokenGroups;{0}",
          param = c.Value);
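The following is an added example, not Templafy's own script, showing how to apply the custom rule above from PowerShell and, at the same time, replace the default "permit everyone" issuance authorization rule with one that only lets members of a specific AD group sign in to Templafy (the least-privilege counterpart to issuing all group memberships). The group name Templafy-Users, the rule-file path C:\ADFS\templafy-claims.txt and the availability of the ActiveDirectory module are assumptions; the rule file is expected to contain the custom rule exactly as printed above.

```powershell
# Added example (not Templafy's own code). Assumes the trust 'Templafy' exists,
# the custom claim rule above is saved in $rulesFile, and the ActiveDirectory
# module is installed on the federation server.
Import-Module ADFS
Import-Module ActiveDirectory

$trustName = 'Templafy'
$rulesFile = 'C:\ADFS\templafy-claims.txt'   # assumed path holding the rule above

# Issuance transform rules: the custom rule from this article, read verbatim.
$transformRules = Get-Content -Path $rulesFile -Raw

# Issuance authorization: permit only one group. The SID is resolved from AD
# instead of hardcoded so the rule survives a group rename.
$group = Get-ADGroup -Identity 'Templafy-Users'   # assumed group name
$authorizationRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit members of Templafy-Users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$($group.SID.Value)"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Read back and sanity-check. The claim types that matter most for sign-in must
# be in the stored transform rules, and the default permit-all template
# (AllowAllAuthzRule) must be gone from the authorization rules.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$expectedTypes = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
)
$missing = $expectedTypes | Where-Object { $trust.IssuanceTransformRules -notmatch [regex]::Escape($_) }
if ($missing) {
    Write-Warning "Claim types missing from stored transform rules: $($missing -join ', ')"
}
if ($trust.IssuanceAuthorizationRules -match 'AllowAllAuthzRule') {
    Write-Warning 'Authorization still permits all users; the group restriction was not applied.'
}
else {
    Write-Output "Trust '$trustName' now permits only members of $($group.Name) ($($group.SID.Value))."
}
```

Users outside the group will be denied at ADFS before any assertion is issued, which is preferable to issuing a full token and relying on Templafy to reject it.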
ADFS example settings - Windows Server 2012 R2
Below are example settings from a Windows Server 2012 R2 ADFS with Templafy configured as a relying party trust.
- Federation Service properties
- Trust Relationships - Monitoring
Note: Hive requires TLS 1.2. If your ADFS server does not support TLS 1.2, the Test URL check on the Monitoring tab will fail.
- Trust Relationships - Identifiers
- Trust Relationships - Encryption
- Trust Relationships - Signature
- Trust Relationships - Endpoints
- Trust Relationships - Advanced / Hash algorithm
- Trust Relationships - Claim Rules
- Trust Relationships - Basic Claim Rules (LDAP attribute)
- Trust Relationships - Extended Claim Rules (Custom Rule Language)
- Note: see the linked article for a full example of extended claim rules: Supported claims and claim rules
- Trust Relationships - Issuance Authorization Rules