Articles in this section

How to setup SSO using SAML2 / ADFS

Avatar
Mads Vist
Updated
Follow

About this article

This article describes how an organization can set up SSO on ADFS utilising SAML2 protocol by adding a new relying party trust to the Federation Service. Please find all information below needed to proceed with the setup. Sections in this article:

 

Prerequisites

 
  • Membership in Administrators, or equivalent, is the minimum required to complete this procedure

 

Client IT tasks

 

Templafy tasks

Add following to the Templafy configuration:

  • Client signing certificate
  • SSO URL
  • EntityID

 

Client IT SAML2 setup guide

Below is the necessary information to setup Templafy as a relying party in your ADFS:

 

Templafy One

Metadata URL

 https://app.templafy.com/AuthServices

Identifier (Entity ID)

https://app.templafy.com/AuthServices

Reply URL (Assertion Consumption Service)

 https://app.templafy.com/AuthServices/Acs

Sign on URL 

 https://CLIENTSUBDOMAIN.templafy.com

Hash function to use for digital signing at IdP

 SHA-256

User Identifier

 mail

 

Templafy Hive

Metadata URL

Prod0:
https://templafyprod0.auth.templafy.com/auth/saml2/auth-services

West Europe:
https://templafyprod1.auth.templafy.com/auth/saml2/auth-services

East US:
https://templafyprod2.auth.templafy.com/auth/saml2/auth-services

East Australia:
https://templafyprod3.auth.templafy.com/auth/saml2/auth-services

Identifier (Entity ID) 

https://auth.templafy.com/auth/saml2/auth-services

Reply URL (Assertion Consumption Service)

Prod0:
https://templafyprod0.auth.templafy.com/auth/saml2/auth-services/Acs

West Europe:
https://templafyprod1.auth.templafy.com/auth/saml2/auth-services/Acs

East US:
https://templafyprod2.auth.templafy.com/auth/saml2/auth-services/Acs

East Australia:
https://templafyprod3.auth.templafy.com/auth/saml2/auth-services/Acs

Sign on URL

 https://CLIENTSUBDOMAIN.hive.templafy.com or https://CLIENTSUBDOMAIN.templafy.com

Hash function to use for digital signing at IdP

 SHA-256

User Identifier

 mail

 

Manual Setup

If you wish to create the Relying party by using the AD FS Management to manually configure the settings, perform the following procedure on a federation server: Create a relying party trust 

 

Using Powershell

The Add-AdfsRelyingPartyTrust cmdlet adds a new relying party trust to the Federation Service. You can specify a relying party trust manually, or you can provide a federation metadata document to bootstrap initial configuration. 

 Add-ADFSRelyingPartyTrust -Name "Templafy" -MetadataURL "Paste Metadata URL from the above table"

 

ADFS claim setup

ADFS Claim Setup with all Membership Groups as claims. This will send all ADFS-supported claims to Templafy and can safely be copy/paste to a Custom Claim Rule.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone", "http://schemas.templafy.com/2016/06/identity/claims/department", "http://schemas.templafy.com/2016/06/identity/claims/city", "http://schemas.templafy.com/2016/06/identity/claims/jobtitle", "http://schemas.templafy.com/2016/06/identity/claims/facsimilenumber", "http://schemas.templafy.com/2016/06/identity/claims/phonenumber", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,userPrincipalName,mail,givenName,sn,postalCode,st,co,mobile,department,l,title,facsimileTelephoneNumber,telephoneNumber,tokenGroups;{0}", param = c.Value);

 

 
  • OBS! You will not need any other claim rule when using the above.
  • Review the snippet to ensure the claims match the respective attributes in your ADFS

 

 

ADFS example settings - Windows Server 2012 R2

Here are examples of a Windows Server 2012 with Templafy configured as a Relying Party Trust.

  • Federation Service properties
    1._ADFS_-_Service_Properties.png

 

  • Trust Relationships - Monitoring
    2._ADFS_-_Trust_Releationships_-_Monitoring.png

 

  • Trust Relationships - Identifiers
    3._ADFS_-_Trust_Releationships_-_Identifiers.png

 

  • Trust Relationships - Encryption
    4._ADFS_-_Trust_Releationships_-_Encryption.png

 

  • Trust Relationships - Signature
    5._ADFS_-_Trust_Releationships_-_Signature.png

 

  • Trust Relationships - Endpoints
    6._ADFS_-_Trust_Releationships_-_Endpoints.png

 

  • Trust Relationships - Advanced / Hash algorithm
    7._ADFS_-_Trust_Releationships_-_Advanced.png

 

  • Trust Relationships - Claim Rules
    8._ADFS_-_Trust_Releationships_-_Claim_Rules.png

 

  • Trust Relationships - Basic Claim Rules (LDAP attribute)
    9._ADFS_-_Trust_Releationships_-_Claim_Rules_-_Basic_as_LDAP.png

 

  • Trust Relationships - Extended Claim Rules (Custom Rule Language)

  • OBS! See linked article for full example of Extended Claim Rules: Supported claims and claim rules
    10._ADFS_-_Trust_Releationships_-_Claim_Rules_-_Extended_Custom_Rule.png

 

  • Trust Relationships - Issuance Authorization Rules
    11._ADFS_-_Trust_Releationships_-_Claim_Rules_-_Permit_Access_to_All_Users.png

 

Related articles

 

 

 

Related articles

Comments

0 comments

Article is closed for comments.