How to setup SSO using SAML2 / ADFS

About this article

Please find all information below needed to setup SSO via SAML2. Sections in this article:

Client IT tasks
Templafy tasks
Client IT SAML2 setup guide
ADFS claim setup
ADFS example settings - Windows Server 2012 R2

Prerequisites

Global administrator rights

Client IT tasks

Set up a relying party in ADFS using Templafy metadata
Download Templafy metadata
Provide client metadata to Templafy (usually done via a download link to metadata.xml file)
Setup extended claims rules (optional)
Link to extended claims rules

Templafy tasks

Add following to the Templafy configuration:

Client signing certificate
SSO URL
EntityID

Client IT SAML2 setup guide

Below is the necessary information to setup Templafy as a relying party in your ADFS:

Metadata	https://app.templafy.com/AuthServices
Service Provider entity ID (Audiences)	https://app.templafy.com/AuthServices
Assertion Consumption Service (ACS)	https://app.templafy.com/AuthServices/Acs
URL to trigger SAML federation	https://CLIENTSUBDOMAIN.templafy.com
Hash function to use for digital signing at IdP	SHA-256
User Identifier	E-mail address

ADFS claim setup

ADFS Claim Setup with all Membership Groups as claims. This will send all ADFS-supported claims to Templafy and can safely be copy/paste to a Custom Claim Rule.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone", "http://schemas.templafy.com/2016/06/identity/claims/department", "http://schemas.templafy.com/2016/06/identity/claims/city", "http://schemas.templafy.com/2016/06/identity/claims/jobtitle", "http://schemas.templafy.com/2016/06/identity/claims/facsimilenumber", "http://schemas.templafy.com/2016/06/identity/claims/phonenumber", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,userPrincipalName,mail,givenName,sn,postalCode,st,co,mobile,department,l,title,facsimileTelephoneNumber,telephoneNumber,tokenGroups;{0}", param = c.Value);

OBS! You will not need any other claim rule when using the above.

ADFS example settings - Windows Server 2012 R2

Here are examples of a Windows Server 2012 with Templafy configured as a Relying Part Trust.

Federation Service properties

Trust Relationships - Monitoring

Trust Relationships - Identifiers

Trust Relationships - Encryption

Trust Relationships - Signature

Trust Relationships - Endpoints

Trust Relationships - Advanced / Hash algorithm

Trust Relationships - Claim Rules

Trust Relationships - Basic Claim Rules (LDAP attribute)

Trust Relationships - Extended Claim Rules (Custom Rule Language)
OBS! See linked article for full example of Extended Claim Rules: Supported claims and claim rules

Trust Relationships - Issuance Authorization Rules

Articles in this section