Articles in this section

See more

How to setup SSO using SAML2 / ADFS

Avatar
Mads Madsen
Updated
Follow

Please find all information below needed to setup SSO via SAML2

Client IT tasks

  • Setup a relying party in ADFS using Templafy metadata
  • Provide client metadata to Templafy (usually done via a download link to metadata.xml file)
  • Setup extended claims rules (optional)

 

Templafy tasks

Add following to the Templafy configuration

  • client signing certificate
  • SSO URL
  • EntityID

 

Client IT SAML2 setup guide

Below is the necessary information to setup Templafy as a relying party in your ADFS.

 

Metadata

 

https://app.templafy.com/AuthServices

Service Provider entity ID (Audiences)

 

https://app.templafy.com/AuthServices

Assertion Consumption Service (ACS)

 

https://app.templafy.com/AuthServices/Acs

URL to trigger SAML federation

 

https://CLIENTSUBDOMAIN.templafy.com

Hash function to use for digital signing at IdP

 

SHA-256

User Identifier

 

E-mail address

 

ADFS Claim Setup with all Membership Groups as claims

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone", "http://schemas.templafy.com/2016/06/identity/claims/department", "http://schemas.templafy.com/2016/06/identity/claims/city", "http://schemas.templafy.com/2016/06/identity/claims/jobtitle", "http://schemas.templafy.com/2016/06/identity/claims/facsimilenumber", "http://schemas.templafy.com/2016/06/identity/claims/phonenumber", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,userPrincipalName,mail,givenName,sn,postalCode,st,co,mobile,department,l,title,facsimileTelephoneNumber,telephoneNumber,tokenGroups;{0}", param = c.Value);

This will send all ADFS-Supported claims to Templafy and can safely be copy/paste to a Custom Claim Rule.

OBS! You will not need any other claim rule when using the above.

 

 

ADFS Example settings - Windows Server 2012 R2

Here are examples of a Windows Server 2012 with Templafy configured as a Relying Part Trust.

Federation Service properties
1._ADFS_-_Service_Properties.png

 

Trust Relationships - Monitoring
2._ADFS_-_Trust_Releationships_-_Monitoring.png

 

Trust Relationships - Identifiers
3._ADFS_-_Trust_Releationships_-_Identifiers.png

 

Trust Relationships - Encryption
4._ADFS_-_Trust_Releationships_-_Encryption.png

 

Trust Relationships - Signature
5._ADFS_-_Trust_Releationships_-_Signature.png

 

Trust Relationships - Endpoints
6._ADFS_-_Trust_Releationships_-_Endpoints.png

 

Trust Relationships - Advanced / Hash algorithm
7._ADFS_-_Trust_Releationships_-_Advanced.png

 

Trust Relationships - Claim Rules
8._ADFS_-_Trust_Releationships_-_Claim_Rules.png

 

Trust Relationships - Basic Claim Rules (LDAP attribute)
9._ADFS_-_Trust_Releationships_-_Claim_Rules_-_Basic_as_LDAP.png

 

Trust Relationships - Extended Claim Rules (Custom Rule Language)
OBS! See below article for full example of Extended Claim Rules
https://support.templafy.com/hc/en-us/articles/207724789-Supported-claims-and-claims-rules
10._ADFS_-_Trust_Releationships_-_Claim_Rules_-_Extended_Custom_Rule.png

 

Trust Relationships - Issuance Authorization Rules
11._ADFS_-_Trust_Releationships_-_Claim_Rules_-_Permit_Access_to_All_Users.png

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.