How to setup SSO with ADFS

About this article

This article describes how to set up SSO for Templafy on ADFS using the SAML 2.0 protocol, by adding Templafy as a new relying party trust in the Federation Service.

Prerequisites

  • Membership in Administrators, or equivalent, is the minimum required to complete this procedure

Manual Setup

If you prefer to create the relying party trust manually with the ADFS Management console, perform the following procedure on a federation server, using the Templafy metadata from the table below.

Using PowerShell

The Add-AdfsRelyingPartyTrust cmdlet adds a new relying party trust to the Federation Service. You can specify the trust settings manually, or provide a federation metadata document to bootstrap the initial configuration. The Templafy metadata URLs are listed in the table below.

 Add-AdfsRelyingPartyTrust -Name "Templafy" -MetadataUrl "Paste Metadata URL from the below table"

Templafy Metadata

Metadata URL
  West Europe (Production 0): https://templafyprod0.auth.templafy.com/auth/saml2/auth-services
  West Europe (Production 1): https://templafyprod1.auth.templafy.com/auth/saml2/auth-services
  East US:                    https://templafyprod2.auth.templafy.com/auth/saml2/auth-services
  East Australia:             https://templafyprod3.auth.templafy.com/auth/saml2/auth-services
  Canada:                     https://templafyprod4.auth.templafy.com/auth/saml2/auth-services
  West Europe (Production 5): https://templafyprod5.auth.templafy.com/auth/saml2/auth-services

Identifier (Entity ID)
  https://auth.templafy.com/auth/saml2/auth-services

Reply URL (Assertion Consumer Service)
  West Europe (Production 0): https://templafyprod0.auth.templafy.com/auth/saml2/auth-services/Acs
  West Europe (Production 1): https://templafyprod1.auth.templafy.com/auth/saml2/auth-services/Acs
  East US:                    https://templafyprod2.auth.templafy.com/auth/saml2/auth-services/Acs
  East Australia:             https://templafyprod3.auth.templafy.com/auth/saml2/auth-services/Acs
  Canada:                     https://templafyprod4.auth.templafy.com/auth/saml2/auth-services/Acs
  West Europe (Production 5): https://templafyprod5.auth.templafy.com/auth/saml2/auth-services/Acs

Sign on URL
  https://CLIENTSUBDOMAIN.hive.templafy.com or https://CLIENTSUBDOMAIN.templafy.com

Hash function to use for digital signing at IdP
  SHA-256

User Identifier
  mail

  • Once the relying party has been set up, provide the metadata.xml file to your Templafy Implementation Partner.

ADFS Claim Setup

The following custom claim rule sends all ADFS-supported claims to Templafy, including all group memberships (read from tokenGroups and issued as role claims):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(
      store = "Active Directory",
      types = (
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone",
        "http://schemas.templafy.com/2016/06/identity/claims/department",
        "http://schemas.templafy.com/2016/06/identity/claims/city",
        "http://schemas.templafy.com/2016/06/identity/claims/jobtitle",
        "http://schemas.templafy.com/2016/06/identity/claims/facsimilenumber",
        "http://schemas.templafy.com/2016/06/identity/claims/phonenumber",
        "http://schemas.templafy.com/2016/06/identity/claims/displayname",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
      ),
      query = ";mail,userPrincipalName,mail,givenName,sn,postalCode,st,co,mobile,department,l,title,facsimileTelephoneNumber,telephoneNumber,displayname,tokenGroups;{0}",
      param = c.Value
    );

  • Review the snippet to ensure the claim types map to the correct attributes in your Active Directory: each entry in types is paired positionally with the attribute at the same position in query.

Additional custom claims may also be configured within the SAML2 protocol.
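As an added example covering both the PowerShell setup and the claim rule above (not code from the Templafy article or from Templafy), the following script creates the trust from a metadata URL, attaches the authorization and transform rules, pins the SHA-256 signing hash from the table and checks the imported identifier and ACS endpoints against it. It assumes an elevated session on a federation server, the West Europe (Production 0) metadata URL, and that the claim rule shown above has been saved to C:\templafy\claims.txt.

```powershell
# Added example (not from the Templafy article): create the Templafy relying party trust
# from federation metadata and pin the settings the article's table requires.
# Assumptions: elevated session on a federation server; the West Europe (Production 0)
# metadata URL from the table; the article's claim rule saved to C:\templafy\claims.txt.
Import-Module ADFS

$rpName      = "Templafy"
$metadataUrl = "https://templafyprod0.auth.templafy.com/auth/saml2/auth-services"
$entityId    = "https://auth.templafy.com/auth/saml2/auth-services"
$sha256      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
$rulesFile   = "C:\templafy\claims.txt"

# Issuance authorization: permit every authenticated user. Replace with a group-scoped
# rule if only part of the directory should be able to sign in to Templafy.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    # Metadata bootstraps the identifier and SAML endpoints; monitoring + auto-update
    # keep them current if the published metadata changes later.
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true `
        -IssuanceTransformRulesFile $rulesFile `
        -IssuanceAuthorizationRules $authzRules
}

# The table requires SHA-256 for the IdP signature; set it explicitly rather than
# relying on whatever the import or the console default produced.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SignatureAlgorithm $sha256

# Check the imported trust against the table (entity ID, ACS endpoints, hash algorithm)
# before handing your federation metadata to the implementation partner.
$rp  = Get-AdfsRelyingPartyTrust -Name $rpName
$acs = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq "SAMLAssertionConsumer" }
[pscustomobject]@{
    EntityIdMatches = ($rp.Identifier -contains $entityId)
    AcsEndpoints    = (($acs | ForEach-Object { $_.Location.AbsoluteUri }) -join ", ")
    SignatureAlg    = $rp.SignatureAlgorithm
}
```

If EntityIdMatches is false or the ACS list does not contain the /Acs URL for your region, the wrong metadata URL was imported and the trust should be corrected before any user is pointed at it.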


ADFS Example Settings - Windows Server 2012 R2

Below are example screens from a Windows Server 2012 R2 ADFS installation with Templafy configured as a Relying Party Trust.

  • Federation Service properties
    1._ADFS_-_Service_Properties.png

  • Trust Relationships - Monitoring
    2._ADFS_-_Trust_Releationships_-_Monitoring.png
    If your ADFS server does not support TLS 1.2, you won't be able to test the metadata URL from this tab.

  • Trust Relationships - Identifiers
    3._ADFS_-_Trust_Releationships_-_Identifiers.png

  • Trust Relationships - Encryption
    4._ADFS_-_Trust_Releationships_-_Encryption.png

  • Trust Relationships - Signature
    5._ADFS_-_Trust_Releationships_-_Signature.png

  • Trust Relationships - Endpoints
    6._ADFS_-_Trust_Releationships_-_Endpoints.png

  • Trust Relationships - Advanced / Hash algorithm
    7._ADFS_-_Trust_Releationships_-_Advanced.png

  • Trust Relationships - Claim Rules
    8._ADFS_-_Trust_Releationships_-_Claim_Rules.png

  • Trust Relationships - Basic Claim Rules (LDAP attribute)
    9._ADFS_-_Trust_Releationships_-_Claim_Rules_-_Basic_as_LDAP.png

  • Trust Relationships - Custom Claim Rules (Custom Rule Language)
    10._ADFS_-_Trust_Releationships_-_Claim_Rules_-_Extended_Custom_Rule.png

  • Trust Relationships - Issuance Authorization Rules
    11._ADFS_-_Trust_Releationships_-_Claim_Rules_-_Permit_Access_to_All_Users.png

Error: "401: Server Error" or Login Screen Popup

If you see either a "401: Server Error" page or a Windows login prompt when signing in, the ADFS connection between your organization and Templafy is configured incorrectly on the client side: the browser is not treating the federation service as a Local Intranet site, so it does not perform integrated Windows authentication against it.

Solution

Add "https://sts.yourdomain.com" (your federation service name) as a Local Intranet site in Internet Options on the machines that are experiencing the issue.

To add via GPO:

  1. Open Group Policy Editor
  2. Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page
  3. Open Site to Zone Assignment List
  4. Change the setting to Enabled
  5. Click Show
  6. Add "https://sts.yourdomain.com" or "https://*.yourdomain.com" and set Value to 1 (1 = Local Intranet zone; the explicit STS host name is the narrower of the two and is preferable unless other hosts under the domain also need integrated authentication)
  7. Click OK
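The same GPO change as an added PowerShell example (not from the article), using the GroupPolicy module's Set-GPRegistryValue instead of the editor. It assumes a GPO named "Templafy SSO - Intranet Zone" already exists and is linked to the workstation OU, and that sts.yourdomain.com is replaced with your federation service name.

```powershell
# Added example (not from the Templafy article): the GPO steps above done with the
# GroupPolicy module instead of the editor. Assumptions: the GPO "Templafy SSO - Intranet
# Zone" already exists and is linked to the workstation OU; sts.yourdomain.com is a
# placeholder for your ADFS federation service name.
Import-Module GroupPolicy

$gpoName = "Templafy SSO - Intranet Zone"
$stsHost = "https://sts.yourdomain.com"   # explicit STS host, narrower than a wildcard

# "Site to Zone Assignment List" is stored as one value per site under this policy key;
# value data "1" maps the site to the Local Intranet zone, which is what lets the
# browser send Windows credentials to ADFS silently instead of prompting or failing.
$zoneMapKey = "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"

Set-GPRegistryValue -Name $gpoName -Key $zoneMapKey `
    -ValueName $stsHost -Type String -Value "1" | Out-Null

# Read the list back so the mapping can be confirmed before running gpupdate on a test client.
Get-GPRegistryValue -Name $gpoName -Key $zoneMapKey |
    Select-Object ValueName, Value |
    Format-Table -AutoSize
```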
