Configure SAML single sign-on with ADFS

SAML single sign-on with ADFS lets employees access and contribute to your platform site without registering or logging in to the platform manually.

Before you start

Before you configure SAML single sign-on with ADFS, there are a few things to know:

1. Create a Relying Party Trust

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. Under Actions, click Add Relying Party Trust.

  3. On the Select Data Source page, select Import data about the relying party from a file.

  4. Click Browse to locate the metadata.xml file you downloaded, then click Next.

  5. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.

  6. Click Finish to create the Relying Party Trust.

Note: If you want to limit access to specific groups of users, select Deny all users access to this relying party instead, and then whitelist the users or groups of users that should have access.

Tip: For more information about creating a Relying Party Trust, see Microsoft's documentation on creating a Relying Party Trust.

2. Add a Rule to Send LDAP Attributes as Claims

  1. In Server Manager, click Tools, and then select AD FS Management.

  2. In the console tree, under AD FS, click Claims Provider Trusts.

  3. Right-click the newly created trust, and then click Edit Claim Rules.

  4. In the Edit Claim Rules dialog box, under Acceptance Transform Rules, click Add Rule to start the rule wizard.

  5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.

  6. Configure the new claim rule to map the attributes from “E-Mail-Addresses” to “E-Mail Address”.

  7. Click Finish.

  8. In the Edit Claim Rules dialog box, click OK to save the rule.

Note: You can also add attributes for Given Name or Surname by adding them below “E-Mail-Addresses” and mapping them to the Given Name or Surname claim type, respectively.

Tip: For more information about creating a Claim Rule, see Microsoft's documentation on creating a Rule to Send LDAP Attributes as Claims.

3. Add a second Rule: Transforming incoming claims

  1. Right-click the newly created trust again, and then click Edit Claim Rules.

  2. In the Edit Claim Rules dialog box, under Acceptance Transform Rules, click Add Rule to start the rule wizard.

  3. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next.

  4. On the Configure Rule page, under Claim rule name, type “Convert Email Address to SAML format”.

  5. In Incoming claim type, select E-mail Address.

  6. In Outgoing claim type, select Name ID.

  7. Set the Outgoing name ID format to Email.

  8. Select Pass through all claim values.

  9. Click Finish.

  10. In the Edit Claim Rules dialog box, click OK to save the rule.

Tip: For more information about transforming an incoming claim, see Microsoft's documentation on creating a Rule to Transform an Incoming Claim.
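
To confirm that the two claim rules above produce what the platform expects, you can inspect an assertion captured from a test login. The following is an added example, not part of the original guide or of ADFS: the sample assertion, issuer and user are constructed, and the script only checks claim contents (it does not validate the XML signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample assertion (unsigned, hypothetical issuer and user).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of problems with the claims in one SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    # Collect every attribute claim as name -> list of values.
    attrs = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall(".//saml:Attribute", NS)
    }
    emails = attrs.get(CLAIMS + "emailaddress", [])
    if not emails:
        problems.append("no E-Mail Address claim (LDAP rule missing or mail attribute empty)")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID (transform rule missing)")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID format is {name_id.get('Format')!r}, expected Email")
        # The transform rule passes the value through, so the two must agree.
        if emails and (name_id.text or "").strip() not in emails:
            problems.append("NameID does not match the E-Mail Address claim")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion claims look correct")
```

An empty list means the assertion carries an E-Mail Address claim and a Name ID in Email format with the same value.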

See also