SSO Microsoft ADFS - Active Directory Federation Services (SAML 2)

Background information

The following document shows the steps for setting up Single Sign-On between your ADFS service and LUCCA solutions (SAML 2.0 protocol).

> The following example uses ADFS 3.0.

Prerequisites

  • Subscription to the LUCCA SSO option
  • ADFS role installed

> The ADFS server must be attached to the Active Directory domain.

> An SSL certificate will be used for communication between the ADFS server, LUCCA and the proxy servers. It will allow federation servers to sign tokens issued to users (users will have to trust this certificate).

Step 1: Create a relying party trust, i.e. LUCCA

From the ADFS Management Console, in the Actions column on the right, click Add Relying Party Trust.

Follow the steps in the Add Relying Party Trust Wizard:

- Select Data Source: select the first option, Import data about the relying party published online or on a local network, and enter the metadata URL that the LUCCA teams gave you.

- Specify Display Name: you can customise the pre-filled value; this is the name given to your ADFS configuration for LUCCA.

- Choose Issuance Authorization Rules: select Permit all users to access this relying party.

Next, a summary of information retrieved from LUCCA appears (identifier, endpoint, signing certificate, encryption certificate, etc.).

Step 2: Send an AD attribute, unique identifier

By default, the Edit Claim Rules interface is brought up by the wizard at the end of step 1. If not, click on Edit Claim Rules from the configuration you just created for LUCCA.

From the Issuance Transform Rules tab, click on Add Rule...

Select Send LDAP Attributes as Claims.

After entering a rule name, select the corresponding attribute store (in this case, Active Directory).

Next, select a single LDAP Attribute to send in the token issued by your ADFS service. This must be a unique identifier (email address or login name) that allows LUCCA to match it against the professional email address/personal email address fields or the login field in user files.

Last, for the Outgoing Claim Type, select Name ID.

Step 3: Set up LUCCA

Using our online form, please send the following information:

  • metadata for your ADFS service
  • the LUCCA field corresponding to the AD attribute sent in the token (step 2): email address or login name

The public URL for accessing your ADFS metadata is preferred. It is generally in the following format:

https://adfs.company.com/FederationMetadata/2007-06/FederationMetadata.xml

This way, if the certificate linked to the ADFS is renewed, our authentication service can stay up to date. However, if you decide not to make your ADFS (and consequently the metadata) public, you can send us the corresponding XML metadata file.

Note: if the ADFS certificate renews, you will need to send us the new certificate first using our online form in order to avoid any service interruption.
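The same configuration, scripted with the ADFS PowerShell module so it can be repeated or reviewed: this is an added example, not part of the LUCCA article, and the metadata URL and display name are placeholders you must replace with the values LUCCA gave you. It creates the relying party trust from LUCCA's metadata (step 1), attaches the permit-all authorization rule and the LDAP-attribute-to-Name ID claim rule (step 2), then checks the inputs needed for step 3 (your metadata URL and the token-signing certificate expiry).

```powershell
# Added example (not from the LUCCA article): steps 1 and 2 via the ADFS module.
# Placeholders: $luccaMetadataUrl and $displayName must be replaced with your values.
Import-Module ADFS

$luccaMetadataUrl = 'https://<metadata-url-supplied-by-lucca>'   # placeholder
$displayName      = 'LUCCA'                                       # placeholder

# Step 1, Issuance Authorization Rules: permit all users to access this relying party.
$authzRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 2, Send LDAP Attributes as Claims: one attribute ('mail' here) sent as Name ID.
# Use sAMAccountName instead of mail if LUCCA matches on the login field.
$transformRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Import the relying party from the metadata LUCCA publishes and attach both rule sets.
# Monitoring/auto-update keeps LUCCA's certificates current on your side as well.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataUrl $luccaMetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceAuthorizationRules $authzRule `
    -IssuanceTransformRules $transformRule

# Review what was imported (identifier, endpoints, certificates), as the wizard summary does.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, EncryptionCertificate, RequestSigningCertificate

# Step 3 inputs: confirm your federation metadata is reachable at the documented URL,
# and note the token-signing certificate expiry so the new one is sent to LUCCA before renewal.
$adfsHost = (Get-AdfsProperties).HostName
Invoke-WebRequest -Uri "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing |
    Select-Object StatusCode
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

Run it in an elevated PowerShell session on the ADFS server; if the metadata URL check fails, send LUCCA the XML file instead, as the article describes.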
