Single Sign-On: Setting up SSO using ADFS and SAML

Abstract

Step-by-step instructions for implementing SSO via ADFS (Active Directory Federation Services) and SAML, including creating and configuring an RPT (Relying Party Trust) in ADFS, creating claims rules, getting the signing certificate, and sending the configuration information to Alooma.

Implementing SSO via ADFS and SAML is a four-step process:

  1. Create and configure an RPT in ADFS.

  2. Create claims rules in ADFS.

  3. Get the signing certificate.

  4. Send configuration information to Alooma (support@alooma.com).

Note

Before you get started, make sure you have ADFS installed on Windows Server 2008 or 2012 (this guide references Server 2012 R2, but the steps are similar for other versions). See this Microsoft KB article for help with deploying and configuring ADFS.

Step 1: Create and configure a Relying Party Trust in ADFS

The connection between ADFS and Alooma is defined using an RPT. Follow these steps to configure a new RPT.

  1. Start the configuration wizard by selecting the Relying Party Trusts folder in AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar.

  2. The Add Relying Party Trust Wizard opens in a new window. In the Welcome page, click Start.

  3. In the Select Data Source page, select Enter Data About the Party Manually and click Next.

  4. On the next page, enter a Display name that will help you identify this trust, for example “Alooma”. Feel free to add any optional notes. Click Next.

  5. In the Choose Profile page, select AD FS profile and click Next.

  6. On the Configure Certificate page, optionally choose your signing certificate if you have one, then click Next.

  7. On the Configure URL page:

    1. Check the Enable Support for the SAML 2.0 WebSSO protocol box.

    2. Enter the service URL. The format is: https://app.alooma.com/rest/login/saml/<your-provider-id>. Alooma uses the value you substitute for <your-provider-id> to uniquely identify the customer, so enter something that will make sense to Alooma support. Take a note of the value you enter here, as you will need it later. Use letters, digits, and underscores only.

    3. Click Next.

  8. On the Configure Identifiers page, add https://app.alooma.com to the list of Relying party trust identifiers (also known as the Identity Provider Issuer URL) and then click Next.

  9. At this time you may configure MFA if needed.

  10. On the Choose Issuance Authorization Rules page, select the Permit all users to access this relying party option. Click Next.

  11. On the Ready to Add Trust page, review the settings and click Next.

  12. On the Finish page, make sure the Open the Edit Claim Rules dialog checkbox is selected, and click Close to close the wizard and open the Claim Rules editor.

Step 2: Create claims rules in ADFS

Now that the RPT has been created, you need to create the claim rules and update the RPT with some minor changes. You will create two rules:

  • One rule that sends the E-Mail Addresses LDAP attribute as two claims, E-Mail Address and email.

  • One rule that transforms the E-Mail Address claim into the mandatory Name ID (which Alooma uses as the user identifier).

  1. Click Add Rule… to create the first rule.

  2. From the Claim rule template drop down, select Send LDAP Attributes as Claims and click Next.

  3. On the Configure Claim Rule page:

    1. Enter email as the rule name.

    2. From the Attribute store drop down select Active Directory.

    3. Define the first mapping:

      1. In the LDAP Attribute column, select E-Mail Addresses.

      2. In the Outgoing Claim Type, select E-Mail Address.

    4. Define the second mapping:

      • In the LDAP Attribute column, select E-Mail Addresses.

      • In the Outgoing Claim Type, select email.

    5. Click Finish to exit the claim rule wizard.

  4. Repeat Step 1 to add the second rule.

  5. From the Claim rule template drop down, select Transform an Incoming Claim and click Next.

  6. On the Configure Claim Rule page:

    • Enter email transform as the rule name.

    • From the Incoming claim type drop down select E-Mail Address.

    • From the Outgoing claim type drop down select Name ID.

    • From the Outgoing name ID format drop down select Email.

    • Click Finish to exit the claim rule wizard.

  7. The Edit Claim Rules for Alooma dialog should now list both rules, email and email transform.

  8. Click OK to close the claim rules editor.
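
As an added example (not part of the Alooma documentation), the following PowerShell script creates the same Relying Party Trust and claim rules as Steps 1 and 2 using the ADFS cmdlets, so the configuration can be reviewed as text and reproduced. It assumes it is run on the ADFS server with the ADFS module loaded; the provider ID acme_corp is a placeholder for the value you chose in Step 1.7.

```powershell
# Added example, not Alooma's or Microsoft's code. Scripted equivalent of Steps 1 and 2.
$ProviderId = "acme_corp"   # placeholder: letters, digits and underscores only
$ServiceUrl = "https://app.alooma.com/rest/login/saml/$ProviderId"

# Claim type URIs used by the two rules from Step 2.
$EmailUri  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$NameIdUri = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Rule 1 ("email"): send the AD mail attribute as both E-Mail Address and a custom "email" claim.
# Rule 2 ("email transform"): copy E-Mail Address into Name ID with the email name ID format.
$IssuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$EmailUri", "email"), query = ";mail,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "email transform"
c:[Type == "$EmailUri"]
 => issue(Type = "$NameIdUri", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Step 1.10: "Permit all users to access this relying party".
$AuthzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Step 1.7: SAML 2.0 WebSSO assertion consumer endpoint at the Alooma service URL.
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ServiceUrl

# Steps 1.4 and 1.8: display name and relying party identifier.
Add-AdfsRelyingPartyTrust -Name "Alooma" `
    -Identifier "https://app.alooma.com" `
    -SamlEndpoint $Endpoint `
    -IssuanceTransformRules $IssuanceRules `
    -IssuanceAuthorizationRules $AuthzRules

# Check the result: identifier, endpoint and both rule names should be present.
Get-AdfsRelyingPartyTrust -Name "Alooma" |
    Select-Object Identifier, SamlEndpoints, IssuanceTransformRules
```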

Step 3: Get the signing certificate

If you don’t already have the signing certificate used by ADFS, you can export it by running the following commands in PowerShell:

# List the ADFS token-signing certificate(s). If two are listed (for example during
# automatic certificate rollover), use the one whose IsPrimary property is True.
$certRefs=Get-AdfsCertificate -CertificateType Token-Signing
# Export only the public certificate (no private key) in binary DER form.
$certBytes=$certRefs[0].Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("c:\temp\foo.cer", $certBytes)

See this article for details.

The foo.cer certificate created in this way is in binary (DER) format, but Alooma needs it in base64 (PEM) format. You can use the following openssl command to convert it:

openssl x509 -inform DER -in foo.cer -out foo.crt

Step 4: Send configuration information to Alooma

Send Alooma (support@alooma.com) the following two pieces of information:

  • The callback URL, which is the Relying Party service URL entered in Step 1.7.

  • The signing certificate in base64, obtained in Step 3.
