Overview
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data, which enables Single Sign-On (SSO) across multiple applications through a single login. Gearbox provides SAML-based SSO integration with multiple identity providers. This article walks through the configuration steps using Active Directory Federation Services (ADFS).
Upon activation, users can access their accounts through SSO seamlessly.
To use ADFS, you must have the following to complete this setup:
- Gearbox administrative privileges.
- An Active Directory instance where all users have an email address attribute.
- An SSL certificate to sign your ADFS login page.
High-Level Workflow
Setup
1. Log in to Gearbox, click on the User Icon (1), and navigate to Settings (2).
2. In the sidebar, scroll down to Integrations (3).
3. Locate the "SAML Single Sign-On" panel and click on it to reveal the settings (1).
4. Enable (1) SAML single sign-on, then enter the Single Sign-On URL (2) and the optional metadata URL (3) of your identity provider for Gearbox to contact (these URLs must use HTTPS). Lastly, paste in the full signing certificate (4) from your identity provider and click Save (5).
5. Once successfully saved, the following information will be provided to assist with setting up the identity provider.
6. Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust. In the Select Data Source screen, select the first option, Import data about the relying party published online or on a local network. On the next screen, enter a Display name that you’ll recognise in the future, and any notes you want to make.
7. On the next screen, you may configure multi-factor authentication but this is beyond the scope of this guide.
8. On the next screen, select the Permit all users to access this relying party radio button.
9. On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.
10. Once the relying party trust has been created, you can create the claim rules that are required to map user data from Active Directory into the SAML 2.0 message.
11. To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
12. On the next screen, using Active Directory as your attribute store, do the following:
- From the LDAP Attribute column, select E-Mail Addresses.
- From the Outgoing Claim Type, select E-Mail Address.
- From the LDAP Attribute column, select Given-Name.
- From the Outgoing Claim Type, enter First Name.
- From the LDAP Attribute column, select Surname.
- From the Outgoing Claim Type, enter Last Name.
- Click on OK to save the new rule.
13. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
14. On the next screen:
- Select E-mail Address as the Incoming Claim Type.
- For Outgoing Claim Type, select Name ID.
- For Outgoing Name ID Format, select Email.
- Leave the rule to the default of Pass through all claim values.
- Click OK to create the claim rule, and then OK again to finish creating rules.
15. Navigate to ADFS Certificates (1), then click on the token-signing certificate (2) to view the certificate (3).
16. Copy the certificate to a file.
17. Choose Base-64 encoded X.509 (.CER).
18. Copy the contents of the saved file and paste it into Gearbox's SAML full signing certificate field.
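The steps above can also be performed from PowerShell on the federation server, which is useful for repeatable deployments and for checking that the certificate pasted into Gearbox really is the current primary token-signing certificate. The script below is an added example, not code from this article, Gearbox, or Microsoft; it assumes you run it as an AD FS administrator with the ADFS module available, and `$GearboxMetadataUrl` is a placeholder for the metadata URL Gearbox shows you in step 5. The claim rules it attaches are the same ones the wizard generates in steps 8 and 11-14.

```powershell
# Added example (not from the Gearbox article or Microsoft documentation).
# Creates the relying party trust and claim rules from steps 6-14 with the
# AD FS PowerShell module, then exports the primary token-signing certificate
# from steps 15-18 as Base-64 X.509 text ready to paste into Gearbox.
# Assumptions: run as an AD FS administrator on the federation server;
# $GearboxMetadataUrl is a placeholder for the URL Gearbox displays in step 5.

Import-Module ADFS

$GearboxMetadataUrl = 'https://gearbox.example.com/saml/metadata'   # placeholder
$TrustName          = 'Gearbox'

# Gearbox requires HTTPS endpoints; refuse to build a trust from a cleartext URL.
if ($GearboxMetadataUrl -notmatch '^https://') {
    throw "Relying party metadata URL must use HTTPS: $GearboxMetadataUrl"
}

# Step 8: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 11-12: send E-Mail Addresses, Given-Name and Surname as claims.
# Steps 13-14: transform the e-mail claim into a Name ID with the Email format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email, given name and surname"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "First Name", "Last Name"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Steps 6-9: import the relying party data Gearbox publishes and attach the rules.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataUrl $GearboxMetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Steps 15-18: export the primary token-signing certificate (public part only)
# as Base-64 encoded X.509, the same format the "Copy to File" wizard produces.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate
$der     = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem     = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`r`n-----END CERTIFICATE-----"
$pem | Set-Content -Path "$env:USERPROFILE\Desktop\adfs-token-signing.cer" -Encoding Ascii

# Show the thumbprint and expiry so the value pasted into Gearbox can be compared
# with the certificate displayed in AD FS Management, and so the rollover date is known.
"Thumbprint: $($cert.Thumbprint)  NotAfter: $($cert.NotAfter)"
```

Two points worth checking after running this. First, compare the printed thumbprint with the one shown in the AD FS Management certificate view before pasting the file's contents into Gearbox, so that a secondary or previously rolled certificate is not used by mistake. Second, AD FS rolls its token-signing certificate automatically when AutoCertificateRollover is enabled (the default), and a certificate pasted into Gearbox as static text will stop validating once that happens; note the NotAfter date and plan to repeat steps 15-18 before rollover, or supply the optional metadata URL from step 4 if Gearbox refreshes the signing certificate from it.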