Setting up single sign-on (SSO) using Active Directory with ADFS and SAML
Brightly Assetic Cloud Platform supports single sign-on (SSO) logins through SAML 2.0. There are many different SAML 2.0 identity providers (IdPs) available on the market. One of them is Active Directory Federation Services (ADFS), a self-hosted server role that Microsoft ships as a standard part of Windows Server. ADFS provides a web login using existing Active Directory credentials and issues signed SAML assertions to the relying party, in this case Assetic Cloud Platform.
Requirements
To use ADFS to log into Brightly Assetic Cloud Platform, you need the following components:
- An Active Directory instance in which users have an e-mail address attribute. This attribute is sent as the SAML Name ID (Step 2), so it must be populated and must match the e-mail address of the corresponding Assetic user (Step 4.8).
- A server running Windows Server 2012 or above. This guide uses screenshots from Windows Server 2012 R2.
- A publicly trusted TLS/SSL server authentication certificate for the ADFS host name, so that browsers redirected to the ADFS login page do not receive certificate warnings.
You need to install the ADFS role on that server. Installing and configuring ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article.
When ADFS is fully installed, note down the URL of the 'SAML 2.0/WS-Federation' endpoint listed in the ADFS Endpoints section. If you chose the defaults for the installation, its path will be '/adfs/ls/' (the full URL is needed in Step 4.5).
Step 1 - Adding a Relying Party Trust
1.1. Open Server Manager, select Tools, AD FS Management
1.2. Expand Trust Relationships, select Relying Party Trusts.
1.3. Select Add Relying Party Trust to launch the wizard
1.4. Select Enter data about the relying party manually
1.5. Enter a Display Name that you will recognise in the future and any notes.
1.6. Select AD FS Profile
1.7. On the Configure Certificate page, keep the default (no token encryption certificate). ADFS signs SAML response messages with its primary token-signing certificate; that certificate is exported in Step 3 and pasted into Assetic Cloud Platform in Step 4.
1.8. Select Enable support for the SAML 2.0 WebSSO protocol and enter the SAML 2.0 SSO service URL for your environment in the following format: https://<client-site>.assetic.net/Account/SAMLLogin
This value must match the 'SAML Assertion Consumer Service URL' value shown under the Identity Provider section in Assetic Cloud Platform (see the example in Step 4.5).
1.9. Add the Relying party trust identifier in the following format: https://<client-site>.assetic.net/
This value must match the 'Audience URI (SP Entity ID)' value shown under the Identity Provider section in Assetic Cloud Platform (see the example in Step 4.5). ADFS matches identifiers exactly, so include the trailing slash as shown.
1.10. You may configure multi-factor authentication, but this is beyond the scope of this guide.
1.11. Select Permit all users to access this relying party. Note that this lets every Active Directory user obtain a SAML assertion for Assetic Cloud Platform; you can fine-tune the issuance authorization rules after the wizard, for example to require membership of a specific AD group. Please refer to the Microsoft KB article for more details.
1.12. Check the Open the Edit Claim Rules dialog option and close the wizard.
Step 2 - Creating claim rules
When ADFS sends SAML response messages to Assetic Cloud Platform, it needs to include three additional claims in the message: the user's last name, first name and e-mail address (the e-mail address is sent as the Name ID). They are configured using claim rules. To apply a different transformation to the claims, please refer to the Microsoft KB article.
2.1. Click Add Rule
2.2. Select Send LDAP Attributes as Claims
2.3. Enter a Claim rule name, e.g. Send Full Name & Username, and select Attribute store: Active Directory. Then map the LDAP attributes to outgoing claim types as follows:
- LDAP attribute Surname, outgoing claim type Lastname (typed in)
- LDAP attribute Given-Name, outgoing claim type Firstname (typed in)
- LDAP attribute E-Mail-Addresses, outgoing claim type Name ID (selected from the drop-down menu)
2.4. Click OK to complete.
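The relying party trust and claim rule from Steps 1 and 2 can also be created with the AD FS PowerShell module, which is useful for repeatable deployments and for reviewing exactly what the wizard produced. The following is an added example, not code from the original guide or from Brightly; the site name 'client-site' and the display name are placeholders, and the outgoing claim types 'Lastname' and 'Firstname' are taken literally from Step 2.3 (substitute full claim-type URIs if your platform documents them).

```powershell
# Added example: create the Assetic relying party trust from Steps 1 and 2
# with PowerShell instead of the AD FS Management wizard. Run on the ADFS server.
Import-Module ADFS

$site        = 'client-site'                                      # placeholder: your Assetic site name
$acsUrl      = "https://$site.assetic.net/Account/SAMLLogin"      # Step 1.8: must equal the 'SAML Assertion Consumer Service URL' (Step 4.5)
$entityId    = "https://$site.assetic.net/"                       # Step 1.9: must equal the 'Audience URI (SP Entity ID)' (Step 4.5)
$displayName = "Assetic Cloud Platform ($site)"                   # Step 1.5: any name you will recognise later

# Step 1.8: the SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Step 2: one 'Send LDAP Attributes as Claims' rule that sends surname,
# given name and e-mail (as Name ID) from Active Directory. This is the rule
# language the template generates; 'Lastname'/'Firstname' are the outgoing
# claim types from Step 2.3.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send Full Name & Username"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Lastname", "Firstname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sn,givenName,mail;{0}", param = c.Value);
'@

# Step 1.11: 'Permit all users'. To restrict access to one AD group instead,
# replace this with a rule that tests the groupsid claim against the group's
# SID (placeholder shown in the comment below):
#   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "<group-SID>"]
#    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -Notes 'Relying party trust for Brightly Assetic Cloud Platform SSO'

# Review what was created; the Identifier and SamlEndpoints must match the
# values on the Assetic Identity Provider page character for character.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

No token encryption certificate is specified, matching the default left in Step 1.7; ADFS still signs every response with its primary token-signing certificate.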
Step 3 - Exporting signing certificate
In Step 1.7 we left the certificate configuration at its default, so ADFS signs the messages with its primary token-signing certificate. The public part of this certificate needs to be exported and used for configuring the SSO settings in Assetic Cloud Platform in Step 4 (only the certificate is exported; the private key stays on the ADFS server).
3.1. Open AD FS Management, expand Service and select Certificates.
3.2. Right-click the Token-signing certificate and select View Certificate
3.3. Select the Details tab, click Copy to File
3.4. Click Next
3.5. Select Base-64 encoded X.509 and Click Next.
3.6. Enter a path and file name on the local machine and then Click Next and Finish
3.7. Locate the .cer file in Windows Explorer and then Open the file with Notepad
3.8. Select all the text between the BEGIN CERTIFICATE and END CERTIFICATE markers and copy the value. If ADFS shows a secondary token-signing certificate as well (this happens before an automatic certificate rollover), make sure you exported the one marked Primary, because that is the one currently used for signing.
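Steps 3 and 4.5 can be cross-checked from the ADFS configuration itself: the script below exports the primary token-signing certificate in the same Base-64 X.509 form as the Copy to File wizard, prints the Single Sign-On URL and Issuer that Step 4.5 expects, and warns about the two conditions that later break SSO silently, an expiring token-signing certificate and automatic certificate rollover. This is an added example, not code from the original guide or from Brightly; the output path is an arbitrary assumption.

```powershell
# Added example: gather the three Step 4.5 values from AD FS and check for
# token-signing certificate rollover. Run on the ADFS server.
Import-Module ADFS

$outFile = 'C:\Temp\adfs-token-signing.cer'   # assumption: any writable path

# Step 3.2: AD FS signs SAML responses with the *primary* token-signing
# certificate. A secondary one exists during rollover; pasting that one into
# the SP would make every signature check fail.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# Step 3.5: Base-64 encoded X.509 with PEM markers. Export() with ContentType
# Cert writes the public certificate only; the private key never leaves AD FS.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding ASCII

# Step 4.5 values. The Issuer is the federation service identifier; the SP
# compares it exactly (scheme, host and path), and the default uses http://.
$props  = Get-AdfsProperties
$ssoUrl = (Get-AdfsEndpoint | Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' }).FullUrl

[pscustomobject]@{
    'Identity Provider Single Sign-On URL' = $ssoUrl            # e.g. https://adfs-host/adfs/ls/
    'Identity Provider Issuer'             = $props.Identifier  # e.g. http://adfs-host/adfs/services/trust
    'X.509 Certificate file'               = $outFile
    'Thumbprint'                           = $cert.Thumbprint
    'Not after'                            = $cert.NotAfter
} | Format-List

# Caveats to check before calling the setup done.
if ($props.AutoCertificateRollover) {
    Write-Warning ("AutoCertificateRollover is enabled: AD FS will generate and promote a new " +
                   "token-signing certificate before {0:yyyy-MM-dd}. SSO logins will fail until the new " +
                   "certificate is pasted into the Assetic Identity Provider page again." -f $cert.NotAfter)
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Primary token-signing certificate expires on $($cert.NotAfter); plan the SP update now."
}
```

Open the exported file in Notepad as in Step 3.7 and paste its contents into the X.509 Certificate field; the thumbprint printed above lets you confirm later that the certificate configured in Assetic is still the one ADFS is using.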
Step 4 - Configuring Assetic Cloud Platform
After setting up ADFS, you need to configure Brightly Assetic Cloud Platform to authenticate using SAML.
4.1. Launch Assetic Cloud Platform in a web browser and then log in with an account with Admin role.
4.2. Once signed in, click Home, Admin
4.3. Click Dashboard, System, User Management
4.4. Click Identity Provider and click Edit button.
4.5. Paste the certificate copied in Step 3.8 into the X.509 Certificate text area, complete the remaining fields on the Identity Provider page as follows, then click Save.
- Identity Provider Single Sign-On URL: https://adfs-host/adfs/ls/ (the 'SAML 2.0/WS-Federation' endpoint noted after installation)
- Identity Provider Issuer: http://adfs-host/adfs/services/trust (the ADFS federation service identifier; note that the default value uses http://, not https://, and it must match exactly)
- IsEnabled: Checked
4.6. Confirm the Successfully saved message appears at the bottom of the page.
4.7. Navigate to User Management.
4.8. Click Add New User and create a user whose e-mail address matches the e-mail address attribute of a user in Active Directory (this is the Name ID that ADFS sends, so the two must match exactly). Assign them a role and then click Update.
4.9. Click the User Icon in the top right of the page to log out.
4.10. Click the Single Sign-On link at the bottom of the Assetic Cloud Platform login page.
4.11. You should be redirected to the ADFS login page. Sign in with the credentials of the matching user in your corporate domain.
4.12. Once authenticated, you should be redirected to the https://<client-site>.assetic.net home page.