This guide covers SAML 2.0 SSO setup using Windows Server 2012R2 Standard with AD FS 2.0 serving as Identity Provider.
Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article.
When you have a fully installed ADFS installation, note down the value for the 'SAML 2.0/W-Federation' URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be '/adfs/ls/'.
Prerequisites
- WIndows Server 2012 R2 standard
- Active directory domain service installed
- DNS
- Certificate (or self signed certificate for testing purposes)
- AD FS - Active Directory Federation Service role installed
Note: Windows Server 2008 R2 supports AD FS 2.0, Windows Server 2012 supports AD FS 2.1, Windows Server 2012 R2 supports AD FS 3.0. enableHR SSO setup with AD FS 2.0 covered in this guide.
Windows server configuration for enableHR SSO
2. Select "Enter data about the relying party manually".
3. Enter Name, e.g. “enableHR”.
4. Select “AD FS Profile”.
5. Skip token encryption certificate step, it’s not supported by enableHR SSO.
6. Your “Single sign on URL” for AD FS is https://login.enablehr.com/app/saml
Copy it and paste https://login.enablehr.com/app/saml in AD FS wizard as “Relying party SAML 2.0 SSO service URL”
7. Enter your enableHR URL as “Relying party trust identifier”, e.g. “https://login.enablehr.com/app/saml”
Note: Do NOT add slash "/" at the end of identifier, otherwise integration won't work.
8. Select “Permit all users..” if you want to allow all Active Directory users to login to enableHR or “Deny all..” if you want to allow specific users later.
9. Don’t change anything on the next step.
10. Select “Open the Edit Claim rules..”
11. Click ‘Add’ on Claim rules wizard and keep “Select LDAP Attributes as Claims” on first step.
12. Add “Email” rule with E-Mail Address claim and Active Directory as attribute store.
Note: "Email / User ID" as outgoing claim type. You must type it exactly as 'Email / User ID' in the field.
13. Add “Email Name ID” rule with Email Name ID claim, Active Directory as attribute store and 'E-Mail-Addresses ' as LDAP attribute. Note "Name ID" as outgoing claim type. You must select or type it exactly as 'Name ID' in the field.
14. Add “First Name” rule with First Name claim, Active Directory as attribute store and 'Given-Name' as LDAP attribute. Note "First Name" as outgoing claim type. You must type it exactly as 'First Name' in the field.
15. Add “Last Name” rule with Last Name claim, Active Directory as attribute store and 'Surname' as LDAP attribute. Note "Last Name" as outgoing claim type. You must type it exactly as 'Last Name' in the field.
Summary of all rules needed
Claim Rule Name | Attribute Store | LDAP Attribute | Outgoing Claim Type |
Active Directory | E-Mail-Addresses | Email / User ID | |
Email Name ID | Active Directory | E-Mail-Addresses | Name ID |
First Name | Active Directory | Given-Name | First Name |
Last Name | Active Directory | Surname | Last Name |
Mapping attributes from Active Directory with ADFS and SAML
When using SAML login with ADFS, you can pass other values in addition to the authentication values. This article describes how to pass user's custom roles.
These values are defined as Claim Rules in the Relying Party Trust. To edit the Claim Rules, select the Relying Party Trusts folder from AD FS Management, and choose Edit Claim Rules from the Actions sidebar. New rules are added by clicking Add Rule and then selecting a template from the window that pops up.
Roles
Setting the role of a user based on their membership in a group is a two-step process. First, you create a new rule using the Send Group Membership as a Claim template. Second, you modify the definition generated by that rule slightly to create a custom rule that correctly passes the information to Zendesk.
Example
Add “HR User (Branch A)” rule with HR User claim, User's group of "HR User" Outgoing Claim type "Roles" and Outgoing claim value as "HR User (Branch A)".
To create the group membership rule:
Add a new rule and Select Send Group Membership as a Claim for the template.
Locate the group that you wish to map to the role by using the Browse button.
For Outgoing claim type, type Roles. (*Please note - you need to type 'Roles', you can't choose 'Role' from the dropdown)
For Outgoing claim value, use the same value as the SAML Role name configured in enableHR
Click Finish
enableHR SSO configuration
SSO configuration is currently completed by enableHR staff. Please send the XML file FederationMetadata.xml to enableHR
You can find out your XML metadata file from your AD FS server via https://yourserver.yourdomain/FederationMetadata/2007-06/FederationMetadata.xml
Example: https://adtest.enablehr.com.au/FederationMetadata/2007-06/FederationMetadata.xml
Please send the XML file FederationMetadata.xml to your enableHR Project Manager
Additional information
The Federation Server is usually not directly accessible from the Internet, so you need to set up a proxy. Here’s additional information about proxy setup:
https://technet.microsoft.com/en-us/library/dd807055(WS.10).aspx
One thing to ensure is that your ADFS users that will be using SSO with enableHR have an email address populated in Active Directory. If the user already exists in enableHR (they were manually created) and you want that user to use SSO, you should first manually change their username to be their email address otherwise a duplicate user will be created when that user first usees SSO. An example is an employee “Peter Smith” who has an enableHr username (smith2468) You should first manually change his enableHR username from smith2468 to peter.smith@example.com
If using these instructions for Server 2016