AD FS 2.0 SAML Configuration

Last edited:

SAML Authentication in RFPIO

RFPIO uses the secure and widely adopted industry standard Security Assertion Markup Language 2.0 (SAML 2.0) and supports SAML Authentication as an add-on feature.

Our SSO implementation integrates easily with any large identity provider that supports SAML 2.0.

Configuration of RFPIO in AD FS

To configure RFPIO in AD FS, you must set up the AD FS connection with your RFPIO instance. The connection between AD FS and RFPIO is defined using a Relying Party Trust (RPT).

The steps involved in configuring RFPIO in AD FS are as follows:

1. Adding a Relying Party Trust

To add a relying party trust, you can follow the steps below:

  1. From AD FS section in the left navigation pane, Relying Party Trusts.
  2. From the Actions section in the left navigation bar, click Add Relying Party Trust…

mceclip0.png 

Note: Alternatively, you can right-click Relying Party Trusts from the left navigation bar and select Add Relying Party Trust.

mceclip1.png

  1. In the Add Relying Party Trust WizardWelcome screen, select Claims Aware and click Start.

The Select Data Source screen will be displayed.

mceclip2.png  

  1. Select Enter data about the relying party manually and click Next.

The Specify Display Name screen will be displayed. 

  1. Enter a Display name- RFPIO that you will recognize in the future.
  2. Enter any required notes. 

mceclip3.png    

  1. Click Next. The Configure Certificate screen will be displayed.

mceclip4.png  

  1. Click Next.
  2. The Configure URL screen will be displayed. Select the check-box Enable Support for the SAML 2.0 WebSSO protocol.
  3. In the Relying Party SAML 2.0 SSO service URL, enter https://app.rfpio.com/rfpserver/login/handle-saml-response/<DefaultRelayState>

mceclip5.png  

Note: Replace Default Relay State with the Default Relay State value in RFPIO > Organization Settings > SECURITY > SSO.

mceclip6.png        

  1. Click Next. The Configure Identifiers page will be displayed.
  2. In the Relying party trust identifiers field, enter https://www.rfpio.com and click Add.

The added value will be displayed as shown below:

mceclip7.png  

  1. Click Next. The Choose Access Control Policy page will be displayed.

 mceclip8.png 

  1. Select Permit everyone and click

The Ready to Add Trust page will be displayed.

  1. Click Next.

mceclip9.png 

  1. The Finish page will be displayed. Select the check-box associated with Configure claim issuance policy for this application.

mceclip10.png  

  1. Click Close. The newly created relying party trusts will be displayed as shown below:

mceclip11.png 

 

2. Creating Claim Issuance Policy

Once the relying party trust has been created, you can configure the claim issuance policy.

To create a new rule, you can follow the steps below:

  1. In the AD FS page, click on the newly created Relying Party Trusts, example: RFPIO.
  2. In the right navigation pane, RFPIO section will be displayed. Click on Edit Claim Issuance Policy.

mceclip12.png

  1. The Edit Claim Issuance Policy for RFPIO pop-up will be displayed. Click Add Rule.

mceclip13.png  

  1. The Select Rule Template page will be displayed. Create a Send LDAP Attributes as Claims

mceclip14.png 

  1. Click Next. The Configure Rule page will be displayed.
  2. From the Attribute store drop-down, select Active Directory
  3. In the Mapping of LDAP attributes to outgoing claim types field, provide the following values: 

LDAP Attribute (Select or Type to add more)

Outgoing Claim Type (Select or Type to add more)

Given-Name

first_name

Surname

last_name

State-Or-Province-Name

location

Telephone-Number

phone

Email-Address

Name ID

Title

job_title

 

  1. Click Finish once the values are added.

mceclip15.png 

  1. The Edit Claim Issuance Policy for RFPIO page will be displayed. Click Apply and then OK.

 mceclip16.png

 

3. SAML Assertion Consumer Endpoints

To add SAML assertion end points, you can follow the steps below:

  1. From the AD FS page, select the Relying Party Trust name, right-click and select Properties.

mceclip42.png 

  1. The RFPIO Properties pop-up will be displayed. Select Endpoints.

mceclip43.png  

  1. Click Add SAML.

 mceclip44.png 

  1. From the Binding drop-down options, select POST.
  2. Select the Index value as 1.
  3. In the Trusted URL field, enter: https://app.rfpio.com/rfpserver/login/handle-saml-response

mceclip45.png 

Note: Ensure the Default value is Yes for the index 0

mceclip46.png 

7. Click Apply and then OK.

4. Adding Custom Role in the Claim Issuance Policy (Optional)

Prerequisite: A new LDAP attribute has to be created prior to mapping custom roles in the Claim Issuance policy. 

To add a custom role in the Claim Insurance Policy, you can follow the steps below: 

  1. From the AD FS page, click on the Relying Party Trust name and then click Edit Claim Issuance Policy from the right navigation pane.

mceclip34.png 

  1. The Edit Claim Issuance Policy for RFPIO page will be displayed. Click Edit Rule.

mceclip35.png 

  1. Add the below value in the fields: 

LDAP Attribute (Select or Type to add more)

Outgoing Claim Type (Select or Type to add more)

rfpiorole

role

mceclip36.png  

  1. Click OK.
  2. The Edit Claim Issuance Policy for RFPIO page will be displayed. Click Apply and then click OK.

mceclip37.png

 

5. Creating New Attribute (Optional)

Using this feature, you can create custom user roles. 

Prerequisite: Users with administrator privilege can only perform these operations. 

To create a new attribute, you can follow the steps below:

  1. Click mceclip17.png+ R in your keyboard.

mceclip18.png 

  1. Type MMC and click
  2. The Console1 – [Console Root] pop-up will be displayed. Click File and select Add/Remove Snap-in.

mceclip19.png  

  1. The Add or Remove Snap-ins pop-up will be displayed. Select Active Directory Schema from Available snap-ins section and click Add.

mceclip20.png 

  1. Click OK.

mceclip21.png

  1. From the left navigation pane, click Active Directory Domains and Trusts > Attributes > right click and select Create Attribute.

mceclip22.png 

  1. The Schema Object Creation pop-up will be displayed. Click Continue.

mceclip23.png 

  1. The Create New Attribute pop-up will be displayed. Provide values as given below:

Common Name

rfpio_user_role

LDAP Display Name

rfpio_user_role

Unique X500 Object ID

Steps to Generate Object ID is described from step 9.

Syntax

Unicode String (Select from the drop-down)

 

Generating Object ID using VBScript (Microsoft Link)

  1. Open the following link in any web browser, copy the VB script code, and paste into Notepad.

http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06 

  1. Save the notepad file as "OIDGen.vbs" (enclosed with double quotes, else it will be suffixed with .txt after .vbs) name on the C: drive.
  2. Open command prompt and run the following script:

Start > Run > Cmd.exe > CScript.exe C:\OIDGen.vbs 

mceclip24.png 

  1. Copy the OID string (dot separated numeric string) and paste into Unique X500 Object ID field.

mceclip25.png 

  1. Click OK.
  2. Click Classes from the left navigation pane.
  3. Select User, right-click and select Properties.

mceclip26.png

  1. The user Properties pop-up will be displayed. Click Attributes and click Add.

mceclip27.png 

  1. The Select Schema Object pop-up will be displayed. Select the newly created attribute and click OK.

mceclip28.png 

  1. The selected option will be displayed in User Properties - Optional Click Apply and then OK.
  2. Open Active Directory Users and Computers.
  3. By default, Users will be selected. Click ADFS User, right-click and select Properties.

mceclip29.png

Note: Only Administrators can make these changes.

mceclip30.png 

  1. The ADFS User Properties pop-up will be displayed. Click Attribute Editor and scroll down to the rfpiorole.
  2. Select rfpiorole and click Edit.

mceclip31.png 

  1. Specify the role as Manager and click OK.

mceclip32.png 

  1. The value will be updated in the Attributes section. Click Apply and then OK.

mceclip33.png 

  1. Close the Active Directory Users and Computers pop-up.

Once the custom roles are created, you can add custom role in the Claim Issuance policy.

 

RFPIO Configuration

To make configurations from the RFPIO application, you can follow the steps below: 

  1. Login to https://app.rfpio.com and click Organization Settings.

mceclip47.png

  1. From the Organization Settings page, click SECURITY and then SSO.

Note:

  • If the SAML SSO feature not displayed, contact your account manager.
  • Multiple SSO can be created for a single client instance. If required, raise a support ticket. Once approved the team will enable it for the client.
  1. Enable the toggle switch near SSO and click Submit.

mceclip48.png   

  1. Click ADD NEW. The Add new SSO section will be displayed as shown below:

mceclip49.png  

  1. Enter the name as ADFS.
  2. Click CHOOSE FILE and upload federated metadata file.

Note: The federated metadata file can be downloaded from:

https://<server>/federationmetadata/2007-06/federationmetadata.xml

mceclip50.png  

  1. Click VALIDATE.
  2. Once validated, turn on the toggle switch associated with ADFS (Disabled).

mceclip51.png 

 

RFPIO - SAML Login

Users can Login to RFPIO using SAML in 2 ways.

Login Using Instance Specific URL

To login using instance specific URL, you can follow the steps below:

  1. Provide the Following URL in your browser: https://<server>/adfs/ls/IdpInitiatedSignOn.aspx
  2. Select the radio button as shown in the image below and select Continue to Sign In.

mceclip52.png  

  1. Provide username, password, and click Log In.

mceclip53.png  

You will be navigated to the RFPIO page as shown:

mceclip54.png 

Login to app.rfpio.com using SAML

To login to app.rfpio.com using SAML, you can follow the step below:

mceclip55.png

Provide your Email address and click Sign-in Using SAML.

mceclip56.png

Was this article helpful?
0 out of 0 found this helpful

Related articles

Top