SAML Authentication in RFPIO
RFPIO uses the secure and widely adopted industry standard Security Assertion Markup Language 2.0 (SAML 2.0) and supports SAML Authentication as an add-on feature.
Our SSO implementation integrates easily with any large identity provider that supports SAML 2.0.
Configuration of RFPIO in AD FS
To configure RFPIO in AD FS, you must set up the AD FS connection with your RFPIO instance. The connection between AD FS and RFPIO is defined using a Relying Party Trust (RPT).
The steps involved in configuring RFPIO in AD FS are as follows:
1. Adding a Relying Party Trust
To add a relying party trust, you can follow the steps below:
- From the AD FS section in the left navigation pane, click Relying Party Trusts.
- From the Actions section in the left navigation bar, click Add Relying Party Trust…
Note: Alternatively, you can right-click Relying Party Trusts from the left navigation bar and select Add Relying Party Trust.
- In the Add Relying Party Trust Wizard – Welcome screen, select Claims Aware and click Start.
The Select Data Source screen will be displayed.
- Select Enter data about the relying party manually and click Next.
The Specify Display Name screen will be displayed.
- Enter a Display name (for example, RFPIO) that you will recognize in the future.
- Enter any required notes.
- Click Next. The Configure Certificate screen will be displayed.
- Click Next.
- The Configure URL screen will be displayed. Select the check-box Enable Support for the SAML 2.0 WebSSO protocol.
- In the Relying Party SAML 2.0 SSO service URL field, enter https://app.rfpio.com/rfpserver/login/handle-saml-response/<DefaultRelayState>
Note: Replace <DefaultRelayState> with the Default Relay State value shown in RFPIO > Organization Settings > SECURITY > SSO.
- Click Next. The Configure Identifiers page will be displayed.
- In the Relying party trust identifiers field, enter https://www.rfpio.com and click Add.
The added value will be displayed as shown below:
- Click Next. The Choose Access Control Policy page will be displayed.
- Select Permit everyone and click Next.
The Ready to Add Trust page will be displayed.
- Click Next.
- The Finish page will be displayed. Select the check-box associated with Configure claim issuance policy for this application.
- Click Close. The newly created relying party trusts will be displayed as shown below:
2. Creating Claim Issuance Policy
Once the relying party trust has been created, you can configure the claim issuance policy.
To create a new rule, you can follow the steps below:
- In the AD FS page, click the newly created Relying Party Trust (for example, RFPIO).
- In the right navigation pane, the RFPIO section will be displayed. Click Edit Claim Issuance Policy.
- The Edit Claim Issuance Policy for RFPIO pop-up will be displayed. Click Add Rule.
- The Select Rule Template page will be displayed. Select the Send LDAP Attributes as Claims template.
- Click Next. The Configure Rule page will be displayed.
- From the Attribute store drop-down, select Active Directory.
- In the Mapping of LDAP attributes to outgoing claim types field, provide the following values:

| LDAP Attribute (Select or Type to add more) | Outgoing Claim Type (Select or Type to add more) |
| --- | --- |
| Given-Name | first_name |
| Surname | last_name |
| State-Or-Province-Name | location |
| Telephone-Number | phone |
| Email-Address | Name ID |
| Title | job_title |
- Click Finish once the values are added.
- The Edit Claim Issuance Policy for RFPIO page will be displayed. Click Apply and then OK.
3. SAML Assertion Consumer Endpoints
To add SAML assertion consumer endpoints, you can follow the steps below:
- From the AD FS page, select the Relying Party Trust name, right-click and select Properties.
- The RFPIO Properties pop-up will be displayed. Select Endpoints.
- Click Add SAML.
- From the Binding drop-down options, select POST.
- Select the Index value as 1.
- In the Trusted URL field, enter: https://app.rfpio.com/rfpserver/login/handle-saml-response
Note: Ensure the Default value is Yes for index 0.
- Click Apply and then OK.
4. Adding Custom Role in the Claim Issuance Policy (Optional)
Prerequisite: A new LDAP attribute has to be created prior to mapping custom roles in the Claim Issuance policy.
To add a custom role in the Claim Issuance Policy, you can follow the steps below:
- From the AD FS page, click on the Relying Party Trust name and then click Edit Claim Issuance Policy from the right navigation pane.
- The Edit Claim Issuance Policy for RFPIO page will be displayed. Click Edit Rule.
- Add the following values in the fields:

| LDAP Attribute (Select or Type to add more) | Outgoing Claim Type (Select or Type to add more) |
| --- | --- |
| rfpiorole | role |
- Click OK.
- The Edit Claim Issuance Policy for RFPIO page will be displayed. Click Apply and then click OK.
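The following is an added example, not part of the RFPIO documentation or Microsoft's own samples. It creates the same relying party trust, claim issuance rules and assertion consumer endpoints that sections 1 to 4 above build through the wizard, using the AD FS PowerShell module on the AD FS server, so the resulting configuration can be reviewed and reproduced as text. The relay state value is a placeholder that must be taken from RFPIO; the LDAP attribute names in the query (givenName, sn, st, telephoneNumber, mail, title) are the directory names behind the display names in the mapping table, and the custom role attribute is assumed to have the LDAP display name rfpiorole as listed in section 4.

```powershell
# Added example: relying party trust for RFPIO built with the AD FS cmdlets
# (not RFPIO's or Microsoft's code). Run in an elevated session on the AD FS server.
Import-Module ADFS

$DefaultRelayState = '<DefaultRelayState>'   # placeholder: copy from RFPIO > Organization Settings > SECURITY > SSO
$AcsBase           = 'https://app.rfpio.com/rfpserver/login/handle-saml-response'

# Section 3: POST-binding assertion consumer endpoints. Index 0 is the default
# endpoint carrying the relay state; index 1 is the plain endpoint.
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "$AcsBase/$DefaultRelayState" -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri $AcsBase -Index 1 -IsDefault $false
)

# Section 2: the Send LDAP Attributes as Claims rule in claim rule language.
# The attributes in the query are listed in the same order as the outgoing
# claim types; the e-mail address is issued as the SAML Name ID.
$ClaimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "RFPIO attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("first_name",
                   "last_name",
                   "location",
                   "phone",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "job_title"),
          query = ";givenName,sn,st,telephoneNumber,mail,title;{0}",
          param = c.Value);
'@

# Section 4 (optional): custom role rule reading the rfpiorole attribute
# (assumed LDAP display name, see the mapping table in section 4).
$RoleRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "RFPIO custom role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("role"), query = ";rfpiorole;{0}", param = c.Value);
'@

# Section 1: the trust itself, with the identifier, access control policy and
# SAML-only protocol profile chosen in the wizard.
Add-AdfsRelyingPartyTrust -Name 'RFPIO' `
    -Identifier 'https://www.rfpio.com' `
    -SamlEndpoint $Endpoints `
    -AccessControlPolicyName 'Permit everyone' `
    -ProtocolProfile SAML `
    -IssuanceTransformRules ($ClaimRules + "`r`n" + $RoleRule) `
    -Notes 'RFPIO SAML 2.0 trust'

# Review what was written: identifier, endpoints and the rule text in one place.
Get-AdfsRelyingPartyTrust -Name 'RFPIO' |
    Select-Object Name, Identifier, AccessControlPolicyName, SamlEndpoints, IssuanceTransformRules |
    Format-List
```

Keeping the rule text in source control makes later changes to the mapping reviewable; the same text can be re-applied with Set-AdfsRelyingPartyTrust -TargetName 'RFPIO' -IssuanceTransformRules if the wizard-created policy drifts from it.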
5. Creating New Attribute (Optional)
Using this feature, you can create custom user roles.
Prerequisite: Only users with administrator privileges can perform these operations.
To create a new attribute, you can follow the steps below:
- Press Windows + R on your keyboard.
- Type MMC and click OK.
- The Console1 – [Console Root] pop-up will be displayed. Click File and select Add/Remove Snap-in.
- The Add or Remove Snap-ins pop-up will be displayed. Select Active Directory Schema from Available snap-ins section and click Add.
- Click OK.
- From the left navigation pane, click Active Directory Domains and Trusts > Attributes > right click and select Create Attribute.
- The Schema Object Creation pop-up will be displayed. Click Continue.
- The Create New Attribute pop-up will be displayed. Provide values as given below:

| Field | Value |
| --- | --- |
| Common Name | rfpio_user_role |
| LDAP Display Name | rfpio_user_role |
| Unique X500 Object ID | See Generating Object ID using VBScript below. |
| Syntax | Unicode String (Select from the drop-down) |
Generating Object ID using VBScript (Microsoft Link)
- Open the following link in a web browser, copy the VB script code, and paste it into Notepad.
http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06
- Save the file on the C: drive as "OIDGen.vbs" (including the double quotes; otherwise Notepad appends .txt after .vbs).
- Open a command prompt and run the script:
Start > Run > Cmd.exe > CScript.exe C:\OIDGen.vbs
- Copy the OID string (a dot-separated numeric string) and paste it into the Unique X500 Object ID field.
- Click OK.
- Click Classes from the left navigation pane.
- Select User, right-click and select Properties.
- The user Properties pop-up will be displayed. Click Attributes and click Add.
- The Select Schema Object pop-up will be displayed. Select the newly created attribute and click OK.
- The selected attribute will be displayed under Optional in the User Properties pop-up. Click Apply and then OK.
- Open Active Directory Users and Computers.
- By default, Users will be selected. Right-click ADFS User and select Properties.
Note: Only Administrators can make these changes.
- The ADFS User Properties pop-up will be displayed. Click Attribute Editor and scroll down to rfpiorole.
- Select rfpiorole and click Edit.
- Specify the role as Manager and click OK.
- The value will be updated in the Attributes section. Click Apply and then OK.
- Close the Active Directory Users and Computers pop-up.
Once the custom roles are created, you can add the custom role in the Claim Issuance Policy.
RFPIO Configuration
To configure SSO from the RFPIO application, you can follow the steps below:
- Login to https://app.rfpio.com and click Organization Settings.
- From the Organization Settings page, click SECURITY and then SSO.
Note:
- If the SAML SSO feature is not displayed, contact your account manager.
- Multiple SSO configurations can be created for a single client instance. If required, raise a support ticket; once approved, the team will enable it for the client.
- Enable the toggle switch near SSO and click Submit.
- Click ADD NEW. The Add new SSO section will be displayed as shown below:
- Enter the name as ADFS.
- Click CHOOSE FILE and upload the federation metadata file.
Note: The federated metadata file can be downloaded from:
https://<server>/federationmetadata/2007-06/federationmetadata.xml
- Click VALIDATE.
- Once validated, turn on the toggle switch associated with ADFS (Disabled).
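Before uploading the federation metadata file, it is worth checking what it actually contains: the entityID RFPIO will trust, the single sign-on endpoints AD FS advertises, and the validity window of the token-signing certificate, since a trust built on a certificate that AD FS is about to roll over will break at rollover time. The script below is an added example, not RFPIO's or Microsoft's code; it downloads the metadata from the URL given in the note above, with the AD FS host name as a placeholder parameter, and reports those values.

```powershell
# Added example: inspect AD FS federation metadata before uploading it to RFPIO.
# $Server is a placeholder for your AD FS host; $Path is where the file is saved.
param(
    [string]$Server = 'adfs.example.com',                # placeholder host name
    [string]$Path   = "$env:TEMP\federationmetadata.xml"
)

# Fetch the metadata from the location documented for AD FS.
Invoke-WebRequest -Uri "https://$Server/federationmetadata/2007-06/federationmetadata.xml" -OutFile $Path

[xml]$Metadata = Get-Content -Path $Path -Raw
$Ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
$Ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$Ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# The entityID is the issuer RFPIO will compare against the assertion's Issuer.
$Entity = $Metadata.SelectSingleNode('/md:EntityDescriptor', $Ns)
"entityID : $($Entity.entityID)"

# Endpoints AD FS advertises for the identity-provider role.
$Idp = $Entity.SelectSingleNode('md:IDPSSODescriptor', $Ns)
foreach ($Sso in $Idp.SelectNodes('md:SingleSignOnService', $Ns)) {
    "SSO      : $($Sso.Binding) -> $($Sso.Location)"
}

# Signing certificates: subject, thumbprint and validity. Warn when the
# certificate is close to expiry so the metadata can be re-uploaded in time.
foreach ($Kd in $Idp.SelectNodes("md:KeyDescriptor[@use='signing']", $Ns)) {
    $B64  = $Kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $Ns).InnerText
    $Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($B64))
    "signing  : $($Cert.Subject)"
    "           thumbprint=$($Cert.Thumbprint) valid $($Cert.NotBefore.ToString('u')) to $($Cert.NotAfter.ToString('u'))"
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate $($Cert.Thumbprint) expires within 30 days; plan to re-upload the metadata after rollover."
    }
}
```

Comparing the reported thumbprint with the token-signing certificate shown by Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server confirms the file came from the expected farm and not a stale copy.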
RFPIO - SAML Login
Users can log in to RFPIO using SAML in two ways.
Login Using Instance-Specific URL
To log in using the instance-specific URL, you can follow the steps below:
- Enter the following URL in your browser: https://<server>/adfs/ls/IdpInitiatedSignOn.aspx
- Select the radio button as shown in the image below and click Continue to Sign In.
- Provide your username and password, and click Log In.
You will be navigated to the RFPIO page as shown:
Login to app.rfpio.com using SAML
To log in to app.rfpio.com using SAML, you can follow the step below:
Provide your Email address and click Sign-in Using SAML.