Setup SSO Using ADFS with SAML

OnsiteSupport supports single sign-on using SAML 2.0  with an identity provider to be the ADFS server. It's provided by Microsoft with the ability to use active directory credentials to authenticate in OnsiteSupport.

In order to be able to use ADFS, you would need to meet the following requirements:

  • Active Directory with email attribute as it used as a basic connector to OnsiteSupport accounts;
  • Microsoft Server 2008 or 2012;
  • SSL for the domain where OnsiteSupport is installed or for a custom domain in cloud version on our server;
  • SSL certificate for ADFS login page signature and fingerprint.

Authentication Policies

We support only "Form-Based Authentication". Make sure to set up this option in primary authentication.


Setup Relying Party Trust

At first, you need to set up an ADFS connection with the OnsiteSupport environment. Start Adding Relying Party Trust Wizard from ADFS Management and follow below instructions:

  1. Data Source -  select "Enter Data About the Party Manually";
  2. Specify Display Name - add any name as identification of the party trust. For example, OnsiteSupport Connection;
  3. Choose Profile - select AD FS profile;
  4. Configure Certificate - leave options by default;
  5. Configure URL - check "Enable Support for the SAML 2.0 WebSSO protocol". The service URL will be https://subdomain.OnsiteSupport.com/saml/metadata, replacing subdomain with your OnsiteSupport subdomain or the whole domain that you have;
  6. Configure Identifiers - add OnsiteSupport.com This is the only possible value entered here;
  7. Multi-Factor Authentication - don't configure it or if you have specific instructions, apply them here;
  8. Authorization Rules - select the option to permit all users to access relying party;
  9. Finish - review and complete by proceeding to set up claim rules.

Create Claim Rules

You would require at least 2 rules to set up for the system to work correctly. Custom rules are outside of this documentation and can be discussed on an individual basis. To add basic rules, follow below instructions:

  • Add New Rule and select "Send LDAP Attributes as Claims rule";
  • Configure Claim Rule - select "Active Directory" under "Attribute store";

In order to map the LDAP attributes with claim types, please follow the screen instructions below.

Create another new rule and select "Transform an Incoming Claim as the template". Then select enter and choose the options as shown on the screen and click Ok.

Update Trust Settings

Relying party trust needs some changes as they were not included in the initial setup wizard. To access these settings, select the name of relying party trust that you've entered on the wizard stage and under Properties choose Actions sidebar.

  • Advanced tab - select SHA-256  as the secure hash algorithm. SHA1 shouldn't be selected as it's no longer supported by modern browsers and considered to be insecure;
  • Endpoints - add SAML as endpoint and select SAML Logout; Choose Post for the Binding;
  • Trusted URL -  create a URL using the web address of your ADFS server + The ADFS SAML endpoint you noted earlier + The string '?wa=wsignout1.0'. The URL should look something like this: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0. 

Save changes and you should have working replying trust for OnsiteSupport.

OnsiteSupport Configuration

Go to Administration » Applications and enable Single Sign-On. Then click Settings and select the SAML method.

You would need to enter at least 3 settings to complete setup ADFS connection on OnsiteSupport side.

At first, get the fingerprint by running command in windows command line with the installed certificate:

C:\> Get-AdfsCertificate

Search for thumbprint of the Token-Signing type certificate. Example: e0:64:71:6a:f5:55:9f:0e:24:e9:3a:fd:82:f5:a2:39:98:cd:9e:c1

Add External Login and Logout URLs.

Finally, your OnsiteSupport SAML settings page should look like this with custom options that you are required to fill out.

Is this article helpful?
1 0 0