होम
होम

Authentication

Learn about your options for allowing users access to Workplace.

Overview

Active Directory Federation Services (ADFS) is a Windows Server component that allows organizations to use Single Sign-on (SSO) access with other applications. In this guide, we will detail the setup required within ADFS to successfully integrate your SSO with Workplace.

Configure ADFS for SSO with Workplace

Prerequisites

In order to configure ADFS for Workplace you need to meet the following prerequisites:

  • Your SSO system uses Windows Server version 2019 or 2016, Active Directory Domain Services (ADDS), and Active Directory Federation Services (ADFS) v4 or v5.
  • You have been assigned System Admin role in your Workplace instance.
  • Your Workplace admin user has the exact same email address as your corresponding Active Directory user. If the email addresses are not a case sensitive match, you will not be able to complete this procedure successfully.
?
These instructions are also applicable to the configuration of Windows Server version 2012 R2 or 2008 R2 with AD FS v2, but be aware there are some minor differences in the configuration flow. We recommend upgrading to more recent Window Server versions.

Gather the parameters needed to configure ADFS

Follow the steps below in Workplace to find the parameters you need to configure ADFS.

1
Go to the Admin Panel and navigate to the Security section.

2
Navigate to the Authentication tab.

3
Check the Single sign-on (SSO) checkbox.

4
Note down the values your Audience URL and Recipient URL, which you will need during the ADFS configuration step.

Create the Relying Party Trust in ADFS

Before ADFS will allow federated authentication (i.e., SSO) for an external system, you must set up a Relying Party Trust. This configuration identifies the external system along with the specific technology that is used for SSO. This procedure will create a Relying Party Trust that produces SAML 2.0 Assertions for Workplace.

1
Open the ADFS Management snap-in. Click on Relying Party Trusts and choose Add Relying Party Trust.

2
Choose the Claims aware radio button. Click Start.

3
Select Enter data about the relying party manually and click Next.

4
Set the DisplayName as Workplace. Click Next.

5
Click Next to skip the optional step of selecting a token signing certificate.

6
Click the checkbox Enable support for the SAML 2.0 WebSSO protocol. Enter your Workplace Recipient URL you have noted down into the text box Relying party SAML 2.0 SSO service URL and click Next.

7
Enter your Workplace Audience URL in the text box RelyingPartyTrust Identifier, click Add and then click Next.

8
Click Next to accept the default Access Control Policy.

9
Review your settings and click Next to add the Relying Party Trust.

10
Leave the checkbox selected to open the Edit Claim Rules dialog when the wizard closes and click Close.

Create the Claim Rules

After a user is authenticated, ADFS claim rules specify the data attributes (and those attributes’ format) that will be sent to Workplace in the SAML Response. Since Workplace requires a Name ID element that contains the user’s email address, this example shows a configuration with two rules:

  • The first rule extracts the user’s User Principal Name from Active Directory (i.e., the user’s Windows Account Name);
  • The second rule transforms the User Principal Name into a Name ID with Email format.

Prepare to create your claim rules

Setup ADFS to create the two claim rules to configure SSO for Workplace.

1
The window Edit Claim Rules for Workplace should open automatically. If not, you can edit claim rules from the ADFS Management snap-in by selecting the Workplace relying party trust and in the right-hand window choose Edit Claim Rules.

2
Within the Issuance Transform Rules tab, click Add Rule… to start a new rule.

Create the first rule

Create the first rule to retrieve email address field from Active Directory when the user is authenticated.

1
For the Claim Rule template, select Send LDAP Attributes as Claims and click Next to continue.

2
Set the Claim Rule Name to Get LDAP Attributes. Set the Attribute store to Active Directory. In the first row, set the LDAP Attribute to E-Mail-Addresses and set the Outgoing Claim Type to E-Mail Addresses.

3
Click Finish to add the rule.

Create the second rule

Create the second rule to map email address field to Name Id assertion in SAML response.

1
Click Create Rule… to start a second new rule.

2
For Claim Rule Template, select Transform an Incoming Claim and click Next to continue.

3
For Claim Rule Name, enter Transform Email Address. For Incoming Claim Type, select E-Mail Address. For Outgoing Claim Type, select NameID. For Outgoing name ID format, select Email. Finally, Accept the default radio button selection Pass through all claim values and Click Finish to add the rule.

4
Click Apply to enact the claim rules.

Gather ADFS parameters needed to configure Workplace

In order to complete the setup we need to retrieve some parameters that have to be configured in Workplace.

?
To finish this configuration and have ADFS produce a valid SAML Assertion, you must be able to authenticate to ADFS as the user that has the exact same email address as your Workplace admin (case sensitive).
1
Open the ADFS Management snap-in.

2
Navigate to ADFS > Service > Endpoints.

3
Confirm the URL of your ADFS metadata under the heading Metadata.

4
From a web browser, open your ADFS metadata file. This location will be something like: https://{your-fully-qualified-active-directory-domain}/FederationMetadata/2007-06/FederationMetadata.xml.

5
Make a note of your SAML Issuer URL, which is contained in the entityID attribute of the EntityDescriptor element.

6
You will also need to make a note of your SAML URL, which is contained in the Location attribute of the the AssertionConsumerService element that has Binding type set to urn::oasis::names::tc::SAML:2.0::bindings::HTTP-POST.

Convert your certificate into X.509 format

Once you've gone through your identity provider's setup:

1
From the AD FS management console, choose ADFS > Service > Certificates. Right click on your Token-signing certificate and click View Certificate….

2
Choose the Details tab and click the button Copy to File….

3
Click Next to start the wizard. Choose Base-64 encoded X.509 (.CER).

4
Choose a location on the file system to save the exported certificate file.

5
Click Finish to complete the export.

Complete Workplace SSO configuration

You will need your SAML URL, SAML Issuer URL and exported certificate file to complete SSO configuration in Workplace. Please follow the guide in the section Configure Workplace for SSO.