How to configure Single Sign On with Microsoft AD Federation Services Identity Provider

Asset Vision supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (IdP) rather than obtaining and using a separate username and password handled by Asset Vision.

Under the SSO setup, Asset Vision acts as a Service Provider (SP) using SAML 2.0 (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) services for your domain.

You will need an Active Directory Federation Services (AD FS) Identity Provider (IdP), which handles the sign-in process and ultimately provides your users' authentication credentials to Asset Vision. Asset Vision users authenticated through your ADFS IdP are managed in your IdP, and any change to their email address is synced back to their Asset Vision account. The only user data Asset Vision needs is a unique identifier and an email address for each user. Asset Vision does not store passwords.

Step 1. ADFS Configuration

This procedure assumes that your ADFS server is hosted at win.lab.com. Replace win.lab.com with the actual domain name of your ADFS server when following it.

Open the ADFS Management

Open the ADFS Management through Start→Administrative Tools→AD FS Management.

Right-click on Service from the left tree-view and click on Edit Federation Service Properties.


Federation Service Properties

In the General tab you can find the Federation Service Identifier, which is the Identity Provider URL. You will need this value in the Asset Vision Single Sign-On (SSO) configuration page. For the current procedure the Identity Provider URL is http://win.lab.com/adfs/services/trust. Check the remaining values in the General tab and confirm that they match the DNS settings for your server.


View Certificate

Click on the Certificates entry in the left tree-view, right-click on the Token-Signing certificate and then click on View Certificate.


Certificate Export Wizard

In the Details tab click on Copy to File; the Certificate Export Wizard launches. Click on Next, select Base-64 encoded X.509 (.CER), and then click Next. Choose where you want to save the certificate and click on Finish.


Step 2. ADFS Relying Party Trust Configuration

In this step you define the Asset Vision endpoints in your ADFS. You can do this manually or import the metadata XML provided by Asset Vision. The latter is recommended, as it is easier to implement.

Export Metadata

From the SSO Setup page, export the Metadata XML file by clicking the Export Metadata button.


Add Relying Party Trust

Select Relying Party Trusts from the left tree-view under Trust Relationships, right-click on Relying Party Trusts and click on Add Relying Party Trust. The wizard launches.

  1. Click on Start and choose Import data about the relying party from a file. Click on Browse and locate the Metadata XML file of your Asset Vision domain.
  2. Click on Next, ignore the pop-up message, type a distinctive Display Name (e.g. Asset Vision) and click Next.
  3. Select Permit all users to access the relying party and click Next to Finish.
  4. In the center column, right-click on the relying party you have just created (e.g. Asset Vision) and then select Properties.
  5. In the Advanced tab select SHA-1 for the Secure hash algorithm and click on OK.

Step 3. ADFS Claim Rules Configuration

To configure proper communication between your ADFS and Asset Vision, you must define the Claim Rules.

In the center column, right-click on the relying party you have just created (e.g. Asset Vision) and then select Edit Claim Rules.

  • On the Issuance Transform Rules tab click on Add Rule. The wizard launches.
  • In the Add Transform Claim Rule Wizard window, select Send LDAP Attributes as Claims and click on Next.
  • Define the Claim rule name (e.g. Get LDAP Attributes) and select Active Directory in Attribute Store. In the Mapping of LDAP attributes to outgoing claim types section, set the following:
    • LDAP Attribute: E-Mail-Addresses, Outgoing Claim Type: E-mail Address
    • LDAP Attribute: User-Principal-Name, Outgoing Claim Type: UPN
  • Click Finish.
  • Add a second rule following the same procedure. Select Transform an Incoming Claim and click on Next.
  • Define the Claim rule name (e.g. Email to Name ID) and set:
    • Incoming claim type: UPN (the same one from the previous rule)
    • Outgoing claim type: Name ID
    • Outgoing name ID format: Unspecified
  • Click Finish.

NOTE: An email address must be defined for every user to achieve proper communication between your ADFS and your Asset Vision instance.
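For administrators who prefer scripting to the MMC wizards, the following performs Steps 2 and 3 with the AD FS PowerShell module. This is an added example, not part of the Asset Vision documentation or product: the display name, the metadata file path, and the claim rule text (the rule language the two wizards generate for the choices above, which you can compare against View Rule Language on your own server) are assumptions.

```powershell
# Added example (not from the Asset Vision documentation): Steps 2 and 3 via
# AD FS PowerShell. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$displayName  = 'Asset Vision'                      # assumed display name (step 2.2)
$metadataFile = 'C:\Temp\AssetVision-metadata.xml'  # assumed path of the exported SP metadata

# Step 3, rule 1 ("Send LDAP Attributes as Claims"): mail and UPN from Active Directory.
# Step 3, rule 2 ("Transform an Incoming Claim"): UPN becomes the SAML Name ID, format Unspecified.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Step 2.3, "Permit all users to access the relying party".
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 2.1-2.5: import the SP metadata, attach both rule sets and select SHA-1 as the
# secure hash algorithm (step 2.5). ADFS also accepts
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', the stronger choice when the SP supports it.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataFile $metadataFile `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $transformRules `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Check: the trust exists, its identifier was read from the metadata, and both
# transform rules are attached (expect two @RuleName entries).
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$rp | Select-Object Name, Identifier, SignatureAlgorithm, Enabled
[regex]::Matches($rp.IssuanceTransformRules, '@RuleName').Count
```

The rule text is what the two wizards write for the selections above; if your server's Edit Claim Rules dialog shows different claim type URIs under View Rule Language, use those.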

Step 4. Enabling SAML SSO in your Asset Vision domain

Log in to Asset Vision as an admin and go to Admin >> Login Management. If enabled, click on the Single Sign On link. If you do not see the Login Management tab, please contact your Scalable Software Account Representative or Scalable Technical Support at [email protected].

On this page you need to enter information about your Identity Provider (ADFS). All the required information can be retrieved from the IdP's Metadata XML, available at the following URL:

https://win.lab.com/FederationMetadata/2007-06/FederationMetadata.xml

Do not forget to replace win.lab.com with the domain name of your ADFS.

  • Default user role: the role assigned to new users created during SSO login
  • Identity provider (IdP): type the Identity Provider's (IdP) URL, e.g. http://win.lab.com/adfs/services/trust
  • SAML Certificate:
    • Locate the certificate in PEM format extracted in Step 1
    • Open it with your favorite plain-text editor and copy the contents
    • Paste the contents into the text area.

The certificate details will be computed when you click Apply.

  • Remote Single Sign-on URL: fill in the remote sign-in URL of your IdP. This is the URL to which Asset Vision redirects your users to sign in.
    https://win.lab.com/adfs/ls/
  • Remote Single Logout URL: fill in the remote sign-out URL of your IdP. This is the URL to which Asset Vision redirects your users when they sign out.
    https://win.lab.com/adfs/ls/?wa=wsignout1.0

The remaining fields define the SAML attribute names under which your IdP sends the user data that Asset Vision requires.
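The values for this page (and the token-signing certificate exported in Step 1) can be read straight from the federation metadata URL above instead of being copied by hand. The following script is an added example, not part of the Asset Vision documentation or product; win.lab.com, the output folder and the file name are assumptions, and it runs from any machine that can reach the ADFS server.

```powershell
# Added example (not from the Asset Vision documentation): extract the Step 4 values
# from the ADFS federation metadata and sanity-check the token-signing certificate.
$adfsHost    = 'win.lab.com'   # assumption: replace with your ADFS host name
$outDir      = 'C:\Temp'       # assumption: where the PEM certificate is written
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }

# "Identity provider (IdP)": the entityID, i.e. the Federation Service Identifier from Step 1.
$entityId = $md.EntityDescriptor.entityID

# "Remote Single Sign-on URL" / "Remote Single Logout URL": HTTP-Redirect endpoints of the IdP.
$redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
$sso = @(Select-Xml -Xml $md -Namespace $ns -XPath "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$redirect']")[0].Node.Location
$slo = @(Select-Xml -Xml $md -Namespace $ns -XPath "//md:IDPSSODescriptor/md:SingleLogoutService[@Binding='$redirect']")[0].Node.Location

# "SAML Certificate": the IdP's signing certificate. ADFS lists more than one during a
# certificate rollover; the first entry is the primary token-signing certificate.
$b64 = @(Select-Xml -Xml $md -Namespace $ns -XPath "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate")[0].Node.InnerText
$b64 = $b64 -replace '\s', ''

# Wrap the DER bytes as PEM (64-character lines), the same format the Step 1 export wizard produces.
$lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"
$pemPath = Join-Path $outDir 'adfs-token-signing.cer'
Set-Content -Path $pemPath -Value $pem -Encoding ascii

# Sanity check before pasting: the certificate parses and has not expired.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Token-signing certificate expired on $($cert.NotAfter); export the current one from ADFS."
}

[pscustomobject]@{
    'Identity provider (IdP)'   = $entityId
    'Remote Single Sign-on URL' = $sso
    'Remote Single Logout URL'  = $slo
    'SAML Certificate file'     = $pemPath
    'Certificate subject'       = $cert.Subject
    'Certificate thumbprint'    = $cert.Thumbprint
    'Certificate expires'       = $cert.NotAfter
} | Format-List
```

The sign-on and logout locations in the metadata are the SAML endpoints under /adfs/ls/; the logout URL shown above appends ?wa=wsignout1.0, which this script does not add. The thumbprint printed at the end should match the one shown under Certificates in the ADFS Management console before you paste the PEM into the SAML Certificate field.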

Configuration Complete

You have now configured your Asset Vision domain to provide SSO services. Your users can log in to your Asset Vision domain using the username and password stored in your ADFS Identity Provider.