ADFS SAML Integration

This topic describes how to set up Active Directory Federation Services (ADFS 2.0 and 3.0) as the identity provider for Agiloft SAML single sign-on.

Prerequisites

  • Administrator-level login credentials for Agiloft and the Windows server hosting ADFS.
  • The ADFS configuration details. ADFS publishes these as an XML file, commonly known as the IdP SAML Metadata XML, at https://[ADFS SERVER]/FederationMetadata/2007-06/FederationMetadata.xml. Download it over HTTPS from the ADFS server itself, since the file contains the token-signing certificate that Agiloft will trust.
  • If you cannot obtain the metadata XML, you must obtain the following details from the Identity Provider:
    • IdP Entity ID/Issuer
    • IdP Login URL
    • IdP Logout URL
    • IdP X.509 token-signing certificate
  • The SAML attribute names that carry user groups and teams, if you intend to create users in Agiloft during login events.

When you configure SAML SSO in Agiloft, you will have the option to create users in Agiloft when they first log in. If you choose this option, you'll also need to select which default groups and teams the user is assigned to, or map them from SAML attributes. You'll need the exact names of the SAML attributes containing the user's groups, teams, and Primary Team.
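
Before pasting values into the Agiloft wizard, it helps to pull them out of the ADFS metadata mechanically and check the signing certificate. The following PowerShell is an added example, not part of the Agiloft documentation or product; it assumes the metadata was saved to C:\temp\FederationMetadata.xml (a hypothetical path) and prints the four values the Identity Provider Details tab asks for.

```powershell
# Added example (not from the Agiloft docs): extract the IdP values the Agiloft wizard needs
# from an ADFS FederationMetadata.xml and flag a token-signing certificate that is about to expire.
# The metadata path is hypothetical; change it to wherever you saved the download.
param(
    [string]$MetadataPath = 'C:\temp\FederationMetadata.xml'
)

[xml]$md = Get-Content -Path $MetadataPath -Raw

# SAML metadata is namespaced; register the namespaces so XPath can locate the elements.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$idp = $md.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
if (-not $idp) { throw "No IDPSSODescriptor in $MetadataPath - this is not IdP metadata." }

# Agiloft starts SP-initiated SSO with a browser redirect, so take the HTTP-Redirect endpoints.
$redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
$sso = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$redirect']", $ns)
$slo = $idp.SelectSingleNode("md:SingleLogoutService[@Binding='$redirect']", $ns)

# Use the KeyDescriptor marked use="signing". The use="encryption" certificate is a different key;
# pasting it into the SP makes every assertion signature check fail. During an ADFS certificate
# rollover there can be two signing entries; the first one is the primary.
$certNode = $idp.SelectSingleNode("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$certBytes = [Convert]::FromBase64String($certNode.InnerText)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)

[pscustomobject]@{
    'IdP Entity ID/Issuer'    = $md.DocumentElement.GetAttribute('entityID')
    'IdP Login URL'           = $sso.Location
    'IdP Logout URL'          = if ($slo) { $slo.Location } else { '(not published)' }
    'Signing cert subject'    = $cert.Subject
    'Signing cert thumbprint' = $cert.Thumbprint
    'Signing cert expires'    = $cert.NotAfter
    'Signing cert (PEM body)' = $certNode.InnerText.Trim()
}

# ADFS rolls its token-signing certificate automatically; when it does, the copy in Agiloft
# goes stale and logins fail with a signature error. Warn while there is still time to plan.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires $($cert.NotAfter); update the Agiloft IdP certificate before then."
}
```

Paste the PEM body into the IdP Provided X.509 certificate field and the three URLs and entity ID into their matching fields. Keep the thumbprint in your change record: it is the quickest way to confirm later that Agiloft still trusts the certificate ADFS is actually signing with.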

In Agiloft

Note: the Agiloft-side instructions in this topic are simplified; for more detailed steps see SAML 2.0 SSO.

  1. Navigate to Setup > Access.
  2. Select Configure SAML 2.0 Single Sign-On.
  3. On the General tab:
    1. Select Enable SAML SSO.
    2. Select Create SAML IdP Authenticated user in Agiloft if you want users provisioned automatically on first login. If this option is not selected, only users that already exist in Agiloft can log in via SAML SSO.
    3. Select the last checkbox only if you want the user attributes in Agiloft re-synchronized from the IdP on every login. If you leave it deselected, attributes are copied from the IdP only when the user is first created, and later changes in Active Directory are not reflected in Agiloft.
    4. Select Employees in the drop-down to add users to the Table/Subtable shown below.
  4. Select the Service Provider Details tab.
  5. Enter the Keystore file path, Java KeyStore Password, and Alias.
    Note: If you do not already have this information and you are a hosted customer, contact Agiloft support. If you are an on-premise customer, please see Generate a Keystore File.
  6. Select the Identity Provider Details tab and fill in the matching fields with the configuration details obtained from the IdP in the prerequisites, including:
    1. SAML Metadata XML contents obtained from your IdP
    2. IdP Entity ID/Issuer 
    3. IdP Login URL
    4. IdP Logout URL
    5. IdP Provided X.509 certificate contents
    Note: There is an option on the Identity Provider Details tab to close the SAML Configuration wizard without entering the IdP details in this tab. If you select this, press Finish and come back later to complete the above steps once you have the necessary details. 
  7. Click Finish. 
  8. Select Download SAML 2.0 Service Provider Metadata and save it where it is easily accessible. You will need to upload this file into the IdP in a later step.

In ADFS

Follow these steps to integrate ADFS 2.0 or 3.0:

  1. In your Windows Server instance, open the ADFS Management Console
  2. Select the Relying Party Trusts folder and add a new Standard Relying Party Trust from the Actions sidebar.
    1. In the Select Data Source screen, select the second option (Import data about the relying party from a file) and upload the Agiloft SP Metadata XML file you downloaded from Agiloft.
    2. On the next screen, enter a Display name - for example, SKS-Agiloft SAML.
    3. On the next screen, select the ADFS profile radio button.
    4. On the next screen, choose whether to configure multi-factor authentication.
    5. On the next screen, select 'Permit all users to access this relying party.'
    6. On the next two screens, the wizard will display an overview of your settings. 
    7. On the final screen click Close to exit and open the Claim Rules editor.
  3. Once the relying party trust has been created, add the claim rules and then make the one change to the Relying Party Trust (RPT) that the wizard does not set (the signing algorithm, below).
  4. To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
  5. On the next screen, using Active Directory as your attribute store, do the following:
    1. In the LDAP Attribute column, select E-mail Addresses.
    2. In the Outgoing Claim Type, select E-mail Address.
    3. Click OK to save the new rule.
  6. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
  7. On the next screen:
    1. Select E-mail Address as the Incoming Claim Type.
    2. For Outgoing Claim Type, select Name ID.
    3. For Outgoing Name ID Format, select Email.
    4. Click OK to save the rule. The user's AD e-mail address is now sent as the SAML NameID, which is the value Agiloft uses to identify the user.
  8. Change the signing algorithm on the relying party trust: with the RPT selected, choose Properties from the Actions sidebar, open the Advanced tab, and switch the Secure hash algorithm from SHA-256 to SHA-1.
    Note: SHA-1 is a deprecated signature hash and ADFS defaults to SHA-256 for good reason. Make this change only because the Agiloft service provider requires it, record it as a known exception, and confirm with Agiloft support whether your release accepts SHA-256 so that the default can be restored.
  9. Click OK to close the RPT Properties dialog and confirm the endpoint and rule changes.
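
The same relying party trust can be created from the ADFS PowerShell console instead of the wizard, which leaves a reviewable, repeatable record of exactly which claim rules and signing algorithm were set. The script below is an added example, not part of the Agiloft documentation; it uses the display name from the steps above and assumes the Agiloft SP metadata was saved to C:\temp\agiloft-sp-metadata.xml (a hypothetical path).

```powershell
# Added example (not from the Agiloft docs): create the Agiloft relying party trust with the
# ADFS cmdlets, reproducing the wizard steps above. The SP metadata path is hypothetical.
Import-Module ADFS   # ADFS 3.0 on Windows Server 2012 R2; on ADFS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell

$name         = 'SKS-Agiloft SAML'
$spMetadata   = 'C:\temp\agiloft-sp-metadata.xml'
$emailClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$nameIdFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

# Rule 1 is the wizard's "Send LDAP Attributes as Claims" (AD mail -> E-mail Address).
# Rule 2 is "Transform an Incoming Claim" (E-mail Address -> Name ID, format Email).
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail as E-mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail Address as Name ID"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "$nameIdFormat");
"@

# The wizard's "Permit all users to access this relying party". Restrict this to a group
# if only part of the directory should be able to reach Agiloft.
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# SHA-1 only because the Agiloft SP requires it (the Advanced tab step above); SHA-256 is the default.
$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

Add-AdfsRelyingPartyTrust -Name $name -MetadataFile $spMetadata `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm $sha1

# Read the trust back and run the checks a reviewer would make before handing it over.
$rpt = Get-AdfsRelyingPartyTrust -Name $name
$rpt | Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints

if ($rpt.SignatureAlgorithm -ne $sha256) {
    Write-Warning "$name signs with SHA-1; restore SHA-256 once the Agiloft side accepts it."
}

# The Assertion Consumer Service endpoint comes from the SP metadata and must be https;
# an http:// ACS would deliver signed assertions (bearer tokens) over the network in clear.
$rpt.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' } | ForEach-Object {
    if ($_.Location.Scheme -ne 'https') { Write-Warning "Non-HTTPS ACS endpoint: $($_.Location)" }
}
```

Run this on the ADFS server as a member of the local Administrators group. Because the claim rule text is stored with the trust, Get-AdfsRelyingPartyTrust lets you diff the live configuration against this script later, which is harder to do with wizard-created trusts.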

At this point, ADFS is fully configured. 

Log In to Agiloft with ADFS

Once ADFS integration has been properly configured, users can log in to Agiloft by authenticating with the ADFS server.

  1. Point your browser to https://{server}/gui2/samlssologin.jsp?project={kbName}, where {server} is the IP address or FQDN of the server hosting the Agiloft instance and {kbName} is the name of your knowledgebase.
  2. This URL starts SP-initiated SSO: Agiloft sends a SAML authentication request to the IdP and your browser is redirected to the ADFS login page.
  3. After ADFS authenticates the user, the signed assertion is posted back to Agiloft. If the user does not yet exist in Agiloft and you selected Create SAML IdP Authenticated user in Agiloft during setup, the user is provisioned automatically at this point.
  4. If you already hold an ADFS session, ADFS issues the assertion without prompting and you are forwarded directly to the Agiloft interface.