Difference between revisions of "SSO Example Config Microsoft ADFS 2.0 for User Accounts"

From Hornbill
Revision as of 14:21, 2 January 2018


Related Articles

  • Single Sign On with SAML 2.0
  • Creating a Hornbill SSO Profile

IMPORTANT NOTICE

Information provided in this document is provided "as is" without warranty of any kind, either expressed or implied, including, without limitation, warranties of merchantability or fitness for a particular purpose. Hornbill uses all reasonable efforts to include accurate and up-to-date information in this document; it does not, however, make any warranties or representations as to its accuracy or completeness. Hornbill will periodically add, change, improve, or update the information in this document without notice.

While we make every effort to ensure this information is both accurate and useful to you, we want to remind you that we are not experts on vendor-specific IdP implementations of SAML 2.0 and are therefore not always able to provide support or troubleshooting advice for customer-specific Identity Provider or Federated Directory Services implementations. We adhere strictly to the SAML 2.0:2005 standard and will talk in the language and terminology set out in that standard rather than any vendor-specific terminology, which can in some cases be different and confusing if not properly understood. We expect that any troubleshooting in relation to configuring Hornbill for SSO will be carried out jointly between Hornbill and your own in-house or contracted expert, who understands both SAML 2.0 and the specific federated directory services provider you have deployed within your organisation. It is not practical for Hornbill's technical staff to be experts in the multitude of IdP solutions, or customer-specific deployments of the same, that are in use.

Hornbill Metadata

Prior to embarking on your configuration of the necessary ADFS Relying Party Trusts as detailed below, you will need to navigate to Hornbill Administration and obtain the Service Provider metadata that is used during the configuration of your trusts. The Service Provider metadata file contains, among other things, the Service Provider Entity ID and the Assertion Consumer Service (ACS) endpoint and binding that your IdP needs in order to deliver the SAML assertion during the authentication process. Importing this file, rather than typing the values in by hand, avoids mistakes in the Entity ID or ACS URL that would cause ADFS to reject Hornbill's authentication requests or to post assertions to the wrong place.

Log into Hornbill Administration and navigate to Home > System > Security > SSO Profiles. Towards the top right of the list are four buttons labelled "User", "Admin", "Service", and "Customer". Clicking one of these downloads the Hornbill metadata file for the associated Service URL.

USER - contains information for https://live.hornbill.com/[your instance name]
ADMIN - contains information for https://admin.hornbill.com/[your instance name]
SERVICE - contains information for https://service.hornbill.com/[your instance name]
CUSTOMER - contains information for https://customer.hornbill.com/[your instance name]

What metadata files do I need to download?

You will need to create a relying party trust in ADFS to represent each of the Hornbill URLs that will be used to access your Hornbill instance, and you will need the corresponding metadata file to support the creation of each trust.

  • "User" and "Admin" are always necessary. Therefore, as a minimum, you will have two relying party trusts, which require the corresponding metadata files.
  • "Service" and "Customer" represent the two portals that are available as part of the Hornbill solution. Whether you need to create a relying party trust for each of these depends on how you are using the Hornbill solution. The "Service" metadata file is required if you are implementing the Service Portal (this portal is used to deliver services to employees within your own organisation). The "Customer" metadata file is only required if you are setting up SSO for the Customer Portal (this portal is used to provide services to those outside of your organisation).
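Before importing a downloaded metadata file into ADFS it is worth reading back the values ADFS is about to trust. The following PowerShell is an added example, not part of the Hornbill page or Hornbill's own tooling: it parses a Service Provider metadata file and prints the Entity ID, the ACS endpoints with their bindings, and any certificates the file publishes, warning if an ACS endpoint is not HTTPS. The file name is an assumption; use whichever file you downloaded from SSO Profiles.

```powershell
# Added example, not from the Hornbill page: inspect a Hornbill SP metadata
# file before importing it into ADFS. The file name is an assumption.
param(
    [string]$MetadataFile = ".\hornbill-user-metadata.xml"
)

$md = New-Object System.Xml.XmlDocument
$md.Load((Resolve-Path $MetadataFile).ProviderPath)

# SAML 2.0 metadata and XML Signature namespaces
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$entity = $md.SelectSingleNode("/md:EntityDescriptor", $ns)
$sp     = $entity.SelectSingleNode("md:SPSSODescriptor", $ns)

# The Entity ID becomes the relying party identifier in ADFS; it must match
# the Issuer in the AuthnRequests Hornbill sends, or ADFS will reject them.
"Entity ID            : {0}" -f $entity.GetAttribute("entityID")
"AuthnRequestsSigned  : {0}" -f $sp.GetAttribute("AuthnRequestsSigned")
"WantAssertionsSigned : {0}" -f $sp.GetAttribute("WantAssertionsSigned")

# Assertion Consumer Service endpoints: where ADFS will deliver the assertion.
foreach ($acs in $sp.SelectNodes("md:AssertionConsumerService", $ns)) {
    $binding  = $acs.GetAttribute("Binding")
    $location = $acs.GetAttribute("Location")
    "ACS index {0}: {1} -> {2}" -f $acs.GetAttribute("index"), $binding, $location
    # The assertion carries the user's identity, so the endpoint must be HTTPS.
    if ($location -notlike "https://*") {
        Write-Warning "ACS endpoint is not HTTPS: $location"
    }
}

# Certificates published by the service provider, if any (signing/encryption).
foreach ($kd in $sp.SelectNodes("md:KeyDescriptor", $ns)) {
    $b64  = $kd.SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns).InnerText
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import([Convert]::FromBase64String($b64.Trim()))
    "Key use {0}: thumbprint {1}, expires {2:yyyy-MM-dd}" -f $kd.GetAttribute("use"), $cert.Thumbprint, $cert.NotAfter
}
```

Run it once per downloaded file (User, Admin, and Service or Customer where used). The Entity ID and ACS Location printed here are exactly what the Add Relying Party Trust wizard imports in the steps below, so any unexpected host name is a reason to stop before the trust is created.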

Configuring Microsoft ADFS 2.0 to work as an IdP for Hornbill User Accounts

(Figure: Example Claim Rule Configured for SSO only)

Connect to your ADFS server and open the ADFS Management Panel:

  1. Open AD FS 2.0 > Trust Relationships > Relying Party Trusts
  2. Click 'Add Relying Party Trust...'
  3. Click Start
  4. Select 'Import data about the relying party from a file' and click the Browse button
  5. Select the metadata file you downloaded from the SSO Profiles page in Hornbill Administration
  6. Click Next
  7. Enter a Display Name and click Next
  8. Choose 'Permit all users to access this relying party' and click Next. This issuance authorization rule lets any user who can authenticate to ADFS obtain an assertion for Hornbill; if only some users should reach the application, restrict the rule afterwards under 'Edit Claim Rules... > Issuance Authorization Rules'
  9. Click Close
  10. Open the Edit Claim Rules panel (click 'Edit Claim Rules...') if it does not open automatically
  11. Click Add Rule
  12. Select 'Send LDAP Attributes as Claims'
  13. Enter a rule name and select Active Directory as your attribute store
  14. You must set the Name ID, as Hornbill uses it to identify the user: the LDAP attribute you map to it must hold the same value as the user's identifier in Hornbill
  15. You can add other attributes if necessary (see 'Auto Provisioning Additional Configuration' below)
  16. Click Finish and OK to save


Auto Provisioning Additional Configuration (Optional)

(Figure: Example Claim Rule showing additional attributes for Auto-Provisioning)

If you wish to use auto provisioning, aside from the Name ID above, you will need to specify additional claim rule mappings to send the user details from your ADFS server to Hornbill which will be used in account provisioning:

  1. In the ADFS Management Panel open Trust Relationships > Relying Party Trusts
  2. Select the relying party trust you created for the User application
  3. Click 'Edit Claim Rules...'
  4. Select the 'Send LDAP Attributes as Claims' rule created above and click 'Edit Rule...'
  5. Map your LDAP attributes to outgoing claim types (for simplicity, type the outgoing claim type in rather than selecting it from the drop-down)
  6. An example claim rule complete with the additional attributes used during auto provisioning is shown in the figure above. The LDAP attributes shown are a typical example; check that your directory actually holds the expected information in those attributes, e.g. that "department" really contains the department name, because whatever the claim rule sends is what ends up in the provisioned Hornbill account.
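The two procedures above (creating the trust from the metadata, then the 'Send LDAP Attributes as Claims' rule with the Name ID and the optional auto-provisioning attributes) can be scripted on the ADFS server. The following PowerShell is an added example written for this page; it is not Hornbill's or Microsoft's own script. The display name, the metadata path, the LDAP attribute to outgoing claim type mappings, and the placeholder claim type URI used for department are all assumptions: replace the outgoing claim types with the ones your Hornbill SSO profile expects (see the figure above and the "Creating a Hornbill SSO Profile" article).

```powershell
# Added example, not from the Hornbill page: scripted equivalent of the GUI
# steps above. Run in an elevated PowerShell session on the ADFS server.

# ADFS 2.0 ships its cmdlets as a snap-in; later versions load a module.
if (-not (Get-Command Add-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$name         = "Hornbill User"                      # display name (assumption)
$metadataFile = "C:\sso\hornbill-user-metadata.xml"  # downloaded from SSO Profiles (assumption)

# Steps 1-9: create the trust from the SP metadata. The Entity ID and the
# ACS endpoint/binding are read from the file, not typed in by hand.
Add-ADFSRelyingPartyTrust -Name $name -MetadataFile $metadataFile

# Step 8, "Permit all users": an issuance authorization rule that always permits.
# Any user who can authenticate to ADFS can then obtain an assertion for Hornbill;
# tighten this rule if only some users should reach the application.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 11-16 plus the auto-provisioning mappings, as one "Send LDAP Attributes
# as Claims" rule. The attributes in the query are matched to the claim types
# in order. Name ID is mandatory; the rest are only needed for auto provisioning.
# The LDAP attributes and outgoing claim types are assumptions; the department
# claim type is a placeholder URI, not a Hornbill or Microsoft identifier.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Hornbill user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.example.com/claims/department"),
          query = ";sAMAccountName,mail,givenName,sn,department;{0}",
          param = c.Value);
'@

Set-ADFSRelyingPartyTrust -TargetName $name `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Read back what ADFS stored: identifier and SAML endpoints come from the
# metadata, the rules are the text above.
Get-ADFSRelyingPartyTrust -Name $name |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

Run the script once per Hornbill URL (User, Admin, and Service or Customer where used), changing the name and metadata file each time. The final Get-ADFSRelyingPartyTrust output is the place to confirm that the Identifier equals the Entity ID from the metadata and that the ACS endpoint is the expected Hornbill host, and the query string is where a wrong LDAP attribute (step 6 above) would show up before any account is provisioned.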

Configuring Single Sign-on in the Browser

For "Authentication Pass Through" (the browser sending the signed-in user's Windows credentials to ADFS silently instead of prompting for a login) the federation service address must be trusted by the browser. Add only your own federation service host: every site in these lists will receive the user's Windows credentials automatically.

Internet Explorer and Chrome

For Internet Explorer (Chrome on Windows uses the same Internet Options zone settings) the following will need to be set:

  1. Tools > Internet Options
  2. Select the Security tab
  3. Click on the "Local intranet" zone icon to highlight it, then click the "Sites" button
  4. The default option "Automatically detect intranet network" can be left ticked
  5. Click the "Advanced" button
  6. Use the Add button to add your federated services address, for example https://fs.hornbill.com

NOTE: The option "Require server verification (https:) for all sites in this zone" can remain un-ticked.

Firefox

For Firefox the following will need to be set:

  1. Type about:config into the address bar
  2. Search for network.automatic-ntlm-auth.trusted-uris
  3. Add your federated services address, for example fs.hornbill.com, to the value (multiple values are comma-separated)

If your ADFS servers authenticate intranet users with Kerberos (Negotiate) rather than NTLM, add the same address to network.negotiate-auth.trusted-uris as well.

Next Steps

  • Configure a SSO Profile in Hornbill