Note: ADFS 2.0 on Windows Server 2008 r2 or ADFS 3.0 on Windows Server 2012 / 2012 r2)
SAML 2.0 single sign-on (SSO) supports integration with Microsoft Active Directory Federation Services (ADFS) 3.0.
Requirements
A fully installed and configured ADFS service.
A server running Microsoft Server 2008r2 or 2012/2012r2
An SSL certificate to sign your ADFS login page and the thumbprint of that certificate
In this example we are using ADFS 2.0 on Windows Server 2008 R2. On Windows Server 2012 the steps will be the same except for the installation, because you install AD FS role via the server manager, not via the installation package as on Windows 2008 server r2.
Step 1. AD FS Management
Login in to your AD FS server and launch the ADFS Management Console via the shortcut in Control Panel\Administrative Tools.
Step 2. Check AD FS settings
Right-click on Service and sel ect Edit Federation Service Properties...
Confirm that the General settings match your DNS entries and certificate names. Make a note with the Federation Service Identifier, since that is used in the iSpring Learn SAML 2.0 configuration settings.
Step 3. Token-Signing certificate
Browse to the certificates.
Right-click on the certificate and sel ect View Certificate.
Go to the Details tab.
Find the Thumbprint field and copy the contents of this field to the Windows clipboard.
Step 4. Learn Settings
Log in into your iSpring Learn account and go to the SSO settings via this link: https://YourAccоuntURL.ispringlearn.com/settings/sso
Ins ert your Thumbprint into the Certificate Fingerprint field and remove all spaces between characters.
Enter your data to the Metadata URL, Sign ON URL and Logout URL fields.
Step 5. ADFS Relying Party Configuration
Go to the ADFS Management console and select Relying Party Trusts, right-click on it and select Add Relying Party Trust…
Select Next On the Welcome Screen of the wizard, and on the Select Data Source step, select the last option: Enter data about the relying party manually.
On the next screen, enter a Display name that you will recognize in the future.
Next, select AD FS profile:
Leave the default values:
On the next screen, check the box labeled: Enable support for the SAML 2.0 WebSSO protocol. The service URL will be:https://YourAccоuntURL.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp
Click Next. Add Relying party trust identifier: https://YourAccоuntURL.ispringlearn.com/module.php/saml/sp/metadata.php/default-sp
Choose Permit all users to access this relying party.
On the next step, just click Next.
On the final screen, check the box Open the Edit Claim Rules dialogand use the Close button to exit.
Step 6. Creating Claims Rules
Add the first rule
Select Send LDAP Attributes as Claims
On the next screen, specify your Claim Rule, for Example E-mail to Learn, using Active Directory as your attribute store, and do the following:
Fr om the LDAP Attribute column, select E-Mail Addresses
Fr om the Outgoing Claim Type, enter “email”
Click on Finish or OK to save the new rule
After that, add the second rule and select Transform an Incoming Claim as the template
Give your Claim Rule a title, for example, Transform Account Name
Select Windows account name as the Incoming Claim Type
Under Outgoing Claim Type, select Name ID
Under Outgoing Name ID Format, select Transient Identifier
Leave the default rule Pass through all claim values
Finally, click on OK to create the claim rule, and then OK again to finish creating rules.
Step 7. Adjusting the Trust Settings
Some settings on your Relying Party Trust will need to be adjusted. To access these settings, select Properties from the Actions sidebar on the right while you have the Relying Party Trust selected.
Step 8. Logging
Go to your SSO login page: https://YourAccоuntURL.ispringlearn.com/sso/login and enter your credentials.
FAQs
Enable your Connection for at least one application.
- Go to Authentication > Enterprise > SAML.
- Select the connection that you want to test and click the ellipses (...) then click Try. The Microsoft Sign in screen will appear. Sign in and click Next.
To set up SAML, follow the steps below:
- Access your AD FS management console.
- Expand the Trust Relationships folder.
- Right-click Relying Party Trust and click Add Relying Party Trust…. ...
- Click Start on the wizard's Welcome screen.
- Choose Enter data about the relying party manually. ...
- Enter a display name, such as "KnowBe4".
To perform SSO with ADFS as Identity Provider, your application must be https enabled. Navigate to Server Manager Dashboard >Tools > ADFS Management. Navigate to ADFS > Application Groups. Right click on Application Groups & click on Add Application group then enter Application Name.
Is ADFS SAML 2.0 compliant? ›
AD FS server by default supports SAML 2.0 protocol and there are no additional requirements for it. Read More: Active Directory requirements for AD FS.
What are the steps in the SAML authentication process? ›
This is what a typical flow might look like: The principal makes a request of the service provider. The service provider then requests authentication from the identity provider. The identity provider sends a SAML assertion to the service provider, and the service provider can then send a response to the principal.
How to configure SSO in Active Directory? ›
Initial AD FS SSO Configuration
- Open Microsoft Server Manager and click the notification icon.
- Click the “Configure the federation service on this server” link.
- Select the “Create the first federation server in a federation server farm” option and click Next.
- Specify a domain admin account for AD FS configuration.
Implementation of SAML SSO follows 5 simple steps outlined in detail below.
- Step 1: Exchange of metadata information. ...
- Step 2: Identity provider configuration. ...
- Step 3: Enable SAML in Configuration. ...
- Step 4: Test the single sign-on connection. ...
- Step 5: Go live.
Azure Active Directory B2C (Azure AD B2C) supports federation with SAML 2.0 identity providers. This article shows you how to enable sign-in with a SAML identity provider user account, allowing users to sign in with their existing social or enterprise identities, such as ADFS and Salesforce.
What is the difference between SAML and LDAP Active Directory? ›
SAML acts as a communicator that sends assertion data between the SP and IdP to authenticate a user. LDAP, however, is considered an authority that actually does the validation.
How to configure adfs step-by-step? ›
Setting up the ADFS Server
- Go to Server Manager > Manage > Add Roles and Features. Select the Active Directory Federation Services role. ...
- Open the post-install configuration wizard for ADFS from the notification menu in Server Manager. Select Create the first server in a federation server farm.
Active Directory Federation Services (AD FS) is a feature of the Windows Server operating system that extends end users' single sign-on (SSO) access to applications and systems outside the corporate firewall.
What is the difference between ADFS and Azure AD SSO? ›
AD FS is a Microsoft identity solution that provides single sign-on (SSO) access to multiple applications and resources. It is a great choice for businesses that have multiple applications and services and need to provide secure access to them. Azure AD is a cloud-based identity management service from Microsoft.
What is the difference between SSO and SAML Federation? ›
Is identity federation the same as SSO? No, identity federation is broader, involving the establishment of trust relationships between different identity providers, while SSO focuses on seamless access to multiple applications with one set of credentials. 4.
Is SAML 2.0 outdated? ›
SAML 2.0 was introduced in 2005 and remains the current version of the standard. The previous version, 1.1, is now largely deprecated.
How does SAML 2.0 works? ›
SAML 2.0 (Security Assertion Markup Language) is an open standard created to provide cross-domain single sign-on (SSO). In other words, it allows a user to authenticate in a system and gain access to another system by providing proof of their authentication.
How do I enable SAML authentication? ›
To configure SAML single sign-on from Authentication policies:
- Go to admin.atlassian.com. ...
- Select Security > Authentication policies.
- Select Edit for the policy you want to configure.
- When you select Use SAML single sign-on, we redirect you from the authentication policy to the SAML SSO configuration page.
AD FS uses a claims-based access control authorization model. This process involves authenticating users via cookies and Security Assertion Markup Language (SAML). That means AD FS is a type of Security Token Service, or STS. You can configure STS to have trust relationships that also accept OpenID accounts.
How to configure ADFS step by step? ›
Setting up the ADFS Server
- Go to Server Manager > Manage > Add Roles and Features. Select the Active Directory Federation Services role. ...
- Open the post-install configuration wizard for ADFS from the notification menu in Server Manager. Select Create the first server in a federation server farm.
You can generally find these logs on the ADFS server, using the Event Viewer application. Once logged into your ADFS server, you can find it under Control Panel > Administrative Tools > Event Viewer. If you do not see the Administrative Tools option, try switching the view to "Small Icons" instead.
