Configure SAML-based SSO using Active Directory Federation Services (AD FS)

Overview

Get started with simplified user logins by setting up single sign-on (SSO) with Active Directory Federation Services for your site. After you set up SSO, your users can sign in to the mobile app by using their AD credentials.

Add new Relying Party Trust

  1. Using the AD FS Management tool, select Trust Relationships > Relying Party Trusts.
  2. Select Add Relying Party Trust.
  3. On the Welcome screen, select Start.

  4. Select Data Source:
    1. Select Enter data about the relying party manually.
    2. Select Next.
  5. Specify Display Name:
    1. Enter a name (e.g. SchoolInfoApp SSO).
    2. Select Next.
  6. Choose Profile:
    1. Select AD FS 2.0 profile.
      1. If you don't see it, select the one that supports SAML 2.0.
    2. Select Next.
  7. Configure Certificate:
    1. Select Next. This page is for an optional token encryption certificate; leaving it empty means AD FS signs the SAML assertions but does not encrypt them, which is what our service provider expects.
  8. Configure URL:
    1. Select the Enable support for the SAML 2.0 WebSSO protocol check box.
    2. Relying party SAML 2.0 SSO service URL: https://sia-sso.azurewebsites.net/Saml2/Acs
  9. Configure Identities:
    1. Relying party trust identifier: https://sia-sso.azurewebsites.net/Saml2
    2. Select Add.
    3. Select Next.
  10. Configure Multi-factor Authentication:
    1. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time.
    2. Select Next.
  11. Choose Issuance Authorization Rules:
    1. Select Permit all users to access this relying party. (Every account that can authenticate to AD FS will then receive an assertion; you can tighten this later with an issuance authorization rule if only some users should reach the app.)
    2. Select Next.
  12. Ready to Add Trust
    1. Select Next.
  13. Select Close.

Add claim rules

  1. Using the AD FS Management tool, select Trust Relationships > Relying Party Trusts.
  2. Select the newly created Relying Party Trust.
  3. Select Edit Claim Rules.
  4. Select Add Rule.

  5. Choose Rule Type:
    1. Claim rule template: Send LDAP Attributes as Claims
    2. Select Next.
  6. Configure Claim Rule:
    1. Claim rule name: LDAP Attributes
    2. Attribute store: Active Directory
    3. Mapping of LDAP attributes to outgoing claim types:
      1. E-Mail-Addresses -> E-Mail Address
      2. Given-Name -> Given Name
      3. Surname -> Surname
      4. (Optional) Any attribute (e.g. Department, Job title, etc.) -> Role
        1. If you have an attribute that stores the user's role, map it here.
        2. We use its value to map users to the different roles in our system.
    4. Select Finish.
  7. Select Add Rule again.
  8. Choose Rule Type:
    1. Claim rule template: Transform an Incoming Claim
    2. Select Next.
  9. Configure Claim Rule:
    1. Claim rule name: Transform Email
    2. Incoming claim type: E-Mail Address
    3. Outgoing claim type: Name ID
    4. Outgoing name ID format: Email
    5. Pass through all claim values
    6. Select Finish.
  10. Do not change the order of the rules. LDAP Attributes must come before Transform Email: AD FS evaluates rules in order, and the transform can only turn the E-Mail Address claim into a Name ID if an earlier rule has already issued it.
  11. Select OK to finish creating rules.

(Optional) Send Group Membership as a claim

If you want to map users to different roles based on their membership, follow these steps.
  1. Using the AD FS Management tool, select Trust Relationships > Relying Party Trusts.
  2. Select the newly created Relying Party Trust.
  3. Select Edit Claim Rules.
  4. Select Add Rule.
  5. Choose Rule Type:
    1. Claim rule template: Send Group Membership as a Claim
    2. Select Next.
  6. Configure Claim Rule:
    1. Locate the group that you wish to map to the role by using the Browse button.

    2. Outgoing claim type: Role
    3. Outgoing claim value: something short that identifies the group (e.g. student, teacher, admin...)
      1. Note down the value, you have to send it to us later.
    4. Select Finish.

  7. Repeat these steps for each additional group you want to map.
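The three procedures above (the relying party trust, the two claim rules, and the optional group-to-role rules) can also be created from PowerShell. The script below is an added example and is not taken from this article or from SchoolInfoApp; it uses the AD FS module on the AD FS server, and the domain name CONTOSO and the groups Students and Teachers are placeholders you must replace with your own. The SchoolInfoApp URLs are the ones given in the steps above.

```powershell
# Added example (not from the original article or SchoolInfoApp): the same
# relying party trust and claim rules as the GUI walkthrough, created with the
# AD FS PowerShell module. Run in an elevated PowerShell session on an AD FS server.
# Assumptions: domain NetBIOS name CONTOSO and groups "Students"/"Teachers" are
# placeholders; the SchoolInfoApp URLs are the ones given in the article.
Import-Module ADFS

$rpName = 'SchoolInfoApp SSO'
$rpId   = 'https://sia-sso.azurewebsites.net/Saml2'
$acsUrl = 'https://sia-sso.azurewebsites.net/Saml2/Acs'

# Step 8: SAML 2.0 WebSSO endpoint (HTTP-POST binding to the SP's ACS URL).
$acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $acsUrl -Index 0

# Step 11: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# "Add claim rules": rule 1 sends LDAP attributes, rule 2 transforms the e-mail
# claim into the Name ID. Rule order matters: rule 2 consumes the e-mail claim
# that rule 1 issues, so rule 1 must come first in this string.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Optional "Send Group Membership as a Claim": one rule per group -> role value.
# The GUI stores the group's SID rather than its name, so resolve it the same way.
$roleMap = @{ 'Students' = 'student'; 'Teachers' = 'teacher' }   # placeholder groups
foreach ($group in $roleMap.Keys) {
    $sid = (New-Object System.Security.Principal.NTAccount('CONTOSO', $group)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $transformRules += @"

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Role for $group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "$($roleMap[$group])", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
}

# Steps 4-13: create the trust. No encryption certificate is given (step 7), so
# assertions are signed but not encrypted, exactly as in the GUI walkthrough;
# TLS to the ACS URL is what protects them in transit.
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpId -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules

# Check what was created before sending the details to the SP.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, Enabled, @{n='ACS'; e={ $_.SamlEndpoints.Location }}
```

Keep the outgoing Role values (here student and teacher) identical to the ones you send in the setup e-mail; the mapping on our side is a plain string match.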

Email us the setup information

Please send the Entity ID and Metadata URL to content@schoolinfoapp.com with subject "SSO - ADFS" along with the desired default role and an optional role mapping. List the possible values that can appear in the "Role" attribute and the role each should translate to in SchoolInfoApp's system. The default role is assigned to every user we are unable to map.

Example setup information:
  1. Entity ID: http://your_adfs_FQDN/adfs/services/trust (e.g.: http://adfs.schoolinfoapp.com/adfs/services/trust). This is the Federation Service identifier shown under Edit Federation Service Properties in AD FS Management; it is an identifier string, not a page to browse, so the http:// scheme is correct and must be sent exactly as AD FS reports it.
  2. Metadata URL: https://your_adfs_FQDN/FederationMetadata/2007-06/FederationMetadata.xml
  3. Default role: Other
  4. (Optional) Role mapping:
    1. your_role - Administrator
    2. student - Student
    3. teacher - Teacher
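To collect the Entity ID and Metadata URL from the AD FS server itself, and to confirm the metadata our service provider will download actually matches, the following added example (not part of the original article) reads them with the AD FS PowerShell module. It assumes an elevated session on the AD FS server and that the federation metadata endpoint is reachable from it.

```powershell
# Added example (not from the original article): gather the values the article
# asks for from AD FS itself and sanity-check the metadata endpoint before
# sending them. Assumes an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$props       = Get-AdfsProperties
$entityId    = $props.Identifier.ToString()   # Federation Service identifier, e.g. http://adfs.example.com/adfs/services/trust
$metadataUrl = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"

# Download the metadata the way the SP will and make sure its entityID is the
# identifier we are about to send; a mismatch means the SP would reject assertions.
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
if ($md.EntityDescriptor.entityID -ne $entityId) {
    throw "Metadata entityID '$($md.EntityDescriptor.entityID)' does not match Federation Service identifier '$entityId'"
}

# The SP trusts whichever token-signing certificate the metadata advertises.
# Report expiry so a certificate rollover is planned before logins start failing.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary,
        @{n='NotAfter';   e={ $_.Certificate.NotAfter }},
        @{n='Thumbprint'; e={ $_.Certificate.Thumbprint }}

# Values to paste into the setup e-mail.
[pscustomobject]@{
    'Entity ID'    = $entityId
    'Metadata URL' = $metadataUrl
} | Format-List
```

If AD FS is set to roll over its token-signing certificate automatically, the metadata will advertise the new certificate ahead of the switch; an SP that reads the metadata URL picks that up, whereas one configured from a one-time copy of the certificate will not.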
