1. What is ADFS?
ADFS is an authentication and authorization layer built on top of Active Directory.
2. What makes ADFS unique?
Many corporations and partners keep their directory services on-premise in Active Directory. To enable single sign-on, companies do not want to punch holes in their firewalls and allow external entities to make calls into AD. Active Directory Federation Services (ADFS) is a feature of the Windows Server OS that extends the end user's single sign-on access to applications and systems outside the corporate firewall.
As organizations rely more and more on SaaS applications, ADFS is an important tool they can use.
3. How to configure ADFS?
The following steps will help you configure your ADFS environment to enable SSO for the Right Hand application.
a. Creating a Relying Party Trust
First, open the ADFS server manager and click on the Tools menu item.
Then click on AD FS Management. It will open a new window for you.
Then click on Add Relying Party Trust. A configuration window will open.
Proceed with the configuration by clicking Start.
Select the option highlighted in the screenshot below and click Next.
Enter the Display name and proceed.
Leave the next step as it is and click Next.
Enable the SAML 2.0 support checkbox and paste the SAML URL, which you can get from Settings -> Integrations -> SAML 2.0 -> SSO Sign In URL in your Right Hand Portal, and then click Next.
Type the Relying party trust identifier in the input field and press the Add button. It will appear in the Relying party trust identifier section.
Choose Permit everyone and click on Next.
Continue without making any changes.
Close the window.
b. Add Claim Issuance Policy rules
Now, you will see your Relying party trust in your ADFS management window. Click on it and go to Edit Claim Issuance Policy from the Actions section.
It will open a new wizard. Click on Add Rule in that window.
Select the following and press Next.
Fill in the Fields as follows and click on Finish.
Press the Add Rule button again.
Select the following and proceed.
Fill in the values as follows and click on Finish.
c. Apply the rules
Now, click the Apply and OK buttons as shown below.
Now, go to Properties.
Go to the Advanced tab and make sure that SHA-256 is selected as the Secure hash algorithm. Now, click OK.
Then go to the Identifiers tab, paste the SAML URL from Settings -> Integrations -> SAML 2.0 -> SSO Sign In URL into the Relying party identifier text box, and click Add.
Click Apply and then Save.
You are good to go with your Relying party trust.
4. Steps to download XML file
https://<ADFSserver.example_domain.com>/FederationMetadata/2007-06/FederationMetadata.xml
ADFSserver.example_domain.com is the fully qualified domain name (FQDN) of your AD FS server.
Download the XML file using the above link.
5. Steps for ADFS Integration in RH using Manual Inputs
IdP SSO Entry Point
Example: <Address>ADFSserver.example_domain.com/adfs/ls/</Address>
Issuer
Example: entityID="http://xyz/adfs/services/trust"
IdP Cert Fingerprint (.Pem File)
Inside the <ds:Signature ….> element of the metadata, select the value between the <X509Certificate> tags:
<X509Data><X509Certificate>…</X509Certificate></X509Data>
OR
Certificate
Open your AD FS management console and go to AD FS -> Service -> Certificates.
Double-click the certificate listed under Token-signing. A small window will open. Go to the Details tab in that window and click the Copy to File button. This opens an export wizard; proceed by clicking Next. Then select the Base-64 encoded X.509 (.CER) format and proceed. Browse to the location where you want to save the certificate file and click Next. Finally, click Finish.
Now, go to the location where you saved the file, open it in any text editor, and copy the certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Paste it into the Right Hand Portal by following the steps shown in the screenshot below.
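The values that sections 4 and 5 ask you to copy by hand (Issuer, IdP SSO Entry Point, token-signing certificate and its fingerprint) all live in FederationMetadata.xml, so they can be extracted programmatically and checked before being pasted into the portal. The following Python script is an added example and is not part of this guide or of the Right Hand product. It runs against a constructed stand-in metadata document with a placeholder certificate value (not a real certificate); the function names, the sample metadata and the choice to read the certificate from the KeyDescriptor use="signing" entry under IDPSSODescriptor (the key that signs SAML assertions) are assumptions of the example. The fingerprint is SHA-256, matching the hash algorithm selected in section 3c; if the portal field expects a SHA-1 fingerprint, swap the hash function.

```python
"""Extract Issuer, SSO entry point and the token-signing certificate (PEM plus
SHA-256 fingerprint) from an AD FS FederationMetadata.xml document.

Added example: the metadata below is a constructed stand-in, not output from a
real AD FS server, and the certificate value is a placeholder byte string."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder standing in for DER certificate bytes (not a real cert).
FAKE_DER = b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE"

# Constructed sample with the shape of an AD FS metadata file.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://ADFSserver.example_domain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ADFSserver.example_domain.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ADFSserver.example_domain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated, uppercase SHA-256 digest of the DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(b64_der: str) -> str:
    """Wrap a base64 certificate body in the BEGIN/END CERTIFICATE lines, 64 chars per line."""
    body = "".join(b64_der.split())  # tolerate any whitespace/line wrapping in the XML text
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def parse_federation_metadata(xml_text: str) -> dict:
    """Return issuer, SSO entry point, PEM certificate and SHA-256 fingerprint.

    Raises ValueError instead of returning partial data, so a wrong file
    (e.g. SP metadata or metadata without a signing key) is caught up front."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    sso_entry_point = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:  # the /adfs/ls/ endpoint used as Entry Point
            sso_entry_point = svc.get("Location")
    if not sso_entry_point:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")

    cert_el = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        raise ValueError("no token-signing X509Certificate in metadata")
    b64 = "".join(cert_el.text.split())
    der = base64.b64decode(b64, validate=True)  # rejects non-base64 garbage early

    return {
        "issuer": issuer,
        "sso_entry_point": sso_entry_point,
        "certificate_pem": to_pem(b64),
        "fingerprint_sha256": sha256_fingerprint(der),
    }


if __name__ == "__main__":
    for key, value in parse_federation_metadata(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

To use it on a real download, replace SAMPLE_METADATA with the contents of the file fetched from the FederationMetadata URL in section 4. Reading the certificate from the KeyDescriptor rather than from the metadata's own <ds:Signature> block means the script picks the key that will sign assertions even if the metadata signature were ever produced with a different certificate; a mismatch between the two is worth investigating before going live.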
6. Steps for ADFS Integration in RH using XML
Go to Settings → Integration → Add Integration.
In the Select IdP field, choose Active Directory Federation Services.
Provide a valid IdP Integration Name.
Upload the XML file in the Upload XML Metadata field.
After a successful upload, the remaining 3 fields will be filled in automatically.
Click on Save.
The newly added integration will be listed in the Connectors list.
Now, your ADFS integration is complete.
Now, go to the URL which you added as your Entry Point by using the following format:
https://<company_ad_domain>/adfs/ls/idpinitiatedsignon.aspx?logintoRP=<your_relying_party_trust_identifier>
Enter the email and password of your AD user and proceed.
After successful authentication, you will be redirected to the Right Hand Dashboard.
7. How the authentication process should work in Right-Hand:
The user's email must be synced to the Right-Hand portal.
ADFS must be enabled and configured inside Right Hand Portal as mentioned in the guide above.
Relying party trust should be added inside ADFS (AD Server) as mentioned in the guide above.
Your employees will be directed to your organization's ADFS URL.
The Right-Hand application will appear in the drop-down menu for your employees.
Important Note
If the employee was added manually, or the email field is empty for the user's entity in ADFS for some other reason, the login will not complete after ADFS authentication.