(Version 7.9.9+, Enterprise+SSO)

The following steps can be used to set up and configure SAML SSO with AD FS. Other providers can be used with SAML SSO as well; see the related links below.

Related:


Initial AD FS Setup:

Use the reference link below to set up an AD FS environment:

Requirements:

An environment with 2 machines:

  • A server acting as:
    • Domain Controller (DC), Domain Name System (DNS), and Active Directory Federation Services (AD FS) server
  • A server acting as:
    • the Service Provider (or Relying Party)
    • with Pleasant Password Server installed

Overview - Installing AD FS

  • Create a Group Managed Service Account (GMSA) for use by AD FS
  • Create and install a certificate (3rd-Party / Self-Signed) for AD FS to use
  • Install the AD FS server role
  • Configure AD FS with the certificate and GMSA previously created
  • Add DNS records

Part 1 - Enable SAML in Password Server

Activate External Authentication:

  1. Go to the configuration page:
    • Users & Roles > Authentication Services
  2. Click Add SAML Configuration
  3. Provide an Issuer Name value
    • This value identifies your Pleasant Password Server application to the Identity Provider (AD FS)
    • The exact value doesn't matter, but it will be needed during Part 2
  4. (optional) Provide a certificate for digitally signing SAML requests and responses
    • Single Log Out (SLO) on AD FS requires that the requests be signed
    • See the addendum sections below for instructions on creating and configuring a signing certificate
    • This certificate can be a self-signed certificate for AD FS
  5. Save the configuration
  6. Another screen will show the SAML Configuration values:
    • Save the values for Issuer Name, Assertion Consumer Service URL, and Single Log Out Service URL
    • If using a certificate for signing you will also need to export the public key
    • If the URLs point to localhost but that is not the URL you intend to use, sign in to Password Server via the intended URL first so the generated values use it

Part 2 - Configure AD FS

  1. Open Administrative Tools
  2. Open AD FS Management
  3. Select Trust Relationships > Relying Party Trusts
    • AD FS refers to the application as a Relying Party, which is synonymous with Service Provider
  4. In the actions pane, select Add Relying Party Trust...
  5. In Welcome click Start
  6. In Select Data Source
    • Select Enter data about my relying party manually
    • Click Next
  7. In Specify Display Name
    • Enter a name for the application like Pleasant Password Server
    • Click Next
  8. In Choose Profile
    • Select AD FS Profile (first option)
    • Click Next
  9. In Configure Certificate
    • (optional) Select the public key from a certificate to be used to encrypt the SAML claims
    • This can be a self-signed certificate, and may be the same certificate that will be used for verifying signatures
    • Click Next
  10. In Configure URL
    • Check Enable support for the SAML 2.0 WebSSO protocol
    • Enter the Assertion Consumer Service URL you noted earlier
    • Click Next
  11. In Configure Identifiers
    • Enter the Issuer Name value you noted earlier
    • Click Add
    • Click Next
  12. In Configure Multi-factor Authentication Now?
  13. In Choose Issuance Authorization Rules
    • Select Permit all users to access this relying party
    • Specific access rules can be added later, if desired
    • Click Next
  14. In Ready to Add Trust click Next
    • This page just provides a summary of the configuration for your review
  15. In Finish
    • Ensure that Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is checked
    • Click Close
  16. In the Issuance Transform Rules tab
    • Click Add Rule...
    • Select Send LDAP Attributes as Claims and click Next
    • Enter Account Name as the Claim rule name
    • Select Active Directory as the Attribute store
    • Select SAM-Account-Name as the LDAP Attribute
    • Select Name ID as the Outgoing Claim Type
    • Click Finish to close the wizard
    • Click OK to close the Edit Claim Rules dialog
  17. (optional) Configure Single Log Out (SLO)
    • Double-click your relying party trust to open the properties dialog
    • Select the Signature tab
    • Click Add and select the public key certificate that you exported for signing in Part 1
    • Select the Endpoints tab
    • Click Add SAML...
    • Select SAML Logout for Endpoint type
    • Select POST for Binding
    • Enter the value of Single Log Out Service URL noted above for Trusted URL and Response URL
    • Click OK to add the endpoint
    • Click OK to close the properties dialog
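The wizard steps above can also be scripted with the AD FS PowerShell module. The following is an added example, not part of the Pleasant Password Server documentation: it creates the same relying party trust (identifier, SAML 2.0 assertion consumer endpoint, optional logout endpoint, signing certificate, permit-all authorization rule and the sAMAccountName-to-Name ID claim rule from step 16). The display name, Issuer Name, URLs and certificate path are placeholders; replace them with the values you noted in Part 1.

```powershell
# Added example (not from the Pleasant Password Server documentation): creates the
# relying party trust from Part 2 with the ADFS PowerShell module instead of the wizard.
# Run on the AD FS server in an elevated PowerShell session.
Import-Module ADFS

$rpName          = 'Pleasant Password Server'                                      # display name (step 7)
$issuerName      = 'urn:pleasant:password-server'                                  # Issuer Name from Part 1, step 3 (placeholder)
$acsUrl          = 'https://passwords.yourdomain.com/SAML/AssertionConsumerService' # ACS URL from Part 1, step 6 (placeholder)
$sloUrl          = 'https://passwords.yourdomain.com/SAML/SingleLogoutService'      # SLO URL from Part 1, step 6 (placeholder)
$signingCertPath = 'C:\certs\pps-signing-public.cer'                               # public key exported in Part 1 (placeholder)

# Step 16 equivalent: send the LDAP attribute sAMAccountName as the Name ID claim.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Account Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Step 13 equivalent: permit all users; tighten this later if only a group should sign in.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 10: SAML 2.0 WebSSO assertion consumer endpoint using the POST binding.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Step 17 (optional): SAML logout endpoint; Trusted URL and Response URL are both the SLO URL.
$sloEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $sloUrl -ResponseUri $sloUrl

# Step 17: the public key Password Server signs its requests with (required for SLO).
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $signingCertPath

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $issuerName `
    -SamlEndpoint @($acsEndpoint, $sloEndpoint) `
    -RequestSigningCertificate $signingCert `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Review what was created; Identifier must equal the Issuer Name from Part 1 exactly.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SamlEndpoints, RequestSigningCertificate
```

If you skipped the optional SLO and signing steps, drop `$sloEndpoint` from the `-SamlEndpoint` array and omit `-RequestSigningCertificate`; the claim rule and identifier are the parts the sign-in in Part 4 depends on.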

Part 3 - Configure Password Server to Connect to AD FS

  1. Go to the Authentication Services configuration page
  2. Click Add SAML Partner Configuration
  3. Enter the following value in Name
    • Replace adfs.yourdomain.com with the fully qualified domain name of the AD FS server:
      • http://adfs.yourdomain.com/adfs/services/trust
    • Notes:
      • This is 'http' NOT 'https'
      • This is just a name value that will be compared, not a URL actually used for communication
      • If the values do not match, the server logs will show a Key not found error
  4. Enter a value for Friendly Name
    • This will appear on the Sign-In page
  5. Leave the Sign On Action configuration as-is
  6. Select the Single Sign On tab
  7. Enter the following value in Service URL
    • Replace adfs.yourdomain.com with the fully qualified domain name of the AD FS server:
      • https://adfs.yourdomain.com/adfs/ls
  8. Select Post as the Binding Method
  9. (optional) Select Sign Authentication Request if you have configured a signing certificate during Part 1
  10. (optional) If you configured a certificate for encryption during the AD FS setup then you must configure the Assertion Decryption Certificate
    • This must be the same certificate, including its private key
    • See addendum sections below for configuring a certificate
  11. (optional) Select the Single Log Out tab
    • You must have followed the optional steps in parts 1 and 2 to configure Single Log Out
    • Enter the same value for Service URL as you did for Single Sign On
    • Leave Service Response URL blank
    • Select Post as the Binding Method
    • Check both Sign Log Out Request and Sign Log Out Response
  12. Click Save
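The Key not found error noted in step 3 comes from a mismatch between the values entered in Password Server and what AD FS actually reports. The following is an added example, not part of the Pleasant Password Server documentation: run on the AD FS server, it compares the Name and Service URL from this part against the Federation Service identifier and host name, and checks that the relying party trust from Part 2 has the endpoints, signing certificate and claim rule that this configuration relies on. The three values at the top are placeholders for the ones you entered.

```powershell
# Added example (not from the Pleasant Password Server documentation): compares the
# values entered in Part 3 with the AD FS server's own configuration, so a mismatch
# is found here rather than as a "Key not found" error in the Password Server logs.
Import-Module ADFS

$partnerName = 'http://adfs.yourdomain.com/adfs/services/trust'   # Part 3, step 3 (Name) - placeholder
$serviceUrl  = 'https://adfs.yourdomain.com/adfs/ls'              # Part 3, step 7 (Service URL) - placeholder
$rpName      = 'Pleasant Password Server'                          # display name from Part 2, step 7 - placeholder

$problems = @()
$props = Get-AdfsProperties

# The Name must equal the Federation Service identifier exactly (case-sensitive compare):
# it is an http:// URI by default even though all real traffic uses https.
$expectedName = $props.Identifier.ToString()
if ($partnerName -cne $expectedName) {
    $problems += "Name mismatch: entered '$partnerName' but the AD FS identifier is '$expectedName'"
}

# The Service URL is the passive sign-on endpoint on the AD FS host name.
$expectedServiceUrl = "https://$($props.HostName)/adfs/ls"
if ($serviceUrl -ne $expectedServiceUrl) {
    $problems += "Service URL mismatch: entered '$serviceUrl' but expected '$expectedServiceUrl'"
}

# Check the relying party trust created in Part 2 for the pieces Part 3 depends on.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) {
    $problems += "No relying party trust named '$rpName' exists on this AD FS server (Part 2)"
} else {
    $acs = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' }
    $slo = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' }
    if (-not $acs) {
        $problems += "Trust has no SAML assertion consumer endpoint (Part 2, step 10)"
    }
    # Part 1 notes that SLO on AD FS requires signed requests, so an SLO endpoint
    # without a request signing certificate will not work.
    if ($slo -and -not $rp.RequestSigningCertificate) {
        $problems += "SLO endpoint is configured but no request signing certificate is set (Part 2, step 17)"
    }
    if ($rp.IssuanceTransformRules -notmatch 'sAMAccountName') {
        $problems += "Issuance transform rules do not send sAMAccountName as Name ID (Part 2, step 16)"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "All Part 3 values agree with the AD FS configuration."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The identifier check is deliberately case-sensitive because the comparison on the Password Server side is a plain string match, not a URL comparison, as the note in step 3 explains.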

Part 4 - Signing In

  • Users imported from the same Active Directory that AD FS is using will automatically be able to sign in via AD FS
  • Users MUST be imported manually OR, if auto-import is enabled, sign in to Password Server manually once before AD FS sign-in is possible
  • If not importing users, the username must match the value of the SAM Account Name that AD FS is using
  • Users may still sign in locally instead of using AD FS
  • If Single Log Out was configured, then signing out of Password Server will also sign the user out of AD FS (and other AD FS sessions)
  • To sign in or out of Password Server and other applications configured to use AD FS, use this page: