Single Sign on with ADFS v2

Single Sign on with ADFS v2 / Any SAML v2 based identity provider

EduBrite supports integration with any external identity provider (IdP) that speaks SAML v2. This article uses Active Directory Federation Services (ADFS) 2.0 as the example, but the same integration works with any other SAML v2 IdP. Contact EduBrite support if you have any questions.

ADFS provides a SAML v2 based single sign-on mechanism. To integrate an EduBrite microsite, you register it in ADFS as a relying party (the SAML service provider, SP) and enable SP-initiated single sign-on; ADFS acts as the identity provider (IdP).


Step by Step instructions

Step 1. The service provider is added in ADFS as a new relying party trust. Start the Add Relying Party Trust wizard.


Step 2. There are multiple ways to add the relying party; select the manual option (enter data about the relying party manually).

Step 3. Give this relying party a display name.

Step 4. Select the AD FS 2.0 profile. (You must be using ADFS 2.0 for integration with the LMS; ADFS 1.0 is not supported.)

Step 5. Skip past the Configure Certificate screen. That screen is for a token encryption certificate, and we are not encrypting the assertion; it will only be signed (see Step 13).

Step 6. Now configure the URL to which ADFS will return the user after successfully authenticating them: enable support for the SAML 2.0 WebSSO protocol and enter the assertion consumer URL. This URL is specific to your microsite and must always be https, since the SAML response it carries is a bearer credential for the user and must not travel in clear text. If you are using a white-labeled domain for your microsite (one not ending in edubrite.com), you must have https enabled for your microsite; for edubrite.com domains https is always enabled. The URL must be https://<microsite url>/oltpublish/site/samlLoginResponse.do

Step 7. Assign an identifier (the SAML entity ID of the service provider) to this relying party. The identifier is specific to the microsite URL and is always https://<microsite url>. Enter it and click Add to add it to the identifiers list.


Step 8. Permit all users to access this relying party. (If only some users should reach the LMS, you can tighten this later with issuance authorization rules on the relying party trust.)


Step 9. Continue and finish the wizard.

Step 10. Continue by adding a claim rule that selects the required attributes from Active Directory and returns them in the response to the relying party (SP).

Step 11. Select the rule type as "Send LDAP attributes as claims"

Step 12. Enter a rule name (anything you like), select the attribute store "Active Directory", and add a row mapping the LDAP attribute User-Principal-Name to the outgoing claim type Name ID.

On the same screen you can add further rows to send the first name, last name and email attributes (the example assertion below uses the attribute names firstName, lastName and email). If these additional fields are passed, they are used when creating a new user record (in case of auto provisioning).

To send the user's groups to the LMS in the SAML response, configure a mapping whose outgoing attribute name is "groups". An example SAML assertion is shown below. If groups with matching group codes exist in EduBrite, the user is added to them, provided that Auto Provisioning is ON (Site Admin->Site Details->Integration in EduBrite).

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe@acme.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">app.group1</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">app.group2</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>
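The following is an added example, not EduBrite's code, showing what the service provider does with the AttributeStatement above: it reads every attribute as a list (so the multi-valued "groups" attribute is handled correctly) and compares the group values against a constructed list of existing EduBrite group codes, exactly as the auto-provisioning rule above describes. The sample assertion is an abbreviated copy of the one on this page; the existing group codes are invented for the example. A real SP verifies the XML signature on the response with the IdP's token-signing certificate (Step 13) before trusting any of these values.

```powershell
# Added example (not EduBrite's implementation): consume a SAML AttributeStatement
# and decide which groups an auto-provisioned user would be placed in.
# In production, verify the response signature against SAML_IDP_CERT first.

# Constructed sample: abbreviated copy of the assertion fragment above.
$assertionXml = @'
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="firstName"><saml2:AttributeValue>John</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="email"><saml2:AttributeValue>jdoe@acme.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue>app.group1</saml2:AttributeValue>
    <saml2:AttributeValue>app.group2</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
'@

function Get-SamlAttributes([string]$Xml) {
    # Namespace-aware parsing: SelectNodes without the saml2 prefix returns nothing.
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("saml2", "urn:oasis:names:tc:SAML:2.0:assertion")

    $attrs = @{}
    foreach ($attr in $doc.SelectNodes("//saml2:Attribute", $ns)) {
        # Always store an array: "groups" legitimately carries several AttributeValue elements.
        $values = @($attr.SelectNodes("saml2:AttributeValue", $ns) | ForEach-Object { $_.InnerText })
        $attrs[$attr.GetAttribute("Name")] = $values
    }
    return $attrs
}

$attrs = Get-SamlAttributes $assertionXml

# Constructed: group codes already defined in the LMS. Only matching codes are assigned;
# a group named in the assertion but unknown to the LMS is ignored, not created.
$existingGroupCodes = @("app.group1", "sales.emea")

$newUser = @{
    FirstName = $attrs["firstName"][0]
    LastName  = $attrs["lastName"][0]
    Email     = $attrs["email"][0]
    Groups    = @($attrs["groups"] | Where-Object { $existingGroupCodes -contains $_ })
}
$ignoredGroups = @($attrs["groups"] | Where-Object { $existingGroupCodes -notcontains $_ })

"User to provision: $($newUser.FirstName) $($newUser.LastName) <$($newUser.Email)>"
"Groups assigned   : $($newUser.Groups -join ', ')"      # app.group1
"Groups ignored    : $($ignoredGroups -join ', ')"       # app.group2 (no matching group code)
```

Keeping every attribute as an array avoids the common bug where a single-valued accessor silently drops all but the first group; the "ignored" list is also what you would log when a user reports a missing group membership after SSO.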

Step 13. Go back to the ADFS 2.0 Management console and click Service->Certificates. We want to export the certificate ADFS uses for token signing and configure it in the microsite so the LMS can verify the signature on the SAML response (this is a public certificate; the LMS does not decrypt anything with it, it only checks that the response was signed by your ADFS). Here you can also configure your own token-signing certificate (ADFS generates a self-signed one by default and, unless automatic certificate rollover is disabled, replaces it periodically; whenever the token-signing certificate changes, the copy in the microsite must be updated or sign-in will fail). Select the primary token-signing certificate and click Copy to File.

Step 14. Continue with the Certificate Export wizard, choose the Base-64 encoded X.509 (.CER) format, and save it to a file.



Step 15. Open the .cer file in Notepad and copy the content between the BEGIN CERTIFICATE and END CERTIFICATE lines.
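For administrators who prefer scripting the ADFS side (or need to repeat it for several microsites), the following is an added example, not an EduBrite or Microsoft script, that performs Steps 1 to 15 with the ADFS 2.0 PowerShell snap-in instead of the wizards: it creates the relying party trust with the SAML profile and the https assertion consumer URL, adds the claim rules for Name ID, firstName/lastName/email and a "groups" value, sets the permit-all authorization rule, and exports the primary token-signing certificate in the Base-64 form that Step 16 expects. The microsite host name and the Active Directory group SID are placeholders; replace them before running.

```powershell
# Added example (not EduBrite's or Microsoft's script): scripted equivalent of
# Steps 1-15 for ADFS 2.0. Placeholders: $MicrositeHost and the group SID below.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$MicrositeHost = "training.example.com"                                        # placeholder
$EntityId      = "https://$MicrositeHost"                                      # Step 7: relying party identifier
$AcsUrl        = "https://$MicrositeHost/oltpublish/site/samlLoginResponse.do" # Step 6: must be https

# Step 6: the only endpoint the LMS exposes is the assertion consumer (HTTP-POST binding).
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Steps 10-12 in the ADFS claim rule language:
#  - UPN becomes the SAML Name ID (the LMS user identifier)
#  - givenName/sn/mail become firstName/lastName/email, used for auto provisioning
#  - members of one AD group (placeholder SID) get the value app.group1 in the "groups" attribute
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "EduBrite user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "firstName", "lastName", "email"), query = ";userPrincipalName,givenName,sn,mail;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "EduBrite group app.group1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0-0-0-1001", Issuer == "AD AUTHORITY"]
 => issue(Type = "groups", Value = "app.group1", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Step 8: permit all users. Replace with a group-based rule if only some users may reach the LMS.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 1-5 and 9: manual relying party trust, SAML profile, no encryption certificate.
Add-ADFSRelyingPartyTrust -Name "EduBrite LMS ($MicrositeHost)" `
    -Identifier $EntityId `
    -SamlEndpoint $acs `
    -ProtocolProfile SAML `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Steps 13-15: export the primary token-signing certificate as Base-64 (PEM).
# Only the public certificate leaves the server; the LMS uses it to verify the
# signature on the SAML response. The private key is never exported.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\SAML_IDP_CERT.cer" -Value $pem -Encoding Ascii

# Print the thumbprint so you can confirm the microsite holds the certificate that is
# actually signing tokens (useful again after a token-signing certificate rollover).
"Exported token-signing certificate, thumbprint $($signing.Certificate.Thumbprint)"
$pem
```

Run this in an elevated PowerShell session on the ADFS 2.0 server; the text between the BEGIN/END lines of the resulting file is what goes into the SAML_IDP_CERT.cer data source in Step 16.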

Step 16. Create a new data source in your microsite from Site Admin->CMS->Create Data Source. Name the data source SAML_IDP_CERT.cer and paste the content you copied from the .cer file into the content field. Save and publish the changes to the data source.

Step 17. Copy the SAML 2.0 endpoint URL from ADFS. The URL is https://<<adfs host>>/adfs/ls/ (note the trailing slash).

Step 18. Specify this URL in the microsite's custom properties by adding a new property from Site Admin->Site Details->Customization. The name of this property is SAML_IDP_URL.

Step 19. Enable SAML from Site Admin->Site Details->Security.

Step 20. Try signing in with a test account. Click the Sign in using SSO link on the login page; the browser should be redirected to ADFS and, once you authenticate, return to the microsite. If the user already exists, login completes. Otherwise, if you have enabled Auto Create User by API (Site Admin->Site Details->Integration), the user is created.

