Set up an ADFS SAML connection
Last Updated: February 07, 2020
1 Add a Relying Party Trust
See Create a relying party trust for complete details.
- Launch your instance of ADFS and start the Add Relying Party Trust wizard.
- On the Welcome page, choose Claims aware and click Start.
- On the Select Data Source page, select Enter data about the relying party manually and click Next.
- On the Specify Display Name page, enter urn:auth0:onemedia-consulting:YOUR_CONNECTION_NAME as the display name for your relying party and a brief description under Notes. Be sure to replace YOUR_CONNECTION_NAME with the connection name provided by OneInsight Support. Click Next.
- Go to the Configure Certificate page and upload the certificate that can be downloaded here, then click Next.
- On the Configure URL page, check the box for Enable support for the SAML 2.0 WebSSO protocol. The wizard then asks for a Relying party SAML 2.0 SSO service URL. Provide the following URL: https://onemedia-consulting.eu.auth0.com/login/callback?connection=YOUR_CONNECTION_NAME. Click Next.
- On the Configure Identifiers page, indicate that the Relying party trust identifier is urn:auth0:onemedia-consulting:YOUR_CONNECTION_NAME. Click Next.
- On the Choose Access Control Policy page, select Permit everyone and click Next.
- Review the settings you provided on the Ready to Add Trust page and click Next to save your information. If you were successful, you'll see a message indicating that on the Finish page.
- Make sure that the Configure claims issuance policy for this application checkbox is selected, and click Close.
2 Edit the Claim Issuance Policy
After you close the Add Relying Party Trust wizard, the Edit Claim Issuance Policy window appears.
- Click Add Rule... to launch the wizard.
- Select Send LDAP Attributes as Claims for your Claim rule template, and click Next.
- Provide a value for the Claim rule name, such as "LDAP Attributes" (it can be anything you want).
- Choose Active Directory as your Attribute Store.
- Map your LDAP attributes to the following outgoing claim types (OIDC Standard):
- Click Finish.
- In the Edit Claim Issuance Policy window, click Apply. You can now exit out of this window.
3 Export the Signing Certificate
Finally, you'll need to export the signing certificate from the ADFS console.
- Using the left-hand navigation pane, go to ADFS > Service > Certificates. Select the Token-signing certificate, and right click to select View Certificate.
- On the Details tab, click Copy to File.... This launches the Certificate Export Wizard. Click Next.
- Choose Base-64 encoded X.509 (.CER) as the format you'd like to use. Click Next.
- Provide the location to where you want the certificate exported. Click Next.
- Verify that the settings for your certificate are correct and click Finish.
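The three ADFS steps above (relying party trust, claim issuance rule, token-signing certificate export) can also be scripted. The following PowerShell is an added example, not part of the original guide or of OneInsight's own tooling; it uses the ADFS module cmdlets and assumes placeholder values for YOUR_CONNECTION_NAME, the local paths, and the LDAP-to-claim mapping (the page's mapping table is supplied by OneInsight Support, so the outgoing claim types in the rule below are illustrative).

```powershell
# Added example: scripts steps 1-3 of the guide with the ADFS PowerShell module.
# Assumptions: YOUR_CONNECTION_NAME, both file paths, and the claim mapping are placeholders.
Import-Module ADFS

$connectionName = 'YOUR_CONNECTION_NAME'   # value provided by OneInsight Support
$identifier     = "urn:auth0:onemedia-consulting:$connectionName"
$acsUrl         = "https://onemedia-consulting.eu.auth0.com/login/callback?connection=$connectionName"
$spCertPath     = 'C:\temp\oneinsight.cer'          # assumed path of the certificate downloaded in step 1
$exportPath     = 'C:\temp\adfs-token-signing.cer'  # assumed output path for step 3

# --- Step 1: relying party trust --------------------------------------------
# The wizard's "Configure Certificate" page sets the token encryption certificate,
# which corresponds to -EncryptionCertificate; "Enable support for the SAML 2.0
# WebSSO protocol" corresponds to adding an assertion consumer endpoint.
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($spCertPath)
$acs    = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# --- Step 2: "Send LDAP Attributes as Claims" rule, Active Directory store -----
# Outgoing claim types below are assumed OIDC-style names; replace them with the
# mapping OneInsight Support provides.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "given_name", "family_name"), query = ";mail,givenName,sn;{0}", param = c.Value);
"@

Add-AdfsRelyingPartyTrust -Name $identifier `
    -Identifier $identifier `
    -EncryptionCertificate $spCert `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules `
    -Notes 'OneInsight SAML connection'

# --- Step 3: export the primary token-signing certificate as Base-64 X.509 ----
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($signing.Certificate.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $exportPath -Value $pem -Encoding Ascii

# Sanity checks: the trust exists with the expected ACS URL, and the exported
# file parses back to the same thumbprint as the primary token-signing certificate.
$trust    = Get-AdfsRelyingPartyTrust -Identifier $identifier
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($exportPath)
if ($trust.SamlEndpoints[0].Location -ne $acsUrl) { throw 'ACS endpoint on the trust does not match the expected callback URL' }
if ($reloaded.Thumbprint -ne $signing.Thumbprint) { throw 'Exported certificate does not match the primary token-signing certificate' }
"Trust '{0}' created; token-signing certificate exported to {1}" -f $trust.Name, $exportPath
```

Run this in an elevated PowerShell session on the ADFS server. The thumbprint comparison at the end matters when ADFS automatic certificate rollover is enabled: a secondary token-signing certificate may be present, and only the primary one is used to sign assertions, so that is the one OneInsight must have in step 4.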
4 Set up the connection in OneInsight
After creating the relying party trust in ADFS, you can finalize the setup by creating a new SAML connection in OneInsight. This task can be performed using OneInsight's admin interface or via OneInsight Support. Enter the following information:
- X.509 Signing Certificate: Signing certificate (encoded in PEM or CER) from earlier in this process.
- Sign In URL: SAML single login URL.
- Sign Out URL (optional): SAML single logout URL.
- Email Domains: These will be used to check for SSO connections at https://app.oneinsight.io/login (service provider initiated flow). The email domains that you can set in the admin interface are limited to the email domain of the currently logged-in user. If you need additional email domains, please contact support.