This document describes the necessary steps to configure Single sign-on (SSO) based on Active Directory Federation Services (ADFS).
The instructions and screenshots in this article are based on ADFS 2.0 but are also applicable for ADFS 3.0.
Prerequisites
On the customer's side, the following needs to be installed:
- An ADFS Federation Server (with optionally a proxy server) with a public available Metadata URL like: https://<server>/FederationMetadata/2007-06/FederationMetadata.xml
- A configured Relying Party Trust (see below)
In the epowerhr application we should:
- Create a subdomain like customer.epowerhr.be;
- Configure the application to point to the above Metadata URL.
This last step allows the application to retrieve information such as the thumbprint of the signing certificate.
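As an added example (not part of the original document), the following PowerShell snippet performs the check that the epowerhr side performs against the customer's metadata URL: it downloads the federation metadata, confirms the document is reachable, and lists the signing certificate(s) with their thumbprints and expiry dates. The <server> value is a placeholder for the customer's ADFS host.

```powershell
# Added example: verify the public federation metadata URL and read the signing
# certificate thumbprint(s) it publishes. Replace <server> with the ADFS host (placeholder).
$metadataUrl = "https://<server>/FederationMetadata/2007-06/FederationMetadata.xml"

# Download the metadata; an error here means the URL is not publicly reachable
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# The entityID is the identifier the relying party will trust
"Entity ID: " + $metadata.EntityDescriptor.entityID

# Namespaces used in SAML metadata and XML-DSig
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Signing certificates are published under KeyDescriptor elements with use="signing"
$xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
foreach ($node in $metadata.SelectNodes($xpath, $ns)) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint   # this is the value the application stores
        NotAfter   = $cert.NotAfter     # a certificate close to expiry will break SSO
    }
}
```

The same certificate usually appears under both the identity-provider and service-provider roles, so seeing it listed twice is expected. The NotAfter column is worth recording: when ADFS rolls its token-signing certificate, the thumbprint changes and the application must re-read the metadata.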
Add a Relying Party Trust
Open ADFS 2.0 > Trust Relationships > Relying Party Trusts > click Add a Relying Party Trust which begins the Wizard.
Click Start.
Choose the first option on the next screen where you can fill in "https://login.epowerhr.be/adfs/<company>" as "Federation metadata address (hostname or URL)". Check with epowerhr which value that should be used for <company>.
This will automatically configure most of the Relying Party Trust for you.
Type in a name for the Relying Party Trust (by default it will suggest login.epowerhr.be) and click Next.
Depending on the version of ADFS, the wizard will now suggest activating multi-factor authentication. You can continue by clicking Next (this option can still be activated later).
We will Permit all users to access this relying party, thus allowing all users of AD to also use epowerhr via SSO.
Press Next.
Check the box to Open the Edit Claim Rules... and click Close to continue.
Upon completion, open the Claim Rules editor in order to build a mapping from AD attributes to epowerhr properties. Click “Add Rule”.
Select Send LDAP Attributes as Claims and click Next.
Select “Active Directory” as the Attribute store and map the required LDAP attributes to their outgoing claim types.
You should now have one required claim rule and should be ready to test the SSO configuration. Continue by pressing “OK”.
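The wizard steps above can also be scripted with the ADFS PowerShell module. The following is an added example, not code from the original document or from epowerhr, and it assumes it is run on the federation server by an ADFS administrator with <company> replaced by the value agreed with epowerhr. Which LDAP attributes epowerhr expects is not stated in this document, so the attribute mapping shown (mail, givenName, sn) is illustrative only.

```powershell
# Added example: create the epowerhr Relying Party Trust with the same settings the
# wizard applies, using the ADFS PowerShell module (Windows Server 2012 R2 / 2016).
Import-Module ADFS

$metadataUrl = "https://login.epowerhr.be/adfs/<company>"   # <company>: placeholder agreed with epowerhr
$trustName   = "login.epowerhr.be"

# Step 1: create the trust from federation metadata. Identifier, endpoints and the
# signing/encryption certificates are read from the metadata, as the wizard does.
# Monitoring and auto-update keep the trust in sync when the published certificates
# roll over, so SSO does not silently break at the next certificate change.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Step 2: "Permit all users to access this relying party" (every AD user may use SSO)
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 3: "Send LDAP Attributes as Claims" from the Active Directory attribute store.
# The attributes below are an assumed, illustrative mapping; agree the real one with epowerhr.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "epowerhr attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules

# Review what was created: identifier, metadata URL and the rules just applied
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, MetadataUrl, IssuanceAuthorizationRules, IssuanceTransformRules
```

The authorization rule is the scripted equivalent of the "Permit all users" choice; if only a subset of AD should reach epowerhr, that is the rule to narrow (for example to a group), which is a change that can be made later without recreating the trust.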
Note:
Under "General - Settings" you should also modify the application link, because it is used in the e-mail messages the application generates that contain an automatically generated link.
Application link: the default URL is set to https://app.epowerhr.be, but when the login authentication is set to ADFS or Office 365 then this should be modified to https://portal.epowerhr.be or to the company specific URL.
Related documents
Windows Server 2016 and 2012 R2 AD FS Deployment Guide