Configuring SSO with AD FS On-Prem or Azure Directory Services


For companies with a high volume of users or with extensive security requirements, Single Sign-On (SSO) makes managing users easier and more streamlined. GoCanvas allows you to connect to several SSO providers, including on-prem AD FS and Azure Directory Services.

Adding On-Prem AD FS and SAML

GoCanvas supports single sign-on (SSO) authentication through SAML 2.0. A SAML 2.0 identity provider (IdP) can take many forms, one of which is a self-hosted Active Directory Federation Services (AD FS) server. AD FS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.

Requirements

  • An Active Directory instance where all users have a uniquely specified username attribute.
  • An Active Directory instance where all users have an email address attribute.
  • A server running Microsoft Server 2012 or 2008. This guide uses screenshots from Server 2012R2, but similar steps should be possible on other versions.
  • An SSL certificate to sign your AD FS login page, and the signing certificate for that certificate.
  • An installed certificate for hosted SSL.

After meeting these basic requirements, you must have AD FS installed on your server. Instructions for configuring and installing AD FS can be found here. (Instructions can also be found here.)

In your AD FS installation, note the value of the 'SAML 2.0/WS-Federation' URL in the AD FS Endpoints section. If you chose the defaults during installation, this will be '/adfs/ls/'.

If you're already comfortable setting up and configuring AD FS, skip ahead to Step 4: Configuring GoCanvas ID to work with AD FS.

Step 1: Adding a Relying Party Trust

At this point you should be ready to set up the AD FS connection with GoCanvas. The connection between AD FS and GoCanvas is defined using a Relying Party Trust (RPT).

Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.

  1. In the Select Data Source screen, select the last option, Enter Data About the Party Manually.
  2. On the next screen, enter a Display Name that you'll recognize in the future, and any notes you want to make.
  3. On the next screen, select the AD FS profile radio button.
  4. On the next screen, leave the certificate settings at their defaults unless you would like to choose a certificate, in which case you'll have to provide your public key later.
  5. On the next screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be https://www.gocanvas.com/saml/acs. Note that there is no trailing slash at the end of the URL.
  6. On the next screen, add a Relying party trust identifier: https://www.gocanvas.com.
  7. On the next screen, you may configure multi-factor authentication but this is beyond the scope of this guide.
  8. On the next screen, select the Permit all users to access this relying party radio button.
  9. On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.

Step 2: Creating Claim Rules

Once the relying party trust has been created, you can create the claim rules and update the RPT with the minor changes that aren't set by the wizard. By default, the claim rule editor opens as soon as you have created the trust.

  1. To create a new rule, select Add Rule. Create a Send LDAP Attributes as Claims rule.
  2. On the next screen, using Active Directory as your attribute store, do the following:
    1. From the LDAP Attribute column, select E-Mail Addresses.
    2. From the Outgoing Claim Type, select E-Mail Address.
  3. Select OK to save the new rule.
  4. Create another new rule by selecting Add Rule, this time selecting Transform an Incoming Claim as the template.
  5. On the next screen:
    1. Select [A unique, un-changing value] as the Incoming Claim Type.
    2. For Outgoing Claim Type, select Name ID.
    3. For Outgoing Name ID Format, select Email.
    4. By default, the NameID attribute maps to NameID. This needs to be updated to Incoming Claim type – E-Mail Address as well.
    5. Leave the rule to the default of Pass through all claim values.
    6. Finally, select OK to create the claim rule, and then OK again to finish creating rules.

Step 3: Adjusting the Trust Settings

You still need to adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar while you have the RPT selected.

  1. For the Endpoint type, select SAML Logout.
  2. For the Binding, choose POST.
  3. For the Trusted URL, create a URL using:
    1. The web address of your AD FS server
    2. The AD FS SAML endpoint you noted earlier
    3. The string ?wa=wsignout1.0
  4. The URL should look something like this: https://sso.yourdomain.tld/ADFS/ls/?wa=wsignout1.0
  5. Confirm your changes by selecting OK on the endpoint and on the RPT properties. You should now have a working RPT for GoCanvas.
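The same relying party trust, claim rules and logout endpoint from Steps 1 to 3 can be created from the AD FS PowerShell module instead of the wizard, which makes the configuration reviewable and repeatable. The script below is an added example, not part of the original article or of GoCanvas's own tooling; the AD FS hostname (sso.yourdomain.tld) and the display name are assumptions, while the identifier, service URL and wsignout URL are the values given above. The claim rules are written in the AD FS claim rule language that the two wizard templates (Send LDAP Attributes as Claims, Transform an Incoming Claim) generate.

```powershell
# Added example: creates the GoCanvas relying party trust from Steps 1-3 with the
# AD FS PowerShell module. Run in an elevated session on the AD FS server.
Import-Module ADFS

$AdfsHost    = 'sso.yourdomain.tld'                 # assumed AD FS server name
$DisplayName = 'GoCanvas'                           # assumed display name (Step 1, item 2)
$Identifier  = 'https://www.gocanvas.com'           # relying party trust identifier (Step 1, item 6)
$AcsUrl      = 'https://www.gocanvas.com/saml/acs'  # SAML 2.0 WebSSO service URL, no trailing slash (Step 1, item 5)
$LogoutUrl   = "https://$AdfsHost/adfs/ls/?wa=wsignout1.0"   # trusted URL for the SAML Logout endpoint (Step 3)

# Step 2 claim rules.
# Rule 1 ("Send LDAP Attributes as Claims"): Active Directory mail attribute -> E-Mail Address claim.
# Rule 2 ("Transform an Incoming Claim"): E-Mail Address -> Name ID with the Email format.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 1, item 8: "Permit all users to access this relying party". If only some AD users
# should reach GoCanvas, replace this with a rule that checks a group membership claim.
$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML endpoints: the assertion consumer (Step 1) and the logout endpoint (Step 3), both POST binding.
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $LogoutUrl
)

Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Identifier $Identifier `
    -SamlEndpoint $Endpoints `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Check before testing a login: the identifier, both endpoints and the two claim rules should be on the trust.
$Trust = Get-AdfsRelyingPartyTrust -Name $DisplayName
$Trust.Identifier
$Trust.SamlEndpoints | Select-Object Protocol, Binding, Location
$Trust.IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust call is the quick check to run before Step 5: if the E-Mail Address rule or the Name ID format is missing here, GoCanvas will not recognize the user even though the login page itself works.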

Step 4: Configuring GoCanvas ID to work with AD FS

The claim types that can be configured for use within GoCanvas relay are the following:

  • Email (required)

After setting up AD FS, you need to configure your GoCanvas instance to authenticate using SAML, with GoCanvas acting as the service provider.

SP (Service provider) Configuration: GoCanvas serves as the service provider in the SSO communication process, and you need Account Admin privileges to set up the SSO configuration on your account. For detailed steps, review the SSO configuration help topics.

Step 5: Test the Integration

Test the integration by attempting to log in to the application and confirming that the application recognizes your user and has the right attributes/claims associated.

You should now have a working AD FS SSO implementation for your GoCanvas instance.

Adding Azure Directory Services SAML

Step 1: Create an Enterprise Application under Azure Active Directory

  1. Select Manage.
  2. Select Enterprise Application.
  3. Select New Application.
  4. Select Non-gallery application.
  5. Type in the new application name (e.g. GoCanvas-SSO).


Step 2: Select Single Sign-On Mode


Step 3: Configure Service Provider Setup Details with GoCanvas

Step 4: Generate SAML certificate and apply it to Enterprise Application


SP (Service provider) Configuration: GoCanvas serves as the service provider in the SSO communication process, and you need Account Admin privileges to set up the SSO configuration on your account. For detailed steps, review the SSO configuration help topics.

Step 5: Test the Integration

Test the integration by attempting to log in to the application and confirming that the application recognizes your user and has the right attributes/claims associated.

You should now have a working Azure Directory Services SSO implementation for your GoCanvas Relay instance.
