ADFS
This document describes how to configure Single Sign-on when Active Directory Federation Services (ADFS) is your identity provider.
In this document, you’ll learn how to integrate Chakra with ADFS. When you integrate Chakra with ADFS, you can:
- Control in ADFS who has access to Chakra.
- Enable your users to be automatically signed-in to Chakra with their ADFS accounts.
- Manage your accounts in one central location - the ADFS portal.
Prerequisites
To set up and use the ADFS and Chakra Single Sign-on (SSO) feature, you need:
- Administrator access to your organization’s ADFS server.
- Administrator access on Chakra.
Actions to be done on Chakra
- Go to Admin → SSO & Authentication
- Add the ADFS provider from “Add Provider”
- Go to the ADFS Provider details page and copy the values of “SP ACS URL” and “SP Entity ID”. You will paste these into the relying party trust on the ADFS server (the “Relying party SAML 2.0 SSO service URL” and “Relying party trust identifier” steps under “Actions to be done on ADFS Server” below).
- Add the ADFS Sign-in URL and ADFS Sign-out URL.
- Add the ADFS public X.509 token-signing certificate, which you obtain in the last step of “ADFS Certificate Thumbprint” below. Chakra validates the signature on SAML responses from ADFS against this certificate, so it must be the current primary Token-signing certificate, not the Service communications or Token-decrypting certificate.
Actions to be done on ADFS Server
Add Relying Party Trust
- Open the Server Manager
- Open the ADFS Management console (Tools > ADFS Management)
- Under the Actions pane, click Add Relying Party Trust
- You’ll now see the welcome page of the Add Relying Party Trust Wizard. Click Start.
- Select the “Enter data about relying party manually” radio button, then click Next.
- Enter a “Display Name” of your choice, then click Next
- Leave the certificate settings here as their defaults and just click Next
- Select “Enable support for the SAML 2.0 WebSSO protocol”. For “Relying party SAML 2.0 SSO service URL”, paste the value of “SP ACS URL” copied earlier. Click Next.
- For “Relying party trust identifier” paste the value of “SP Entity ID” copied earlier. Then click the “Add” button.
- Once you see the added entry in the list “Relying party trust identifiers:”, click Next
- Keep the default access control policy (Permit everyone) and click Next. If you want to control in ADFS which users may reach Chakra, choose a group-based policy such as “Permit specific group” here instead; the policy can also be changed later from the trust’s properties.
- The configurations are now complete. Click Next to continue.
- The relying party trust has now been added. Click Close to proceed to the Edit Claim Rules dialog.
- Click the Add Rule button.
- Leave the claim rule template as “Send LDAP Attributes as Claims” and click Next.
- Enter a name for the claim rule, select Active Directory as the attribute store (the LDAP attributes are read from there), then map the LDAP attributes Chakra requires to their outgoing claim types. Click Finish when you’re done.
- Click OK to close the Edit Claim Rules dialog.
- Navigate to ADFS Management > Relying Party Trusts to see all relying party trusts. If required, you can edit claims later by clicking Edit Claim Rules, or change identifiers by clicking Properties.
- Navigate to ADFS > Service > Endpoints and ensure that the endpoint /adfs/services/trust/13/usernamemixed is enabled. This is a WS-Trust endpoint that accepts a username and password directly (it is not part of the browser-based SAML flow) and is a common password-spraying target, so do not publish it through the Web Application Proxy unless Chakra needs to reach it from outside your network.
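The same relying party trust, claim rule and endpoint check, done with the ADFS PowerShell module instead of the wizard. This is an added example, not code from the page or from Chakra; the two URLs, the display name and the attribute-to-claim mapping are assumptions, and you must substitute the “SP ACS URL” and “SP Entity ID” copied from Chakra and the attributes Chakra’s provider page asks for.

```powershell
# Added example, not taken from the page or from Chakra: creates the relying party trust
# and claim rule described above with the ADFS PowerShell module instead of the wizard.
# Run in an elevated PowerShell session on the ADFS server as an ADFS administrator.
Import-Module ADFS

# Placeholders: replace with the "SP ACS URL" and "SP Entity ID" copied from Chakra's
# ADFS provider details page. These exact URLs are assumptions for the example.
$spAcsUrl    = 'https://chakra.example.com/saml/acs'
$spEntityId  = 'https://chakra.example.com/saml/metadata'
$displayName = 'Chakra'

# "Send LDAP Attributes as Claims" rule reading from the Active Directory attribute store.
# The mapping (mail -> E-Mail Address, displayName -> Name) is an assumed example;
# map whatever attributes Chakra's provider page requires.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Chakra LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);
'@

# Equivalent of the wizard pages: SAML 2.0 WebSSO with the ACS URL as the assertion
# consumer endpoint, the SP Entity ID as the trust identifier, and the default
# "Permit everyone" access control policy (ADFS on Windows Server 2016 or later).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $spAcsUrl
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $spEntityId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $issuanceRules `
    -AccessControlPolicyName 'Permit everyone'

# Verify what was created: identifier, ACS endpoint and the rule text.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } }, IssuanceTransformRules

# The WS-Trust endpoint the page asks for. Enabling or disabling an endpoint only takes
# effect after the ADFS service is restarted.
$ep = Get-AdfsEndpoint -AddressPath '/adfs/services/trust/13/usernamemixed'
if (-not $ep.Enabled) {
    Enable-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/13/usernamemixed'
    Restart-Service adfssrv
}
```

On Windows Server 2012 R2 the `-AccessControlPolicyName` parameter does not exist; pass the permit-all issuance authorization rule instead, `-IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'`. To restrict access in ADFS to a group rather than everyone, replace `'Permit everyone'` with a group-based access control policy, which is the PowerShell equivalent of choosing “Permit specific group” in the wizard.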
ADFS Certificate Thumbprint
- Navigate to ADFS > Service > Certificates.
- Right-click the certificate under Token-signing (the one marked Primary, if more than one is listed), then click View Certificate
- From the Certificate dialog, switch to the Details tab and click Copy to File
- From the Certificate Export Wizard that opens, click Next
- Select Base-64 encoded X.509 (.CER) for the format and click Next
- From File name, specify the path to where the exported certificate should save along with its filename and click Next
- Review the settings for the exported certificate and click Finish
- Open the exported certificate file in a text editor and copy the Base-64 certificate text into the ADFS public X.509 certificate field on Chakra. The file contains only the public certificate; the token-signing private key never leaves the ADFS server. ADFS rolls the token-signing certificate over automatically by default (AutoCertificateRollover), so whenever a new certificate becomes Primary you must repeat this export and update Chakra, otherwise sign-ins fail with signature validation errors.
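The same export done from PowerShell, which also prints the thumbprint and rollover setting you would otherwise read from the console and checks that the file on disk really is the Primary token-signing certificate. This is an added example, not code from the page or from Chakra; the output path is an assumption.

```powershell
# Added example, not taken from the page or from Chakra: exports the Primary ADFS
# token-signing certificate as Base-64 X.509, the same result as the Certificate
# Export Wizard steps above. Run on the ADFS server as an ADFS administrator.
Import-Module ADFS

$outFile = 'C:\temp\adfs-token-signing.cer'   # assumed output path

# Only the Primary token-signing certificate signs assertions today. A Secondary one
# appears ahead of automatic rollover and becomes Primary on the promotion date, at
# which point this export must be repeated and Chakra updated.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# X509ContentType.Cert exports the public certificate only (DER); the private key
# stays on the server. Wrap the Base-64 body in PEM headers, as the wizard does.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding ASCII

# Sanity check: reload the file and confirm it is the same certificate ADFS is using.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
if ($reloaded.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file does not match the Primary token-signing certificate"
}

# What to compare against the console and to note for the next rollover.
[pscustomobject]@{
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    AutoRollover = (Get-AdfsProperties).AutoCertificateRollover
    File         = $outFile
}
```

Paste the contents of the exported file into the certificate field on Chakra. The `NotAfter` date and the `AutoRollover` flag tell you when to expect a new Primary certificate and therefore when Chakra will need the updated certificate.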