Context
ADFS stands for Active Directory Federation Services. It is a software component developed by Microsoft that provides users with single sign-on (SSO) access to systems and applications across organizational boundaries. ADFS allows organizations to share access to applications with external partners, without sharing passwords or duplicating identities.
Here's how ADFS works:
- Authentication and Authorization: ADFS uses a claims-based access control system to authenticate users based on a set of claims about the user, such as their username, email address, or group membership.
- Federation: It enables secure sharing of identity information between trusted partners (known as federated partners) over the internet or other networks.
- Single Sign-On (SSO): With AD FS, users can log in once and gain access to multiple applications without needing to log in again.
AD FS is commonly used in enterprise environments to facilitate secure and streamlined access to cloud and on-premises applications while integrating with other identity providers.
This article walks through the AD FS configuration needed to integrate Checkbox 8 with SAML single sign-on (SSO): creating the Relying Party Trust, issuing the claims Checkbox expects, and collecting the values you enter on the Checkbox "SAML Settings" page.
ADFS Configuration
Create a Relying Party Trust
1. In the AD FS Management console on your AD FS server, expand AD FS. Right-click Relying Party Trusts, then select Add Relying Party Trust.
2. Select Claims Aware and press Start.
3. Select Enter data about the relying party manually. Click Next.
4. Enter a Display Name (for example: "Checkbox 8"). Click Next.
5. Click Next on the "Configure Certificate" screen without choosing any certificates.
6. Check Enable support for the SAML 2.0 WebSSO protocol. For the Relying party SAML 2.0 SSO service URL, enter the full URL of the Checkbox 8 Assertion Consumer Service (details below).
Checkbox Online (SaaS) Version
https://{api-host}/v1/{account-name}/saml/assertion-consumer-service
{account-name}: The name of the account you use on the Login page.
{api-host}: Depends on the region for your account:
- US: api.checkbox.com
- CA: api.checkbox.ca
- EU: api.ckbxeu.com
- AU: api.checkboxau.com
Checkbox On-Premises Version
https://{api-host}/v1/saml/assertion-consumer-service
{api-host}: The hostname you configured during installation.
7. Enter an identifier and click Add. This can be any text (for example: "Checkbox8"). You'll set this value as the Issuer on your Checkbox 8 "SAML Settings" page.
8. Choose your desired access control policy. This determines which users AD FS will issue assertions for (for example, everyone, or only members of a specific group).
9. Click Next until you reach the "Finish" screen.
Configure the Claim Issuance Policy
1. Right-click your new Relying Party Trust and select Edit Claim Issuance Policy.
2. Click Add Rule and select Send LDAP Attributes as Claims.
3. With Active Directory as the attribute store, map the LDAP attribute E-Mail-Addresses to the outgoing claim type E-Mail Address. This claim is required.
4. Add a second claim rule and select Transform an Incoming Claim.
5. For the Incoming claim type, choose the claim whose value Checkbox should use as the Name ID. With the rule from step 3, this is E-Mail Address.
Note: The right incoming claim depends on your AD configuration. The value of the claim you choose (for example, the claim type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) must match the UniqueIdentifier in the Checkbox 8 application. By default, Checkbox 8 uses Email as the UniqueIdentifier.
6. Choose Name ID as the Outgoing claim type.
7. For the Outgoing name ID format, choose Email.
8. Make sure that the new rule is the second one in the list. The rule order matters.
Additional Configuration
1. In the AD FS Management window, right-click the Relying Party Trust for Checkbox 8 and choose Properties. On the "Advanced" tab, set Secure hash algorithm to SHA-256. This is the algorithm AD FS uses to sign the SAML response, so the Signature algorithm you later enter on the Checkbox 8 side must match it.
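The same Relying Party Trust, claim rules and SHA-256 setting can be created from PowerShell instead of the wizard. The script below is an added example and is not code from the Checkbox article or from Microsoft; it assumes the AD FS PowerShell module on the AD FS server (Windows Server 2016 or later, where access control policies and the built-in "Permit everyone" policy exist), the SaaS US region, and placeholder values in angle brackets that you replace with your own.

```powershell
# Added example: scripts the "Create a Relying Party Trust", "Configure the
# Claim Issuance Policy" and "Additional Configuration" steps above.
# Assumptions: run on the AD FS server as an AD FS administrator;
# <account-name> is a placeholder for your Checkbox account name.
Import-Module ADFS

$displayName = 'Checkbox 8'
$identifier  = 'Checkbox8'   # step 7: this value is the Issuer in Checkbox 8 "SAML Settings"
# Step 6, SaaS (US) form of the Assertion Consumer Service URL.
# For on-premises installs drop the "/<account-name>" segment and use your own host.
$acsUrl      = 'https://api.checkbox.com/v1/<account-name>/saml/assertion-consumer-service'

# Step 6: SAML 2.0 WebSSO endpoint (HTTP-POST binding, Assertion Consumer Service).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

# Claim issuance policy in AD FS claim rule language. Rule order matters:
# rule 1 issues the E-Mail Address claim, rule 2 transforms it into the Name ID
# with the email name ID format (steps 2 to 8 of "Configure the Claim Issuance Policy").
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send E-Mail-Addresses as E-Mail Address claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

$params = @{
    Name                   = $displayName
    Identifier             = $identifier
    SamlEndpoint           = $acs
    IssuanceTransformRules = $rules
    # Step 8: 'Permit everyone' is the built-in policy; scope it to an AD group in production.
    AccessControlPolicyName = 'Permit everyone'
    # "Additional Configuration" step 1: sign responses with RSA-SHA256, not SHA-1.
    SignatureAlgorithm     = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
}
Add-AdfsRelyingPartyTrust @params

# Check what was created: identifier, signing algorithm, endpoint and rule order.
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$rp | Select-Object Name, Identifier, SignatureAlgorithm, AccessControlPolicyName
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.IssuanceTransformRules
```

If you created the trust through the wizard and only want to apply the SHA-256 change, `Set-AdfsRelyingPartyTrust -TargetName 'Checkbox 8' -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'` does the same as the Advanced tab. The final `Get-AdfsRelyingPartyTrust` output is worth reading once: the Name ID rule must be listed second, after the LDAP rule that produces the e-mail claim it consumes.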
Properties of AD FS Configuration for Checkbox
The following values from the steps above are entered on the Checkbox 8 "SAML Settings" page:
1. Issuer (see section "Create a Relying Party Trust", point 7).
2. Metadata URL (for example, https://ec2-3-XXXXX-109.compute-1.amazonaws.com/FederationMetadata/2007-06/FederationMetadata.xml), entered as two parts:
Hostname: the AD FS server hostname (ec2-3-XXXXX-109.compute-1.amazonaws.com in the example above)
Path: /FederationMetadata/2007-06/FederationMetadata.xml
3. Signature algorithm (see section "Additional Configuration", point 1). It must match the Secure hash algorithm set on the Relying Party Trust.
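Before entering the metadata URL in Checkbox, it is worth confirming that the URL is reachable and seeing what Checkbox will read from it. The script below is an added example (not part of the Checkbox article): it fetches the AD FS federation metadata from the hostname and path above and lists the entity ID, the token-signing certificate(s) with their expiry dates, and the single sign-on endpoint. The hostname is an assumed placeholder; replace it with your AD FS server's hostname.

```powershell
# Added example: inspect the AD FS federation metadata that Checkbox 8 consumes.
# Assumption: adfs.example.com is a placeholder for your AD FS hostname.
$hostName = 'adfs.example.com'
$path     = '/FederationMetadata/2007-06/FederationMetadata.xml'

# Fetch and parse the metadata document. A failure here means the hostname/path
# pair you are about to enter in Checkbox is wrong or the server is unreachable.
$response = Invoke-WebRequest -Uri "https://$hostName$path" -UseBasicParsing
$metadata = [xml]$response.Content

# entityID is the identifier AD FS uses as the SAML Issuer of its responses.
$metadata.EntityDescriptor.entityID

# Token-signing certificate(s) published for the IdP role. Checkbox validates
# assertion signatures against these, so watch NotAfter: a certificate rollover
# that is not picked up from the metadata breaks SSO silently.
$metadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }

# Single sign-on endpoint Checkbox will send its AuthnRequest to.
$metadata.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
    Select-Object Binding, Location
```

Run it from any machine that can reach the AD FS server over HTTPS. If the request fails with a certificate error, the AD FS service communications certificate is not trusted by the client, which is the same problem Checkbox will hit when it fetches the metadata.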
Reach Out for Help
If you face any issues, please create a Support Ticket and we'd be happy to help!