BRYTER allows self-service SAML integration in the admin console. To ensure a correct set-up, we have put the following guide together to help your IT architecture team with the integration in ADFS.
Please note: This guide covers SAML 2.0 SSO setup using Windows Server 2012 R2 Standard, where the built-in AD FS role (AD FS 3.0) serves as the Identity Provider. Windows Server 2008 R2 with the separately installed AD FS 2.0 is supported too, but requires additional setup.
Configure Windows Server
- Open the AD FS Management Console. The AD FS dashboard is displayed.
- We will define a Relying Party Trust (RPT), which represents the connection between AD FS and BRYTER. Click Add Relying Party Trust in the Actions pane on the right. This opens the Add Relying Party Trust Wizard, which walks you through the steps needed to create the RPT. Click Start.
- Select a data source for the relying party. Choose Enter data about the relying party manually; this lets you type in the details of the relying party yourself instead of importing federation metadata.
Click Next to proceed.
- Enter a name for your relying party, for example, “ms-adfs-test.”
- To choose a profile, click on AD FS profile. This profile supports relying parties that are interoperable with SAML 2.0 protocol. Then, click on Next.
- You can skip the Configure Certificate step. The certificate requested here is an optional token-encryption certificate; without it AD FS still signs the assertion with its token-signing certificate, it just does not additionally encrypt it. Click Next.
- In Configure URL, select Enable support for the SAML 2.0 WebSSO protocol and enter the Assertion Consumer Service URL, https://singlesignon.bryter.io/realms/test (the realm segment, test in this example, must match your BRYTER SAML configuration). Then click Next.
- In the Configure Identifiers section, enter the Entity Identifier URL https://singlesignon.bryter.io/realms/test and click Add.
- Warning: Do not add a slash “/” at the end of the identifier. AD FS compares the identifier byte for byte with the Issuer value BRYTER sends, so a trailing slash makes the integration fail.
After adding the Entity Identifier URL, click Next.
- In the Configure Multi-factor Authentication Now? section, select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and click Next.
- In the Choose Issuance Authorization Rules section, select Permit all users to access this relying party to allow all Active Directory users to log into BRYTER, and click Next. If only a subset of your directory should be able to sign in, you can instead restrict access later with an issuance authorization rule based on group membership (for example a "BRYTER Users" security group); the wizard choice here is only the starting point.
- The Ready to Add Trust section displays the configuration you entered. Leave the settings unchanged and click Next.
- Finally, you have successfully configured the Relying Party Trust. Leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option checked to set up the Claim Rules.
- Click on Close to close the wizard.
- As soon as the wizard closes, the Edit Claim Rules for ms-adfs-test window opens (the title carries the relying party name you chose). The next section explains how to set up the claim rules.
Edit Claim Rules for your AD FS App
- In the Edit Claim Rules for ms-adfs-test window, click Add Rule under the Issuance Transform Rules tab.
- The Add Transform Claim Rule Wizard window opens where you need to select Send LDAP Attributes as Claims as the Claim rule template, and click Next.
- Enter a name for your Claim Rule, for example, “email,” then set Attribute store to Active Directory.
- Now we need to map LDAP attributes to claims. Enter the LDAP attribute E-Mail-Addresses twice and set the Outgoing Claim Type of the two rows to E-Mail Address and email. Similarly, enter Given-Name twice with the Outgoing Claim Types Given Name and first_name, and Surname twice with the Outgoing Claim Types Surname and last_name. The standard types are picked from the drop-down; the short names are typed in by hand.
- Note: Every attribute is entered twice so that BRYTER receives both the standard claim type and the application-specific claim type it reads (email, first_name, and last_name).
- Click OK when you are done adding the required LDAP attributes.
- Warning: Type the custom claim types exactly as shown (email, first_name, last_name, all lowercase). BRYTER matches on these names, and a misspelled or differently cased claim type means the attribute is silently missing on the BRYTER side.
- You need to add a second Claim Rule. Click Add Rule again on the Issuance Transform Rules tab, select Transform an Incoming Claim, and click Next.
- Enter a Claim rule name, for example, Incoming-claim, set Incoming claim type to E-Mail Address, set Outgoing claim type to Name ID, and set Outgoing name ID format to Email.
- Select Pass through all claim values and click Finish.
- In the Edit Claim Rules window, click OK.
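The wizard steps above can also be reproduced from the AD FS PowerShell module on the federation server. The following script is an added example and is not part of BRYTER's guide or of the AD FS documentation; the names and URLs are the ones used in this guide, and the claim rules are written in the AD FS claim rule language that the wizard generates behind the scenes. Run it in an elevated PowerShell session on the AD FS server (Windows Server 2012 R2).

```powershell
# Added example (not BRYTER's own code): create the Relying Party Trust and
# claim rules described in the guide without clicking through the wizard.
Import-Module ADFS

# Values taken from the guide; replace the realm name with your own.
$rptName  = 'ms-adfs-test'
$entityId = 'https://singlesignon.bryter.io/realms/test'   # no trailing slash!
$acsUrl   = 'https://singlesignon.bryter.io/realms/test'

# Guard against the trailing-slash mistake the guide warns about.
if ($entityId.EndsWith('/')) { throw "Entity identifier must not end with '/'" }

# Issuance transform rules.
# Rule 1 = "Send LDAP Attributes as Claims": each AD attribute is issued twice,
#          once under the standard claim type and once under the short name
#          BRYTER expects (email, first_name, last_name).
# Rule 2 = "Transform an Incoming Claim": e-mail address -> Name ID,
#          format emailAddress, pass-through of the value.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "first_name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "last_name"), query = ";mail,mail,givenName,givenName,sn,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Incoming-claim"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule = "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $rptName `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'  # pinned explicitly

# Show what was created so it can be compared with the wizard's Ready to Add Trust page.
Get-AdfsRelyingPartyTrust -Name $rptName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

The `query` string in the LDAP rule lists the AD attributes in the same order as the `types` list, which is why `mail`, `givenName` and `sn` each appear twice: that is the scripted equivalent of entering each attribute twice in the wizard. To restrict sign-in to a group instead of all users, replace `$authzRules` with a rule that issues the permit claim only when a matching group claim is present.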
- Now, click Service > Certificates, select your Token-signing certificate, and click View Certificate… in the Actions pane.
- Click the Details tab and click Copy to File…. This opens the Certificate Export Wizard; click Next.
- Select Base-64 encoded X.509 (.CER) as the format of your certificate, and click Next.
- Next, click Browse and choose a location in your filesystem to save the certificate file. Click Next, then Finish, and confirm with OK once the export has succeeded. This file contains only the public certificate (no private key) and is what you will upload to BRYTER so it can verify the signature on AD FS assertions.
- On your AD FS server, click Service > Endpoints and locate the endpoint URL path for the SAML 2.0/WS-Federation protocol (by default /adfs/ls/, so the full URL is https://<your AD FS hostname>/adfs/ls/).
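The certificate export and endpoint lookup from the last steps can likewise be done from PowerShell, which avoids picking the wrong certificate or export format in the MMC dialogs. This is an added example, not part of BRYTER's guide; the output path is an assumption.

```powershell
# Added example (not BRYTER's own code): export the primary token-signing
# certificate as Base-64 X.509 and print the SAML 2.0 endpoint, i.e. the two
# values the BRYTER admin console asks for.
Import-Module ADFS

$outFile = 'C:\temp\adfs-token-signing.cer'   # assumed output path, adjust as needed

# Only the primary token-signing certificate signs assertions right now. With
# automatic certificate rollover enabled a secondary certificate is listed too;
# that one becomes primary at rollover and must then be re-uploaded to BRYTER.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

# DER export of the public certificate only, then Base-64 with 76-column line
# breaks: the same format as "Base-64 encoded X.509 (.CER)" in the export wizard.
$der    = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$base64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem    = "-----BEGIN CERTIFICATE-----`r`n$base64`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Record thumbprint and expiry so you know when the copy held by BRYTER must be refreshed.
$signing.Certificate | Select-Object Subject, Thumbprint, NotBefore, NotAfter

# The SAML 2.0 / WS-Federation endpoint (by default https://<fqdn>/adfs/ls/).
Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' } |
    Select-Object FullUrl, Protocol, Enabled, Proxy
```

Keep the thumbprint printed by this script next to the BRYTER configuration: when AD FS rolls the token-signing certificate, assertions start failing signature validation on the BRYTER side until the new certificate has been uploaded.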