Implementing Single Sign On with ADFS

STEP 1 - Adding SRXP as a Relying Party Trust

  1. Open the ADFS management console. In the directory tree on the left-hand side of the screen, select ADFS > Trust relationships > Relying Party Trusts.

  2. On the right-hand side of the screen, in the Actions section, click Add Relying Party Trust.


  3. Once the ‘Add Relying Party Trust Wizard’ is open, click Start, select ‘Enter data about the relying party manually’ and click Next. Specify a Display name of your choice (e.g. srxp) and click Next again.

  4. Choose AD FS profile and click Next. Skip ‘Configure Certificate’.

  5. Select Enable support for the SAML 2.0 Web SSO protocol and enter the following URL: https://portal.srxp.com/api/auth/{your_slug}/process/acs.

    Note: The slug (of your choice) will be your company’s identifier in the ACS URL. Its maximum length is 20 characters, and it must not contain spaces or any of the following special characters: " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~".

  6. Add the following Relying party trust identifier: https://portal.srxp.com/api/auth/{your_slug}/process/metadata, as shown on the screenshot below. Make sure to use the same slug or company identifier.

    Click Add and proceed to Choose issuance authorization rules, skipping Multi-factor authentication.

  7. Configure the issuance authorization rules and press Next.

  8. Review the new configuration and press Next, then Finish. Proceed to edit the claim rules by ticking the check box shown in the image below.


STEP 2 - Create the claims

  1. Right click the trust created for SRXP again, and select Edit Claims.
  2. In the new window, open the Issuance Transform Rules tab and click Add Rule > Send LDAP Attributes as Claims.
  3. Enter a Claim rule name (e.g. SRXP SAML Attributes), set Attribute store to Active Directory and click Next.
  4. Map the LDAP attributes to the Outgoing Claim Types listed below (this mapping is the minimum requirement):
    1. Given_Name → FirstName
    2. Surname → LastName
    3. E-Mail-Addresses → Email
    4. User-Principal-Name → Email

  5. Click Finish and then click OK to confirm the claims.

STEP 3 - Set-up SSO on your SRXP environment

  1. Hover over the Admin/Settings icon on the right-hand side of the top menu > click Company information > expand the 'Connections' section > click Single Sign On.

  2. Provide the same slug used during the ADFS SAML set-up > select ADFS as the System IDP and upload your Federation Metadata XML.

    Note: You can obtain your Federation Metadata XML from the following URL: https://{your_federation_instance}/federationmetadata/2007-06/federationmetadata.xml

  3. After uploading your Federation Metadata, the information contained in the XML file will be parsed, automatically filling the Entity URL, SSO Login URL, SSO Logout URL, Signing and Encryption.
  4. Set Mandatory SSO Login to True if you want to force your users to log in through your System Identity Provider only, then Save.
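As an added example (not part of this article or SRXP's own code), the Python script below builds the ACS URL and relying party identifier from a slug checked against the note in STEP 1, and extracts from an ADFS federationmetadata.xml the fields that STEP 3 says SRXP fills in automatically (Entity URL, SSO login/logout URLs, signing and encryption certificates). The metadata sample is constructed and the host adfs.example.test is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Characters the note in STEP 1 forbids in the slug (space plus the listed punctuation).
FORBIDDEN = set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")

def valid_slug(slug: str) -> bool:
    """Max 20 characters, no whitespace, none of the forbidden punctuation."""
    return 0 < len(slug) <= 20 and not any(c.isspace() or c in FORBIDDEN for c in slug)

def srxp_endpoints(slug: str) -> dict:
    """ACS URL and relying party trust identifier used in STEP 1, items 5 and 6."""
    if not valid_slug(slug):
        raise ValueError(f"invalid slug: {slug!r}")
    base = f"https://portal.srxp.com/api/auth/{slug}/process"
    return {"acs": f"{base}/acs", "identifier": f"{base}/metadata"}

def parse_federation_metadata(xml_text: str) -> dict:
    """Pull the fields STEP 3 says are filled in from federationmetadata.xml."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    def endpoints(tag):  # {binding short name: location}, e.g. {"HTTP-POST": ...}
        return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.findall(f"md:{tag}", NS)}
    certs = {}  # {"signing"|"encryption": base64 DER}; ADFS publishes both
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None:
            certs[kd.get("use", "signing")] = "".join(cert.text.split())
    return {"entity_id": root.get("entityID"),
            "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"),
            "certs": certs}

# Constructed sample in the shape ADFS publishes (not real metadata; cert is a placeholder).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC0NSTRUCTEDCERT=</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Before saving the upload, compare the extracted signing certificate with the token-signing certificate shown in the ADFS console; a metadata file fetched from the wrong host would otherwise silently trust the wrong signer.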

STEP 4 - Test the Single Sign On

Test the SAML connection by logging in both via:

  • Your ADFS environment.
  • The following URL: https://portal.srxp.com/?pidp=your_slug.

Please make sure that the test user has an Active SRXP account.


If authentication fails, read the following post explaining How to troubleshoot the SAML connection between ADFS and SRXP.