Creative Force

This article goes over how to set up Signal Sign On with AD FS. ​

This document is based on the Windows Server 2019 platform

- This document is based on the Windows Server 2019 platform
- AD FS does not support SCIM

Click to “Start” and search “AD FS” then select “AD FS Management”.

- Click to “Start” and search “AD FS” then select “AD FS Management”.

On the “AD FS Management” window, right click to “AD FS &gt; Relying Party Trusts” then select “Add Relying Party Trust Wizard”.

On the “Add Relying Party Trust Wizard” popup:

- Choose “Claims aware” then click “Start”.
- Choose “Enter data about the relying party manually” then click “Next”.
- Click “Next” until “Configure URL”.
 - Tick “Enable support for the SAML 2.0 WebSSO protocol”
 - Fill in the “Rely party SAML 2.0 SSO service URL” with the value “SP Assertion Consumer Service” 
 - Click “Next”.
- Fill in the “Relying party trust identifier” with the value “SP Entity ID”, click “Add” then “Next”.
- Choose an access control policy then click “Next” until the end.

- On the “AD FS Management” window, right click to “AD FS &gt; Relying Party Trusts” then select “Add Relying Party Trust Wizard”.
- On the “Add Relying Party Trust Wizard” popup:
 - Choose “Claims aware” then click “Start”.
 - Choose “Enter data about the relying party manually” then click “Next”.
 - Click “Next” until “Configure URL”.
 - Tick “Enable support for the SAML 2.0 WebSSO protocol”
 - Fill in the “Rely party SAML 2.0 SSO service URL” with the value “SP Assertion Consumer Service” 
 - Click “Next”.
 - Fill in the “Relying party trust identifier” with the value “SP Entity ID”, click “Add” then “Next”.
 - Choose an access control policy then click “Next” until the end.

On the “AD FS Management” window, select the Relying Party item that needs to be mapped attributes.

Click on “Edit Claim Issuance Policy…”

On the “Edit Claim Issuance Policy for &lt;Paty_Name&gt;” popup, click to “Add Rule”.

On the “Add Transform Claim Rule Wizard” popup:

- Select “Send LDAP Attributes as Claims” then click “Next”.
- Fill the “Claim rule name”.
- Select the Attribute store. (default “Active Directory”)
- Mapping attributes followed by the below table then click “Finish”.

Click on “Add Rule” again to add a new Transform Rule, On the “Add Transform Claim Rule Wizard” popup:

- Select “Transform an Incoming Claim” then click “Next”.
- Fill the “Claim rule name”.
- Select the Incoming claim type: “E-Mail Address”
- Select the Outgoing claim type: “Name ID”.
- Select the Outgoing name ID format: “Unspecified”.
- Choose “Pass through all claim values” then click “Finish”.

- On the “AD FS Management” window, select the Relying Party item that needs to be mapped attributes.
- Click on “Edit Claim Issuance Policy…”
- On the “Edit Claim Issuance Policy for &lt;Paty_Name&gt;” popup, click to “Add Rule”.
- On the “Add Transform Claim Rule Wizard” popup:
 - Select “Send LDAP Attributes as Claims” then click “Next”.
 - Fill the “Claim rule name”.
 - Select the Attribute store. (default “Active Directory”)
 - Mapping attributes followed by the below table then click “Finish”.
- Click on “Add Rule” again to add a new Transform Rule, On the “Add Transform Claim Rule Wizard” popup:
 - Select “Transform an Incoming Claim” then click “Next”.
 - Fill the “Claim rule name”.
 - Select the Incoming claim type: “E-Mail Address”
 - Select the Outgoing claim type: “Name ID”.
 - Select the Outgoing name ID format: “Unspecified”.
 - Choose “Pass through all claim values” then click “Finish”.

You can download the “Federation Metadata” file in the link: &lt;your-adfs-domain&gt;/FederationMetadata/2007-06/FederationMetadata.xml.

Important note: After changing any config ADFS, the Federation Metadata file will be changed. So, the user needs to update the Metadata file to SSO Config in Gamma or Federation Metadata public url to ensure the CF will use the latest Federation Metadata file.

- You can download the “Federation Metadata” file in the link: &lt;your-adfs-domain&gt;/FederationMetadata/2007-06/FederationMetadata.xml.
- Important note: After changing any config ADFS, the Federation Metadata file will be changed. So, the user needs to update the Metadata file to SSO Config in Gamma or Federation Metadata public url to ensure the CF will use the latest Federation Metadata file.

Open the “Active Directory Users and Computers”

- Start &gt; type “Active Directory Users and Computers” &gt; select the “Active Directory Users and Computers” application.

Select “ADFS” under the domain.

- Open the “Active Directory Users and Computers”
 - Start &gt; type “Active Directory Users and Computers” &gt; select the “Active Directory Users and Computers” application.
- Select the domain in the left menu.
- Select “ADFS” under the domain.

Select “New” &gt; “User” and type the user information.

Type the password and “Next” &gt; “Finish”.

Right click on the user and select “Properties” to set the user mail.

- Right click on the “ADFS”.
- Select “New” &gt; “User” and type the user information.
- Click “Next”.
- Type the password and “Next” &gt; “Finish”.
- Right click on the user and select “Properties” to set the user mail.

LDAP Attribute	Outgoing Claim Type
User-Principal-Name	Name ID
E-Mail-Addresses	E-Mail Address
Given-Name	Given Name
Surname	Surname

This article goes over how to set up Signal Sign On with AD FS.

Open “AD FS Management”

Config SSO

Mapping Attributes

Federation Metadata

Users Management

Create/Update User