ADFS


Integration with Active Directory Federation Service (ADFS) lets your company's employees sign in to Planfix with a single password via single sign-on (SSO). This simplifies authorization, improves security, and makes account administration easier.

Configuring Single Sign-On (SSO)

Steps in Planfix

  • Go to Account management — Integrations — Single Sign-On.
  • Enable the integration with Active Directory Federation Service (ADFS).

After that, proceed to configure your ADFS server.

Steps in ADFS

Creating a Relying Party Trust

  1. In ADFS Management, go to Trust Relationships — Relying Party Trusts and click Add Relying Party Trust…
  2. On the first screen, choose Claims aware — Next.
  3. On the Select Data Source step, choose Enter data about the relying party manually — Next.
  4. Specify a Display name, for example: Planfix.
  5. Click Next → Next.
  6. Check Enable support for the SAML 2.0 Web SSO protocol.
  7. In the Relying party SAML 2.0 SSO service URL field, enter the URL from the integration settings in Planfix:
    https://{account_planfix_url}/saml2/login/sso/adfs
  8. Click Next.
  9. On the Configure Identifiers step, click Add and enter the Identifier (Entity ID) from Planfix:
    https://{account_planfix_url}/saml2/service-provider-metadata/adfs
  10. Click Next → Close.

Configuring claim issuance rules

  • Select the created Relying Party Trust, then in the right pane, click Edit Claim Issuance Policy.
  • Click Add Rule…

Sending LDAP attributes

  • Select Send LDAP Attributes as Claims.
  • Click Next and specify the following mapping:

    LDAP Attribute         Outgoing Claim Type
    Display-Name           Name
    Given-Name             Given Name
    Surname                Surname
    User-Principal-Name    Email Address

  • Click Finish.

Formatting the Name ID as Email

  1. Click Add Rule…
  2. Select the template Transform an Incoming Claim
  3. Fill in the fields:
    1. Name: Format NameID as Email
    2. Incoming claim type: UPN
    3. Outgoing claim type: Name ID
    4. Outgoing Name ID format: Email
    5. Pass through all claim values: enabled (✓)
  4. Click Finish.

Important

Do not create an additional Send LDAP Attributes as Claims rule for the Name ID: only the Transform an Incoming Claim rule ensures that the <NameID Format="…"> attribute in the assertion uses the emailAddress format. A second rule emitting Name ID would issue it without that format and Planfix would not match the user by email.
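The same ADFS configuration as the steps above, written as an added example for the ADFS PowerShell module on the ADFS server (this script is not part of the Planfix documentation). It assumes ADFS 2016 or later (for -AccessControlPolicyName, which matches the wizard's default Permit everyone policy) and that {account_planfix_url} is replaced with your Planfix account host before running.

```powershell
# Added example: scripted equivalent of the Relying Party Trust and claim rules above.
# Assumption: run as an ADFS administrator on the ADFS server, ADFS 2016 or later.
Import-Module ADFS

$planfixHost = "{account_planfix_url}"   # placeholder from the page; replace with your account host
$acsUrl      = "https://$planfixHost/saml2/login/sso/adfs"
$entityId    = "https://$planfixHost/saml2/service-provider-metadata/adfs"

# Rule 1: Send LDAP Attributes as Claims (same mapping as the table above).
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";displayName,givenName,sn,userPrincipalName;{0}", param = c.Value);
'@

# Rule 2: Transform an Incoming Claim, UPN -> Name ID with the emailAddress format
# and pass-through of the claim value. This is the rule the Important note depends on.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Format NameID as Email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# SAML 2.0 Web SSO endpoint (Relying party SAML 2.0 SSO service URL, HTTP-POST binding).
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name "Planfix" `
    -Identifier $entityId `
    -SamlEndpoint $samlEndpoint `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule) `
    -AccessControlPolicyName "Permit everyone"

# Check: exactly one rule should issue nameidentifier, and it must carry the emailAddress format.
$rules = (Get-AdfsRelyingPartyTrust -Name "Planfix").IssuanceTransformRules
$nameIdIssuers = ($rules -split "`n") | Where-Object { $_ -match 'claims/nameidentifier' }
if ($nameIdIssuers.Count -ne 1 -or $nameIdIssuers[0] -notmatch 'nameid-format:emailAddress') {
    Write-Warning "Name ID is not issued by a single rule with the emailAddress format; review the claim rules."
}
```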

Final step

  • Return to Planfix and in the ADFS integration settings fill in the Metadata URI field:
    https://<adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml
  • Save the changes.
