
SSO with Active Directory Federation Services (ADFS)

 

Overview

SSO will allow you to use your existing Active Directory userbase as user management for your Jostle® intranet.  In other words, Jostle will not create usernames and passwords for you in the application, but instead when your users access Jostle, Jostle will pass back the authentication request to your AD domain.  This is done through an AD add-on called Active Directory Federation Services (ADFS).

The main benefits are:

  • You get to manage only one set of user credentials across your organization via AD.
  • Once you log into one SSO application your authentication stays valid for the others.

It does not inherently:

  • Allow password-less logins.

 Steps to get ADFS/SSO up and running

1. Set up a public-facing domain name for the ADFS server

Communication between Jostle and ADFS occurs over HTTPS, so you will need a domain or subdomain for your ADFS server with a published DNS record (i.e. Internet-routable).  We should be able to resolve the address from our office (usually it loads the default IIS server page).  Access can be restricted to the HTTPS default port (443), but for testing purposes ICMP and port 80 should be allowed through as well.

2. A certificate from a well-known certificate authority

The domain used in step 1 needs to be secured via SSL.  It is best to use an SSL provider that is by default part of most browsers' trusted certificate authority list.  Here are a few companies that are included by default:

  1. http://www.digicert.com/
  2. http://www.verisign.com

3. General ADFS setup

If you are going to use ADFS, you have to install and configure ADFS 2.0. The installation and configuration is specific to your environment, including configuration related to your Active Directory, the details of which are beyond the scope of this article.  As part of this setup, you will have to get an SSL certificate (if you don’t already have one that you plan to use), since ADFS will act as the identity provider and the protocol uses HTTPS.  Once you have done the general installation and setup, you can use the instructions below to integrate with Jostle.

How to install ADFS

http://technet.microsoft.com/en-us/evalcenter/ee476597.aspx

Please note: We have found that Windows Updates KB2843638 and KB2843639, "Security Update for Windows Server 2008", will always cause problems with ADFS properly authenticating users.  Please remove and disable (right click, "Hide") these within Windows Update to prevent interference.

External versus Internal access

Jostle and ADFS communicate over HTTPS, but all the user authentication occurs between your users and ADFS.  This gives you the option of controlling whether you allow users to authenticate from outside your network or not.  This is controlled through ADFS, and requires no changes on Jostle's side.

3a) Configuring ADFS for Jostle: Configuring the relying party (Deploy certificates)

  1. Save the Jostle public key certificate below (everything including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into a file called jostle.cer somewhere in the filesystem
  2. Start ADFS 2.0 Management application 
  3. In the Actions menu, select “Add Relying Party Trust” which will bring up the “Add Relying Party Trust Wizard” 
  4. Click ‘Start’ 
  5. Select “Enter data about the relying party manually” and hit ‘Next’
  6. Enter “Jostle” in Display name and hit ‘Next’ 
  7. Select ‘ADFS 2.0 Profile’ and hit ‘Next’ 
  8. In the Configure Certificate step, hit ‘Browse’ and choose jostle.cer, then hit ‘Next’ 
  9. In the Configure URL step, select ‘Enable support for the SAML 2.0 WebSSO Protocol’ and enter the following into the ‘Relying party SAML 2.0 SSO service URL': https://login-prod.jostle.us/saml/SSO/alias/newjostle.us
  10. In the Configure Identifiers step, in the ‘Relying party trust identifier’ field enter: https://jostle.us  Then hit ‘Add’ and then ‘Next’
  11. In the Choose Issuance Authorization Rules step, choose ‘Permit all users to access this relying party’ and then hit ‘Next’
  12. In the Ready to Add Trust step, hit ‘Next’ 
  13. In the Finish step, check the ‘Open the Edit Claim Rules dialog for this relying party when this wizard closes’ and hit ‘Close’ 
  14. When the Edit Claims Rules dialog comes up, select ‘Issuance Transform Rules’ tab and hit ‘Add Rule’ 
  15. In Choose Rule Type step, under Claim rule template select ‘Send LDAP attributes as Claims’ and hit ‘Next’ 
  16. In the Configure Claim Rule step, create a mapping as follows:
    • Claim rule name: Email Addresses As Email
    • Attribute Store: Active Directory
    • Mapping of LDAP attribute to outgoing claim types: E-Mail-Addresses to E-Mail Address
  17. Create another new rule by clicking 'Add Rule', under Claim rule template select ‘Transform an Incoming Claim’ and hit ‘Next’. 
  18. In the Configure Claim Rule step, create a mapping as follows:
    • Claim rule name: Email Address as Name ID
    • Incoming claim type: E-Mail Address
    • Outgoing claim type: Name ID
    • Outgoing name ID format: Email
    • Select 'Pass through all claim values' 
    • Note: this rule should be Order 2 and the previous rule is Order 1
  19. In the ADFS 2.0 Management application, open the AD FS 2.0 folder, then the Trust Relationships folder, then select ‘Relying Party Trusts’ and double-click ‘Jostle’ in the Relying Party Trusts list.
  20. Select the Signature tab and hit ‘Add’, then select ‘jostle.cer’ and hit ‘Open’, then ‘Apply’ and ‘OK’
  21. Select Advanced tab and change the secure hash algorithm to SHA-256.
  22. You can optionally set up Single Sign Out. Right click Jostle under the list of Relying Party Trusts and go to Properties. Under the Endpoints tab, click Add SAML and set the Endpoint type to SAML Logout. Binding should be set to POST, and then fill in the Trusted URL as follows: https://login-prod.jostle.us/saml/SingleLogout/alias/newjostle.us  Hit 'OK' then 'Apply'.

Public Key

-----BEGIN CERTIFICATE-----
MIIDlzCCAn+gAwIBAgIECbNOhTANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJD
QTELMAkGA1UECBMCQkMxEjAQBgNVBAcTCVZhbmNvdXZlcjEbMBkGA1UEChMSSm9z
dGxlIENvcnBvcmF0aW9uMRswGQYDVQQLExJKb3N0bGUgQ29ycG9yYXRpb24xEjAQ
BgNVBAMTCWpvc3RsZS51czAeFw0xNTAzMTExNzA5MjRaFw0yNTAzMDgxNzA5MjRa
MHwxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJCQzESMBAGA1UEBxMJVmFuY291dmVy
MRswGQYDVQQKExJKb3N0bGUgQ29ycG9yYXRpb24xGzAZBgNVBAsTEkpvc3RsZSBD
b3Jwb3JhdGlvbjESMBAGA1UEAxMJam9zdGxlLnVzMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEArfy3La92VclqzMdMtNq4bhnz36cahnFIkgqm21dp0SIC
cHy6DiQR3XiGiT7jNRsmdpS7eBUz6ZMK5aBFVgBLvNg61331WdlEw6Mx97ZDO3Vi
zxjZLeQUQbkTxPCu6bKBBUVug1rq4Yfp3o8vBufsGP0RhOonsY4mgxOUD/qhubhv
wjbXmO09oz0VSTNN+S4irYhOcV2kmlJgLEzUR7UopxygLlT3/Z3+sKjoGLTXTxqP
3jQ5Qw2EY6FlaMrqSXD+f9hruymlj+Ga6vd986XKL3WT1BwuwMlqijPdrO7xcnnQ
5YnCqP10OHBQd43LSP066WsF52tbmMsepVuxnMthAwIDAQABoyEwHzAdBgNVHQ4E
FgQUJtXdhEelyPpugiOZ/pP6yLtNtkIwDQYJKoZIhvcNAQELBQADggEBAFrZtlpC
uM9upH8efncXRCVz+sv0dL4Vu48GhuwcUqy5FCDedChkmFvrBUpcu1BRel92eBif
VWtALEM2J5XrnrJlvrkxZ9tU2V+tR6NOlmFg7bO245I0g5y9Bu8cHT1tupwy25E/
AZRu3wQGLdvDgJaXeWICEx1wfl+l5Dx1KQ7mjlsL2lRZIMbPd547bQmcnkOC7MJu
MQS0QwpodNNGauQcNfxrRkkBmbZ9sqaPCyXn87In2FeqBfOfEnzyCwdMpTafxUa1
GFZA5f8v+MyCJt4osvGdoMMQqeLmaPlX/1EvvWM4NiYU3E0ObmNc3IYKoPyrLOfm
o9rsl1Kfb1ublsA=
-----END CERTIFICATE-----


3b) Set the NotBeforeSkew to allow for time drift between your server and ours:

Open Windows PowerShell via the Start Menu, and run these commands:

ADFS 2.0

# Load the ADFS PowerShell snap-in
Add-PSSnapin Microsoft.Adfs.PowerShell

# Show the current values for the Jostle relying party trust
Get-ADFSRelyingPartyTrust -Identifier "https://jostle.us"

# Set the skew to 2 minutes
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://jostle.us" -NotBeforeSkew 2

ADFS 3.0

# The ADFS module loads automatically; no snap-in is needed.
# Show the current values for the Jostle relying party trust
Get-ADFSRelyingPartyTrust -Identifier "https://jostle.us"

# Set the skew to 2 minutes
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://jostle.us" -NotBeforeSkew 2

 

We have found that this is almost always necessary to ensure reliable user authentications. 

Note that if you are using a subdomain, the identifier will be "https://<subdomain>.jostle.us"
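The claim rules from steps 16 to 18 and the NotBeforeSkew setting above both determine what the relying party sees in the SAML assertion ADFS issues. The Python script below is an added example, not part of Jostle's documentation or code: it performs the checks a relying party makes on a constructed assertion (the NameID must be in email format and match the E-Mail Address claim, the audience must be the trust identifier from step 10, and the Conditions window is judged by the relying party's own clock). `issue_assertion` is a stand-in for ADFS that moves NotBefore back by the skew value, which is the effect Set-ADFSRelyingPartyTrust -NotBeforeSkew has; the issuer URL, email address and timestamps are constructed, and signature verification is left out.

```python
"""Relying-party side checks on a SAML 2.0 assertion (constructed example, not Jostle code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # "Email" Name ID format, step 18
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # E-Mail Address claim, step 16
AUDIENCE = "https://jostle.us"  # relying party trust identifier, step 10
SAML_TIME = "%Y-%m-%dT%H:%M:%S.%fZ"


def issue_assertion(email, issue_time, not_before_skew_minutes=0, lifetime_minutes=60):
    """Stand-in for the ADFS issuer (constructed output, not real ADFS output).

    NotBeforeSkew moves the NotBefore condition back by that many minutes, so a relying
    party whose clock runs slightly behind the ADFS server still accepts the assertion.
    """
    not_before = issue_time - timedelta(minutes=not_before_skew_minutes)
    not_on_or_after = issue_time + timedelta(minutes=lifetime_minutes)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0"
    IssueInstant="{issue_time.strftime(SAML_TIME)}">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">{email}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before.strftime(SAML_TIME)}" NotOnOrAfter="{not_on_or_after.strftime(SAML_TIME)}">
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(text):
    """SAML timestamps are UTC; strptime returns a naive value, so attach the zone explicitly."""
    return datetime.strptime(text, SAML_TIME).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, audience=AUDIENCE):
    """Return the reasons a relying party would reject the assertion at time `now` (empty list = accepted)."""
    root = ET.fromstring(xml_text)
    problems = []

    # Steps 16-18: the subject must be an email-format NameID that matches the E-Mail Address claim.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    email_attr = root.find(f"saml:AttributeStatement/saml:Attribute[@Name='{EMAIL_CLAIM}']/saml:AttributeValue", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in email format (the 'Email Address as Name ID' rule is not applied)")
    if email_attr is None or not email_attr.text:
        problems.append("E-Mail Address claim missing (rule not applied, or the AD user has no mail attribute)")
    elif name_id is not None and name_id.text != email_attr.text:
        problems.append("NameID does not match the E-Mail Address claim")

    # Step 3b: the validity window is judged by the relying party's clock, not the issuer's.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions element missing")
    else:
        not_before = parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
        if now < not_before:
            ahead = (not_before - now).total_seconds()
            problems.append(f"assertion not yet valid: NotBefore is {ahead:.0f}s ahead of this clock (raise NotBeforeSkew)")
        if now >= not_on_or_after:
            problems.append("assertion expired")
        aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
        if aud is None or aud.text != audience:
            problems.append("audience does not match the relying party trust identifier")
    return problems


def demo():
    """ADFS clock versus a relying-party clock 30 seconds behind it, with skew 0 and skew 2 (constructed times)."""
    adfs_now = datetime(2015, 3, 11, 17, 9, 24, tzinfo=timezone.utc)
    rp_now = adfs_now - timedelta(seconds=30)
    without_skew = check_assertion(issue_assertion("alice@example.test", adfs_now, 0), rp_now)
    with_skew = check_assertion(issue_assertion("alice@example.test", adfs_now, 2), rp_now)
    return without_skew, with_skew


if __name__ == "__main__":
    for label, result in zip(("NotBeforeSkew 0", "NotBeforeSkew 2"), demo()):
        print(label, "->", result or "accepted")
```

Run as a script it shows the same user rejected with NotBeforeSkew 0 and accepted with NotBeforeSkew 2 when the relying party's clock is 30 seconds behind the ADFS server; that is the failure the 2-minute skew above absorbs.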

 

3c) Configure Forms-based Authentication

ADFS 2.0

We've found that forms-based authentication (as opposed to ADFS' default of Windows-integrated authentication) supports a wider range of client browsers and operating systems, so we strongly encourage you to use this.  ADFS 2.0 uses the first entry in the localAuthenticationTypes list as the default handler, so the switch is a matter of reordering the two entries.  To make that switch:

Open "c:\inetpub\adfs\ls\web.config"

change:
<add name="Integrated" page="auth/integrated/" />
<add name="Forms" page="FormsSignIn.aspx" />

to:
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />

ADFS 3.0
 
With ADFS 3.0 you can enable both Windows Authentication and Forms Based Authentication at the same time. To do this within the ADFS Management Console, select the Authentication Policies folder in the left panel -> Action -> Edit Global Primary Authentication.
 
Check both Forms Authentication and Windows Authentication under Intranet, and click OK.
 
4. Send us your XML Metadata
 
At this point, Jostle has been set up as a relying party in ADFS.  Now your organization needs to be set up as an identity provider in Jostle.  To do this, retrieve the metadata document from https://<your ADFS URL>/FederationMetadata/2007-06/FederationMetadata.xml and send the results back to Jostle using our File Transfer method.
 ** It is important to get this data 1 week prior to when you want to start using SSO.
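The metadata file you send is how Jostle learns who your ADFS server is and how to trust it. The Python script below is an added example, not Jostle's code, showing what a service provider reads out of identity-provider metadata: the entityID, the signing certificate (as the SHA-1 thumbprint the ADFS console displays), the HTTP-POST SingleSignOnService and SingleLogoutService URLs, and the advertised NameID formats. It also flags the things worth fixing before sending the file. The sample metadata is constructed (real ADFS output is far longer and carries an XML signature), the hostname adfs.example.test is a placeholder, and the certificate body is valid base64 but not a real certificate.

```python
"""What a service provider reads from ADFS FederationMetadata.xml (added example, not Jostle code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder metadata. The certificate body is valid base64 only so the parser runs;
# it is not a real X.509 certificate.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{POST_BINDING}" Location="https://adfs.example.test/adfs/ls/"/>
    <NameIDFormat>{EMAIL_FORMAT}</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="{POST_BINDING}" Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Pull out the fields a service provider needs in order to trust this identity provider."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file does not describe an identity provider")
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode(cert.text)  # b64decode ignores the line breaks ADFS emits inside the element
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())  # SHA-1 thumbprint, as the ADFS console shows it
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "signing_thumbprints": thumbprints,
        "sso_post_url": sso.get(POST_BINDING),
        "slo_post_url": slo.get(POST_BINDING),
        "name_id_formats": [f.text for f in idp.findall("md:NameIDFormat", NS)],
    }


def readiness_problems(summary):
    """Things to fix before sending the metadata; each string is one problem, an empty list means ready."""
    problems = []
    if not summary["entity_id"]:
        problems.append("entityID missing")
    if not summary["signing_thumbprints"]:
        problems.append("no signing certificate: the service provider cannot verify assertion signatures")
    if not summary["sso_post_url"]:
        problems.append("no SingleSignOnService with HTTP-POST binding")
    elif not summary["sso_post_url"].startswith("https://"):
        problems.append("SingleSignOnService URL is not HTTPS (steps 1 and 2: ADFS must be published over TLS)")
    if EMAIL_FORMAT not in summary["name_id_formats"]:
        problems.append("identity provider does not advertise the email NameID format used by the Name ID claim rule")
    return problems


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_METADATA)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("problems:", readiness_problems(summary) or "none")
```

Point `summarize_idp_metadata` at the contents of your own FederationMetadata.xml before you send it: the signing thumbprint it prints should match the token-signing certificate shown under Service > Certificates in the ADFS console, and the SingleSignOnService URL should be the public HTTPS name from step 1.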
 

5. Convert Jostle password users to SSO

As you likely already have a few users who are using Jostle passwords, see our guide for converting those accounts to SSO authentication.
