SSO with Active Directory Federation Services (ADFS)

 

Overview

SSO allows you to use your existing Active Directory user base for user management on your Jostle platform. In other words, Jostle does not create usernames and passwords for you in the application; instead, when your users access Jostle, Jostle passes the authentication request back to your AD domain. This is done through an AD add-on called Active Directory Federation Services (ADFS).

The main benefits are:

  • You get to manage only one set of user credentials across your organization via AD.
  • Once you log into one SSO application your authentication stays valid for the others.

It does not inherently:

  • Allow password-less logins.

Steps to get ADFS/SSO up and running

1. Set up a public-facing domain name for the ADFS server

Communication between Jostle and ADFS occurs over HTTPS, so you will need a domain or subdomain for your ADFS server with a published DNS record (i.e. Internet routable). We should be able to resolve the address from our office (it usually loads the default IIS server page). Access can be restricted to the HTTPS default port (443), but for testing purposes ICMP and port 80 should be allowed through as well.

2. A certificate from a well-known certificate authority

The domain used in step 1 needs to be secured via SSL. Use a certificate authority that is included by default in most browsers' trusted certificate authority lists. Here are a few companies that are included by default:

  1. http://www.digicert.com/
  2. http://www.verisign.com

3. General ADFS set up

If you are going to use ADFS, you have to install and configure ADFS 2.0. The installation and configuration is specific to your environment including configuration related to your Active Directory, the details of which are beyond the scope of this article.  As part of this set up, you will have to get an SSL certificate (if you don’t already have one that you plan to use) since ADFS will act as the identity provider and the protocol will be using HTTPS.  Once you have done the general installation and set up, you can use the instructions below to integrate with Jostle.

How to install ADFS

Install the ADFS 2.0 Software (Microsoft)

External versus Internal access

Jostle and ADFS communicate over HTTPS, but all the user authentication occurs between your users and ADFS.  This gives you the option of controlling whether you allow users to authenticate from outside your network or not.  This is controlled through ADFS, and requires no changes on Jostle's side.

3a) Configuring ADFS for Jostle: Configuring the relying party (Deploy certificates)

  1. Save the Jostle public key certificate below (everything including ---- BEGIN CERTIFICATE ---- and ---- END CERTIFICATE ----) into a file called jostle.cer somewhere in the filesystem
  2. Start ADFS Management application 
  3. In the Actions menu, select “Add Relying Party Trust” which will bring up the “Add Relying Party Trust Wizard” 
  4. Select "Claims aware" in the Welcome screen and then Click ‘Start’ 
  5. Select “Enter data about the relying party manually” and hit ‘Next’
  6. Enter “Jostle” in Display name and hit ‘Next’ 
  7. In the Configure Certificate step, hit ‘Browse’ and choose jostle.cer, then hit ‘Next’ 
  8. In the Configure URL step, select ‘Enable support for the SAML 2.0 WebSSO Protocol’ and enter the following into the ‘Relying party SAML 2.0 SSO service URL': https://login-prod.jostle.us/saml/SSO/alias/newjostle.us
  9. In the Configure Identifiers step, in the ‘Relying party trust identifier’ field enter: https://jostle.us  And then hit ‘Add’ and then ‘Next’
  10. In the Choose Issuance Authorization Rules step, choose ‘Permit everyone’ and then hit ‘Next’
  11. In the Ready to Add Trust step, hit ‘Next’ 
  12. In the Finish step, check the ‘Open the Edit Claim Rules dialog for this relying party when this wizard closes’ and hit ‘Close’ 
  13. When the Edit Claims Rules dialog comes up, select ‘Issuance Transform Rules’ tab and hit ‘Add Rule’ 
  14. In Choose Rule Type step, under Claim rule template select ‘Send LDAP attributes as Claims’ and hit ‘Next’ 
  15. In the Configure Claim Rule step, create a mapping as follows:
    • Claim rule name: Email Addresses As Email
    • Attribute Store: Active Directory
    • Mapping of LDAP attribute to outgoing claim types: E-Mail-Addresses to E-Mail Address
  16. Create another new rule by clicking 'Add Rule', under Claim rule template select ‘Transform an Incoming Claim’ and hit ‘Next’. 
  17. In the Configure Claim Rule step, create a mapping as follows:
    • Claim rule name: Email Address as Name ID
    • Incoming claim type: E-Mail Address
    • Outgoing claim type: Name ID
    • Outgoing name ID format: Email
    • Select 'Pass through all claim values' 
    • Note: this rule should be Order 2 and the previous rule is Order 1
  18. In the ADFS Management application, open the AD FS folder, then the Trust Relationships folder, then select ‘Relying Party Trusts’ and double-click ‘Jostle’ in the Relying Party Trusts list.
  19. Select the Signature tab and hit ‘Add’, then select ‘jostle.cer’ and hit ‘Open’, then ‘Apply’ and ‘OK’ (for the Encryption tab, either leave it blank or add ‘jostle.cer’, as desired).
  20. Select Advanced tab and change the secure hash algorithm to SHA-256.
  21. You can optionally set up Single Sign Out. Right-click Jostle in the list of Relying Party Trusts and go to Properties. Under the Endpoints tab, click Add SAML and set the Endpoint type to SAML Logout. Set Binding to POST and fill in the Trusted URL as follows: https://login-prod.jostle.us/saml/SingleLogout/alias/newjostle.us  Hit ‘OK’ then ‘Apply’.
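The same relying party trust can be created from PowerShell instead of the wizard. The script below is an added example and not part of the Jostle article: it reproduces steps 6 through 21 with the ADFS cmdlets (the ADFS 2.0 snap-in or the ADFS 3.0 module), using the URLs, identifier and claim mappings given above; the path C:\temp\jostle.cer is an assumption.

```powershell
# Added example (not from the Jostle article): section 3a as a script.
# Run in an elevated PowerShell on the ADFS server. -ErrorAction on the
# snap-in lets the same script run on ADFS 3.0, where the module auto-loads.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$certPath   = "C:\temp\jostle.cer"   # assumed: where you saved the certificate from step 1
$jostleCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# Step 8: the relying party's SAML 2.0 assertion consumer endpoint (POST binding).
$sso = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri "https://login-prod.jostle.us/saml/SSO/alias/newjostle.us"
# Step 21 (optional): the single logout endpoint.
$slo = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout `
    -Uri "https://login-prod.jostle.us/saml/SingleLogout/alias/newjostle.us"

# Steps 13-17 in claim rule language: AD mail attribute -> E-Mail Address claim
# (order 1), then E-Mail Address -> Name ID in the email format (order 2).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Addresses As Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Address as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 10: the "Permit everyone" issuance authorization rule.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Steps 6, 9, 19 and 20: display name, identifier, request-signing certificate, SHA-256.
# Step 7's token-encryption certificate is optional per step 19; add
# -EncryptionCertificate $jostleCert if you want it set as well.
Add-AdfsRelyingPartyTrust -Name "Jostle" `
    -Identifier "https://jostle.us" `
    -RequestSigningCertificate $jostleCert `
    -SamlEndpoint @($sso, $slo) `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Confirm the trust looks the way the wizard would have left it.
Get-AdfsRelyingPartyTrust -Name "Jostle" |
    Select-Object Name, Identifier, SignatureAlgorithm, NotBeforeSkew,
        @{ n = 'Endpoints'; e = { ($_.SamlEndpoints | ForEach-Object { $_.Protocol }) -join ', ' } }
```

If you are using a subdomain, replace the identifier with https://<subdomain>.jostle.us as described in section 3b.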

Public Key


3b) Set the NotBeforeSkew to allow for time drift between your server and ours:

Open Windows PowerShell via the Start Menu, and run these commands:

ADFS 2.0

# Load the ADFS PowerShell snap-in
Add-PSSnapin Microsoft.Adfs.PowerShell

# Just to see what the current values are
Get-ADFSRelyingPartyTrust -Identifier "https://jostle.us"

# Set the skew to 2 minutes
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://jostle.us" -NotBeforeSkew 2

ADFS 3.0

# Just to see what the current values are
Get-ADFSRelyingPartyTrust -Identifier "https://jostle.us"

# Set the skew to 2 minutes
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://jostle.us" -NotBeforeSkew 2

 

We have found that this is almost always necessary to ensure reliable user authentications. 

Note that if you are using a subdomain, the identifier will be "https://<subdomain>.jostle.us"

 

3c) Configure Forms-based Authentication

ADFS 2.0

We've found that forms-based authentication (as opposed to ADFS' default of Windows-integrated authentication) supports a wider range of client browsers and operating systems, so we strongly encourage you to use this.  To make that switch:

Open "c:\inetpub\adfs\ls\web.config"

change:
<add name="Integrated" page="auth/integrated/" />
<add name="Forms" page="FormsSignIn.aspx" />

to:
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />

ADFS 3.0
 
With ADFS 3.0 you can enable both Windows Authentication and Forms Based Authentication at the same time. To do this within the ADFS Management Console, select the Authentication Policies folder in the left panel -> Action -> Edit Global Primary Authentication.
 
Check both Forms Authentication and Windows Authentication under Intranet, and click OK.
 
4. Send us your XML Metadata
 
It is important to get this data 1 week prior to when you want to start using SSO.
At this point, Jostle has been set up as a relying party. Now your organization needs to be set up as an identity provider in Jostle. To do this, please go to this URL: https://<your ADFS URL>/FederationMetadata/2007-06/FederationMetadata.xml and send the results back to Jostle. Please use our File Transfer method.
 
NOTE: whenever you renew or update your ADFS certificate, you will need to send Jostle your new XML file once the certificate has been applied on your end.
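Before sending the metadata file, and again after each certificate renewal, it is worth checking what it actually contains. The script below is an added example and not part of the Jostle article: it reads a saved FederationMetadata.xml, prints the entityID and the SAML 2.0 SSO endpoints, and lists each token-signing certificate with its thumbprint and expiry; the file path is an assumption.

```powershell
# Added example (not from the Jostle article): inspect a saved
# FederationMetadata.xml before sending it, and after a certificate renewal.
param(
    # Assumed: the file downloaded from
    # https://<your ADFS URL>/FederationMetadata/2007-06/FederationMetadata.xml
    [string]$MetadataPath = ".\FederationMetadata.xml"
)

$doc = New-Object System.Xml.XmlDocument
$doc.Load((Resolve-Path $MetadataPath).Path)

# SAML metadata and XML-DSig namespaces used in ADFS federation metadata.
$ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$entity = $doc.SelectSingleNode("/md:EntityDescriptor", $ns)
"entityID : {0}" -f $entity.GetAttribute("entityID")

# The IdP role is what Jostle consumes; the POST binding is the one its
# relying party endpoint (section 3a, step 8) is configured for.
$idp = $entity.SelectSingleNode("md:IDPSSODescriptor", $ns)
foreach ($svc in $idp.SelectNodes("md:SingleSignOnService", $ns)) {
    "SSO      : {0}  [{1}]" -f $svc.GetAttribute("Location"), $svc.GetAttribute("Binding")
}

# Token-signing certificates. Two appear during a rollover; a new one here
# means Jostle needs the updated file, as the note above says.
foreach ($kd in $idp.SelectNodes("md:KeyDescriptor[@use='signing']", $ns)) {
    $b64   = $kd.SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns).InnerText
    $bytes = [Convert]::FromBase64String($b64)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$bytes)
    "signing  : {0}  thumbprint={1}  expires={2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Token-signing certificate $($cert.Thumbprint) expires within 30 days; plan to resend the metadata."
    }
}
```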

 

5. Convert Jostle password users to SSO

As you likely already have a few users who are using Jostle passwords, see our guide for converting those accounts to SSO authenticated.

 

TIP: Using SSO with the Jostle mobile app (iOS)

Our iOS mobile app only supports ADFS when forms-based authentication is configured. For iOS users, take these steps to avoid problems (e.g. blank pages) when accessing Jostle via SSO:

  • make sure that the form-based configuration is ON in your ADFS.
  • make sure Mozilla/5.0 is not added in the list of WIASupportedUserAgents (since this will force the iOS device to use Windows Authentication, which will fail).

2 Comments

    Eric Toll

    5. Convert Jostle password users to SSO

    As you likely already have a few users who are using Jostle passwords, see our guide for converting those accounts to SSO authenticated.

    #5 has a bad, non-working link

    Permanently deleted user

    Hi Eric,

    Thanks for letting us know, we've updated the link.

    Cheers,

    Vince
