Overview
SSO will allow you to use your existing Active Directory userbase as user management for your Jostle platform. In other words, Jostle will not create usernames and passwords for you in the application, but instead when your users access Jostle, Jostle will pass back the authentication request to your AD domain. This is done through an AD add-on called Active Directory Federation Services (ADFS).
The main benefits are:
- You get to manage only one set of user credentials across your organization via AD.
- Once you log into one SSO application your authentication stays valid for the others.
It does not inherently:
- Allow password-less logins.
Steps to get ADFS/SSO up and running
- Set up a public-facing domain name for the ADFS server
- Purchase an SSL certificate for the ADFS domain
- Install ADFS on your AD server, or domain controller
- Send us the XML metadata **
- Convert existing users from Jostle password to SSO
- TIP: Using SSO with the Jostle mobile app (iOS)
** It is important to get this data 1 week prior to when you want to start using SSO. This will allow us enough time to deploy your data, and test.
1. Set up a public-facing domain name for the ADFS server
Communication between Jostle and ADFS occurs over HTTPS, therefore you will need a domain or subdomain to use for your ADFS server, with a published DNS record (i.e. Internet-routable). We should be able to resolve the address from our office (usually it loads the default IIS server page). Access can be restricted to the HTTPS default port (443), but for testing purposes ICMP and port 80 should be allowed through as well.
2. A certificate from a well-known certificate authority
The domain used in step 1 needs to be secured via SSL. It is best to use an SSL provider that is by default part of most browsers' trusted certificate authority lists. Here are a few companies that are by default included:
3. General ADFS set up
If you are going to use ADFS, you have to install and configure ADFS 2.0. The installation and configuration is specific to your environment including configuration related to your Active Directory, the details of which are beyond the scope of this article. As part of this set up, you will have to get an SSL certificate (if you don’t already have one that you plan to use) since ADFS will act as the identity provider and the protocol will be using HTTPS. Once you have done the general installation and set up, you can use the instructions below to integrate with Jostle.
How to install ADFS
Install the ADFS 2.0 Software (Microsoft)
External versus Internal access
Jostle and ADFS communicate over HTTPS, but all the user authentication occurs between your users and ADFS. This gives you the option of controlling whether you allow users to authenticate from outside your network or not. This is controlled through ADFS, and requires no changes on Jostle's side.
3a) Configuring ADFS for Jostle: Configuring the relying party (Deploy certificates)
- Save the Jostle public key certificate below (everything including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into a file called jostle.cer somewhere in the filesystem
- Start ADFS Management application
- In the Actions menu, select “Add Relying Party Trust” which will bring up the “Add Relying Party Trust Wizard”
- Select "Claims aware" in the Welcome screen and then Click ‘Start’
- Select “Enter data about the relying party manually” and hit ‘Next’
- Enter “Jostle” in Display name and hit ‘Next’
- In the Configure Certificate step, hit ‘Browse’ and choose jostle.cer, then hit ‘Next’
- In the Configure URL step, select ‘Enable support for the SAML 2.0 WebSSO Protocol’ and enter the following into the ‘Relying party SAML 2.0 SSO service URL': https://login-prod.jostle.us/saml/SSO/alias/newjostle.us
- In the Configure Identifiers step, in the ‘Relying party trust identifier’ field enter: https://jostle.us And then hit ‘Add’ and then ‘Next’
- In the Choose Issuance Authorization Rules step, choose ‘Permit everyone’ and then hit ‘Next’
- In the Ready to Add Trust step, hit ‘Next’
- In the Finish step, check the ‘Open the Edit Claim Rules dialog for this relying party when this wizard closes’ and hit ‘Close’
- When the Edit Claims Rules dialog comes up, select ‘Issuance Transform Rules’ tab and hit ‘Add Rule’
- In Choose Rule Type step, under Claim rule template select ‘Send LDAP attributes as Claims’ and hit ‘Next’
- In the Configure Claim Rule step, create a mapping as follows:
- Claim rule name: Email Addresses As Email
- Attribute Store: Active Directory
- Mapping of LDAP attribute to outgoing claim types: E-Mail-Addresses to E-Mail Address
- Create another new rule by clicking 'Add Rule', under Claim rule template select ‘Transform an Incoming Claim’ and hit ‘Next’.
- In the Configure Claim Rule step, create a mapping as follows:
- Claim rule name: Email Address as Name ID
- Incoming claim type: E-Mail Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
- Select 'Pass through all claim values'
- Note: this rule should be Order 2 and the previous rule is Order 1
- In the ADFS Management application, open the AD FS folder, then open the Trust Relationships folder, then select ‘Relying Party Trusts’ and double click on ‘Jostle’ in the Relying Party Trusts list.
- Select the Signature tab and then hit ‘Add’, then select ‘jostle.cer’ and then hit ‘Open’, then ‘Apply’ and ‘OK’ (for the Encryption tab, leave it blank or, if desired, add 'jostle.cer').
- Select Advanced tab and change the secure hash algorithm to SHA-256.
- You can optionally set up Single Sign Out. Right click Jostle under the list of Relying Party Trusts and go to Properties. Under the Endpoints tab, click Add SAML and set the Endpoint type to SAML Logout. Binding should be set to POST; then fill in the Trusted URL as follows: https://login-prod.jostle.us/saml/SingleLogout/alias/newjostle.us Hit 'OK' then 'Apply'.
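The same relying party trust, created from PowerShell instead of the wizard, as an added example (not Jostle's own script). It assumes ADFS 3.0 on the ADFS server (on ADFS 2.0, run Add-PSSnapin Microsoft.Adfs.PowerShell first), that jostle.cer from the first step was saved at C:\temp\jostle.cer (a constructed path), and it also applies the NotBeforeSkew from section 3b so the whole trust is set in one go.

```powershell
# Added example, not part of the Jostle article. Run in an elevated PowerShell on the ADFS server.
$CerPath    = 'C:\temp\jostle.cer'         # assumed location of the saved jostle.cer
$Identifier = 'https://jostle.us'          # https://<subdomain>.jostle.us if you use a subdomain
$SsoUrl     = 'https://login-prod.jostle.us/saml/SSO/alias/newjostle.us'
$SloUrl     = 'https://login-prod.jostle.us/saml/SingleLogout/alias/newjostle.us'

# Jostle's public certificate, used to verify the signature on incoming SAML requests
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Issuance transform rules, in the order the wizard steps produce them:
#   1) LDAP attribute E-Mail-Addresses (mail) -> E-Mail Address claim
#   2) E-Mail Address -> Name ID, outgoing name ID format Email
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Addresses As Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Address as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule equivalent to 'Permit everyone'
$AuthRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# SAML 2.0 WebSSO endpoint (POST binding) plus the optional Single Sign Out endpoint
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $SsoUrl -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $SloUrl
)

Add-AdfsRelyingPartyTrust -Name 'Jostle' `
    -Identifier $Identifier `
    -SamlEndpoint $Endpoints `
    -RequestSigningCertificate $Cert `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceAuthorizationRules $AuthRules `
    -IssuanceTransformRules $TransformRules `
    -NotBeforeSkew 2   # section 3b: tolerate 2 minutes of clock drift

# Read the trust back to confirm the hash algorithm, skew and endpoints ADFS stored
Get-AdfsRelyingPartyTrust -Identifier $Identifier |
    Select-Object Name, Identifier, SignatureAlgorithm, NotBeforeSkew, SamlEndpoints
```

If you prefer the wizard, the Get-AdfsRelyingPartyTrust line at the end is still a useful check that the SHA-256 setting and the skew from section 3b actually took effect.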
Public Key
3b) Set the NotBeforeSkew to allow for time drift between your server and ours:
Open Windows PowerShell via the Start Menu, and run these commands (type straight quotes and hyphens; the curly quotes and en-dashes that some editors substitute will not parse):
ADFS 2.0
1) Add-PSSnapin Microsoft.Adfs.PowerShell   # Load the ADFS PowerShell snap-in
2) Get-ADFSRelyingPartyTrust -Identifier "https://jostle.us"   # Just to see what the values were
3) Set-ADFSRelyingPartyTrust -TargetIdentifier "https://jostle.us" -NotBeforeSkew 2   # Set the skew to 2 minutes
ADFS 3.0
1) Get-ADFSRelyingPartyTrust -Identifier "https://jostle.us"   # Just to see what the values were
2) Set-ADFSRelyingPartyTrust -TargetIdentifier "https://jostle.us" -NotBeforeSkew 2   # Set the skew to 2 minutes
We have found that this is almost always necessary to ensure reliable user authentications.
Note that if you are using a subdomain, the identifier will be "https://<subdomain>.jostle.us".
3c) Configure Forms-based Authentication
ADFS 2.0
We've found that forms-based authentication (as opposed to ADFS' default of Windows-integrated authentication) supports a wider range of client browsers and operating systems, so we strongly encourage you to use this. ADFS 2.0 uses the first entry in the localAuthenticationTypes list as the default sign-in method for browser requests, so the switch is simply a matter of moving Forms to the top. To make that switch:
Open "C:\inetpub\adfs\ls\web.config" and, in the <localAuthenticationTypes> section, change:
<add name="Integrated" page="auth/integrated/" />
<add name="Forms" page="FormsSignIn.aspx" />
to:
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
5. Convert Jostle password users to SSO
As you likely already have a few users who are using Jostle passwords, see our guide for converting those accounts to SSO authenticated.
TIP: Using SSO with the Jostle mobile app (iOS)
Our iOS mobile app only supports ADFS in the forms-based configuration. For mobile iOS users, take these steps to avoid problems (e.g. blank pages) when accessing Jostle via SSO:
- make sure that the form-based configuration is ON in your ADFS.
- make sure Mozilla/5.0 is not added in the list of WIASupportedUserAgents (since this will force the iOS device to use Windows Authentication, which will fail).