SAML Single Sign-On (SSO) for Active Directory Federation Service (ADFS)


Overview

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider, which lets users reach several applications through one Single Sign-On (SSO) login. Gearbox provides SAML-based SSO integration with multiple identity providers. This article walks through the configuration steps using Active Directory Federation Service (ADFS).

Upon activation, users can access their accounts through SSO seamlessly.


To use ADFS, you must have the following to complete this setup:
  1. Gearbox administrative privileges.
  2. An Active Directory instance where every user has an email address attribute.
  3. An SSL certificate to sign your ADFS login page.


High-Level Workflow


Setup

1. Log in to Gearbox, click the User Icon (1), and navigate to Settings (2).



2. In the sidebar, scroll down to Integrations (3).



3. Locate the "SAML Single Sign-On" panel and click on it to reveal the settings (1).



4. Enable (1) SAML single sign-on, then enter the Single Sign-On URL (2) and optional metadata URL (3) of your identity provider for Gearbox to contact (both URLs must use HTTPS). Lastly, paste in the full signing certificate (4) from your identity provider and click Save (5).


5. Once the settings are saved, Gearbox displays the following information, which you will need when setting up the identity provider.


6. Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust. In the Select Data Source screen, select the first option, Import data about the relying party published online or on a local network. On the next screen, enter a Display name that you’ll recognise in the future, and any notes you want to make.



7. On the next screen, you may configure multi-factor authentication but this is beyond the scope of this guide.


8. On the next screen, select the Permit all users to access this relying party radio button.



9. On the next two screens, the wizard displays an overview of your settings. On the final screen, use the Close button to exit and open the Claim Rules editor.

10. Once the relying party trust has been created, you can create the claim rules that map user data from Active Directory into the SAML 2.0 message.



11. To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.



12. On the next screen, using Active Directory as your attribute store, do the following:
  1. From the LDAP Attribute column, select E-Mail Addresses.
  2. From the Outgoing Claim Type, select E-Mail Address.
  3. From the LDAP Attribute column, select Given-Name.
  4. From the Outgoing Claim Type, enter First Name.
  5. From the LDAP Attribute column, select Surname.
  6. From the Outgoing Claim Type, enter Last Name.
  7. Click on OK to save the new rule.

13. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.


14. On the next screen:
  1. Select E-mail Address as the Incoming Claim Type.
  2. For Outgoing Claim Type, select Name ID.
  3. For Outgoing Name ID Format, select Email.
  4. Leave the rule to the default of Pass through all claim values.
  5. Click OK to create the claim rule, and then OK again to finish creating rules.


15. Navigate to ADFS Certificates (1), then click the token-signing certificate (2) to view the certificate (3).

16. Click Copy to File to export the certificate.


17. Choose Base-64 encoded X.509 (.CER).


18. Copy the contents of the saved file and paste it into Gearbox's SAML full signing certificate field.
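The following script is an added example, not Gearbox's or Microsoft's code, for checking the pieces this procedure produces before and after enabling SSO: that the identity provider URLs entered in step 4 use HTTPS, that the pasted certificate from steps 17 and 18 is a well-formed Base-64 encoded X.509 PEM block, and that a SAML response built by the claim rules of steps 12 to 14 carries an email-format Name ID plus the E-Mail Address, First Name and Last Name claims. The sample response, the example.com URLs and the certificate body are constructed placeholders (the "certificate" is not a real X.509 certificate). Comparing the certificate embedded in the response with the configured one is a configuration sanity check only; the XML signature itself is verified by the service provider, which this script does not attempt.

```python
"""Sanity checks for a Gearbox/ADFS SAML SSO configuration (added example)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Name ID format selected as "Email" in step 14.
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Outgoing claim type ADFS uses for "E-Mail Address"; "First Name" and "Last Name"
# are the custom claim type names typed in step 12.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EXPECTED_CLAIMS = (EMAIL_CLAIM, "First Name", "Last Name")

# Constructed placeholder body; a real export contains the DER certificate in Base-64.
CERT_BODY = base64.b64encode(b"constructed-placeholder-not-a-real-cert").decode()
PEM_CERT = f"-----BEGIN CERTIFICATE-----\n{CERT_BODY}\n-----END CERTIFICATE-----\n"

# Constructed sample of what the claim rules above would emit for one user.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}">
  <saml:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_BODY}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_NAMEID}">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="First Name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Last Name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_idp_urls(sso_url, metadata_url=None):
    """Return a list of problems; both identity provider URLs must use HTTPS (step 4)."""
    problems = []
    for label, url in (("sign-on", sso_url), ("metadata", metadata_url)):
        if url is not None and urlparse(url).scheme != "https":
            problems.append(f"{label} URL must use https: {url}")
    return problems


def pem_body(pem):
    """Return the whitespace-stripped Base-64 body of a PEM certificate, or raise ValueError."""
    m = re.search(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("missing PEM markers: export as Base-64 encoded X.509 (.CER)")
    body = re.sub(r"\s+", "", m.group(1))
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base-64: {exc}") from exc
    return body


def is_valid_pem(pem):
    """True when the pasted text is a usable PEM certificate block."""
    try:
        pem_body(pem)
        return True
    except ValueError:
        return False


def inspect_response(xml_text, configured_pem):
    """Extract Name ID and claims from a SAML response and compare with the configuration."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in response")
    cert_el = assertion.find(".//ds:X509Certificate", NS)
    embedded = re.sub(r"\s+", "", cert_el.text or "") if cert_el is not None else ""
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    claims = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
              for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    nameid_value = nameid.text if nameid is not None else None
    return {
        "cert_matches": embedded == pem_body(configured_pem),
        "nameid": nameid_value,
        "nameid_is_email_format": nameid is not None and nameid.get("Format") == EMAIL_NAMEID,
        "claims": claims,
        "missing_claims": [c for c in EXPECTED_CLAIMS if c not in claims],
        "nameid_matches_email_claim": claims.get(EMAIL_CLAIM, [None])[0] == nameid_value,
    }


if __name__ == "__main__":
    print(check_idp_urls("https://adfs.example.com/adfs/ls/"))
    print(inspect_response(SAMPLE_RESPONSE, PEM_CERT))
```

A mismatch in `cert_matches` after an ADFS token-signing certificate rollover is the usual reason an SSO login that worked yesterday stops working, so repeating steps 15 to 18 and re-running this check is the first thing to try; an entry in `missing_claims` points at a claim rule whose outgoing claim type was not typed exactly as shown in step 12.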

