Configuring SSO between Samanage and ADFS

Document created by Joseph Brown (Employee) on Jan 24, 2017. Last modified by Joseph Brown (Employee) on May 23, 2017. Version 2.

To set up SSO (Single Sign-On) between Samanage and your ADFS (Active Directory Federation Services) server, follow the configuration procedure below:

In Samanage:

Enter your Identity Provider URL. For ADFS, see the screenshot below, and make sure you have uploaded the correct certificate:

[Screenshot: Samanage single sign-on settings page]

If you want your users to always log in via Active Directory SSO, check the box labelled ‘Redirect to the saml login page when logging into Samanage by default’ (at the bottom of the screenshot above).

In your ADFS server:

  1. Set the relying party to samanage.com. The relying party’s federation metadata URL is: https://YOURACCOUNTNAME.samanage.com/saml/metadata

  2. Define your endpoints: https://app.samanage.com/saml/YOURACCOUNTNAME and https://YOURACCOUNTNAME.samanage.com

  3. If you have set a CNAME in Samanage, e.g. https://support.YOURACCOUNT.com, also add it as an endpoint.

  4. Add a claims rule: Samanage needs to receive a NameID claim, and the NameID format must be email. Set ‘Outgoing claim type’ to Name ID and ‘Outgoing name ID format’ to Email (see screenshot).

[Screenshot: ADFS claim rule with Outgoing claim type Name ID and Outgoing name ID format Email]

In some organizations the instructions above may not work. When "AD FS 1.x E-Mail Address" is selected for "Incoming Claim Type", do the following to get it working:

  • Open AD FS Management Console
  • Go to "Trust Relationships"
  • Go to "Relying Party Trust"
  • Highlight the Rule you have created for Samanage
  • Click "Edit Claim Rules"
  • Click "Add Rule"
  • Select "Send LDAP Attributes as Claims"
  • Name the rule whatever you wish
  • Select the "Active Directory" attribute store
  • For the LDAP Attribute select "E-Mail Addresses"
  • For the Outgoing Claim Type select "AD FS 1.x E-Mail Address"
  • Click OK
  • Click Apply
  • Click OK
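The ADFS side of steps 1 to 4, together with the AD FS 1.x E-Mail Address claim just described, scripted with the ADFS PowerShell module as an added example (not from the Samanage article). YOURACCOUNTNAME and support.YOURACCOUNT.com are the article's placeholders; the trust name "Samanage" and the permit-all authorization rule are this example's assumptions.

```powershell
# Added example, not from the Samanage article: scripts the ADFS side of the steps
# above with the ADFS PowerShell module. "YOURACCOUNTNAME" and the CNAME
# "support.YOURACCOUNT.com" are the article's placeholders; replace them.
Import-Module ADFS

$account   = "YOURACCOUNTNAME"
$trustName = "Samanage"   # assumed display name for the relying party trust

# Step 1: create the relying party trust from Samanage's federation metadata URL
# (the relying party identifier is read from the metadata).
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl "https://$account.samanage.com/saml/metadata"

# Steps 2 and 3: SAML assertion consumer endpoints, plus the CNAME if one is set.
$urls  = @("https://app.samanage.com/saml/$account", "https://$account.samanage.com")
$cname = "https://support.YOURACCOUNT.com"   # set to $null when no CNAME is configured
if ($cname) { $urls += $cname }
$endpoints = @()
for ($i = 0; $i -lt $urls.Count; $i++) {
    $endpoints += New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri $urls[$i] -Index $i -IsDefault ($i -eq 0)
}
Set-AdfsRelyingPartyTrust -TargetName $trustName -SamlEndpoint $endpoints

# Step 4: claim rules. Rule 1 reads mail from AD as both the standard e-mail claim
# and the "AD FS 1.x E-Mail Address" type (http://schemas.xmlsoap.org/claims/EmailAddress),
# which covers the alternative procedure above; rule 2 maps e-mail to a Name ID in email format.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send e-mail addresses from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/EmailAddress"), query = ";mail,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail to Name ID (email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@
# A trust created from PowerShell has no authorization rules, so nobody can log in
# until one is added; this assumed rule permits all authenticated users.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules -IssuanceAuthorizationRules $permitAll

# Verify what was written before testing a login.
Get-AdfsRelyingPartyTrust -Name $trustName | Select-Object Name, Identifier, IssuanceTransformRules
Get-AdfsRelyingPartyTrust -Name $trustName | Select-Object -ExpandProperty SamlEndpoints
```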

If you ever find that Single Sign-On works in Internet Explorer but not in Firefox, Chrome, or another browser, the following may be the fix.

Try the following fix on the ADFS server using PowerShell (run as Administrator):

  1. Disable Extended Protection in ADFS 3.0 (this turns off the Extended Protection for Authentication channel-binding check on the ADFS endpoints, so weigh the browser compatibility gain against that loss)
    1. Set-ADFSProperties -ExtendedProtectionTokenCheck None
  2. Enable Chrome as a valid User Agent for NTLM authentication
    1. Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")
