In order to set up SSO (Single Sign-On) between Samanage and your ADFS (Active Directory Federation Services) server, follow the configuration procedure below:
Enter your Identity Provider URL. For ADFS this is the federation service's passive sign-on endpoint, https://<your-adfs-host>/adfs/ls/ (see screenshot below), and make sure you upload the correct certificate: the ADFS token-signing certificate (public part only), which Samanage uses to verify the signature on the SAML assertions it receives.
If you want your users to always log in via Active Directory SSO, check the box 'Redirect to the saml login page when logging into Samanage by default' (at the bottom of the screenshot above).
In your ADFS server:
- Set the relying party identifier to samanage.com. The relying party's federation metadata URL is: https://YOURACCOUNTNAME.samanage.com/saml/metadata
- Define your endpoints: https://app.samanage.com/saml/YOURACCOUNTNAME and https://YOURACCOUNTNAME.samanage.com
- If you have set a CNAME in Samanage, e.g. https://support.YOURACCOUNT.com, also add it as an endpoint.
- Add a claims rule: Samanage needs to receive the assertion with a NameID, and the NameID format must be email. So set 'Outgoing claim type' to NameID and 'Outgoing name ID format' to Email (see screenshot).
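The same relying party trust, claim rules and certificate export done from PowerShell on the ADFS server, as an added example that is not part of the original article and not Samanage's or Microsoft's own code. It assumes the ADFS cmdlets that ship with Windows Server 2012 R2 (ADFS 3.0), the placeholder account name YOURACCOUNTNAME, the placeholder CNAME support.YOURACCOUNT.com, and a trust display name of "Samanage"; change all of these to your own values.

```powershell
# Added example (not from the Samanage article). Run in an elevated PowerShell
# on the ADFS server. Placeholders: YOURACCOUNTNAME, support.YOURACCOUNT.com,
# and the trust display name "Samanage" are assumptions to be replaced.
Import-Module ADFS

$account   = "YOURACCOUNTNAME"
$trustName = "Samanage"

# Identity Provider URL to paste into Samanage: the ADFS passive endpoint.
$idpUrl = "https://$((Get-AdfsProperties).HostName)/adfs/ls/"
"Identity Provider URL for Samanage: $idpUrl"

# Export the primary token-signing certificate (public part, DER) for upload
# to Samanage. Never export the private key for this purpose.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$derBytes = $signing.Certificate.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes("$env:USERPROFILE\adfs-token-signing.cer", $derBytes)

# Claim rules in ADFS claim-rule language. Rule 1 reads the user's mail
# attribute from Active Directory; rule 2 turns it into a SAML NameID with
# the emailAddress format, which is what Samanage expects.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address to NameID (email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Assertion consumer endpoints: the app.samanage.com login URL, the account
# subdomain and the custom CNAME. Each endpoint needs a unique Index.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Index 0 -IsDefault $true -Uri "https://app.samanage.com/saml/$account"
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Index 1 -Uri "https://$account.samanage.com"
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Index 2 -Uri "https://support.YOURACCOUNT.com"
)

# The wizard's "import from metadata URL" is the -MetadataUrl parameter set,
# which cannot be combined with -Identifier/-SamlEndpoint; the trust is
# defined explicitly here so every identifier and endpoint is visible.
# Metadata URL, for reference: https://$account.samanage.com/saml/metadata
# Without an issuance authorization rule nobody is allowed to get a token,
# so a permit-all rule is added alongside the transform rules.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier @("samanage.com") `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Verify what was created.
Get-AdfsRelyingPartyTrust -Name $trustName | Select-Object Name, Identifier, @{n='Endpoints';e={$_.SamlEndpoints.Location -join ', '}}
```

The two rule blocks are the claim-rule language that the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" wizard templates generate, so the result is the same as the GUI steps above and can be inspected afterwards under "Edit Claim Rules".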
In some organizations the above instructions may not work. This happens when "AD FS 1.x E-Mail Address" is selected as the "Incoming Claim Type" of the NameID rule, because no rule issues that claim yet. To get it working, add one that does:
- Open the AD FS Management Console
- Go to "Trust Relationships"
- Go to "Relying Party Trusts"
- Highlight the relying party trust you created for Samanage
- Click "Edit Claim Rules"
- Click "Add Rule"
- Select "Send LDAP Attributes as Claims"
- Name the rule whatever you wish
- Select the "Active Directory" attribute store
- For the LDAP Attribute select "E-Mail Addresses"
- For the Outgoing Claim Type select "AD FS 1.x E-Mail Address"
- Click Ok
- Click Apply
- Click Ok
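The same fallback rule added from PowerShell, as an added example that is not part of the original article and not Samanage's own code. It assumes the trust was created with the display name "Samanage" and that the ADFS 3.0 cmdlets are available; both are assumptions. The point it makes that the GUI hides is that Set-AdfsRelyingPartyTrust -IssuanceTransformRules replaces the entire rule set, so the new rule has to be appended to the existing rules rather than written on its own.

```powershell
# Added example (not from the Samanage article). Trust display name "Samanage"
# is an assumption; run in an elevated PowerShell on the ADFS server.
Import-Module ADFS

$trustName = "Samanage"
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found" }

# "Send LDAP Attributes as Claims": LDAP attribute "E-Mail Addresses" (mail)
# -> outgoing claim type "AD FS 1.x E-Mail Address", whose URI is
# http://schemas.xmlsoap.org/claims/EmailAddress.
$adfs1EmailType = 'http://schemas.xmlsoap.org/claims/EmailAddress'
$emailRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "E-Mail Addresses to AD FS 1.x E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$adfs1EmailType"), query = ";mail;{0}", param = c.Value);
"@

# -IssuanceTransformRules overwrites the whole rule set, so append.
$existing = $trust.IssuanceTransformRules
if ($existing -and $existing.Contains($adfs1EmailType)) {
    "A rule issuing $adfs1EmailType already exists; nothing to do."
} else {
    $combined = if ($existing) { $existing.TrimEnd() + "`r`n`r`n" + $emailRule } else { $emailRule }
    Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $combined
}

# Verify: list the names of all rules now attached to the trust.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules -split "`r?`n" |
    Where-Object { $_ -like '@RuleName*' }
```

After running it, the existing NameID transform rule whose incoming claim type is "AD FS 1.x E-Mail Address" has a claim to act on, which is exactly what the GUI steps above achieve.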
If you ever have the issue of Single Sign-On working in Internet Explorer but not in Firefox, Chrome or another browser, the following may be the fix.
Try it on the ADFS server using PowerShell (run as Administrator):
- Disable Extended Protection in ADFS 3.0. Note that this switches off channel binding for Windows Integrated Authentication, which is what ties the NTLM/Kerberos exchange to the TLS connection and prevents it being relayed through a TLS-terminating middlebox, so only do this if the user-agent change below is not enough on its own:
- Set-ADFSProperties -ExtendedProtectionTokenCheck None
- Enable Chrome as a valid User Agent for NTLM authentication (Chrome's User-Agent string begins with "Mozilla/5.0"):
- Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")
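The same browser fix applied in a way that can be audited and reverted, as an added example that is not part of the original article and not Samanage's or Microsoft's own code. It assumes the ADFS 3.0 cmdlets and the service name adfssrv; the switch variable $DisableExtendedProtection is my own name, not an ADFS setting. It records the previous values, appends "Mozilla/5.0" to whatever user-agent list is already configured instead of overwriting it, and only turns Extended Protection off when explicitly asked to.

```powershell
# Added example (not from the Samanage article). Run in an elevated PowerShell
# on the ADFS server. $DisableExtendedProtection is a local variable introduced
# here; set it to $true only if the user-agent change alone does not fix SSO.
Import-Module ADFS

$DisableExtendedProtection = $false

# Record the current state so the change can be reverted.
$before = Get-AdfsProperties
"Before: ExtendedProtectionTokenCheck = $($before.ExtendedProtectionTokenCheck)"
"Before: WIASupportedUserAgents       = $($before.WIASupportedUserAgents -join ', ')"

# 1. Chrome (like Firefox, Safari and Edge) sends a User-Agent that begins with
#    "Mozilla/5.0"; listing that token makes ADFS offer Windows Integrated
#    Authentication to it. Append so the stock IE/Trident entries are kept.
$agents = @($before.WIASupportedUserAgents)
if ($agents -notcontains "Mozilla/5.0") {
    $agents += "Mozilla/5.0"
    Set-AdfsProperties -WIASupportedUserAgents $agents
    "Added Mozilla/5.0 to WIASupportedUserAgents"
}

# 2. Extended Protection. "Allow" keeps channel binding for clients that
#    support it; "None" disables it for everyone and removes the protection
#    against relaying the NTLM exchange through a TLS-terminating attacker or
#    proxy. Only go to None when explicitly requested.
if ($DisableExtendedProtection) {
    Set-AdfsProperties -ExtendedProtectionTokenCheck None
    "ExtendedProtectionTokenCheck set to None"
} elseif ($before.ExtendedProtectionTokenCheck -eq "Require") {
    Set-AdfsProperties -ExtendedProtectionTokenCheck Allow
    "ExtendedProtectionTokenCheck relaxed from Require to Allow"
}

# The user-agent list is read when the service starts.
Restart-Service adfssrv

$after = Get-AdfsProperties
"After:  ExtendedProtectionTokenCheck = $($after.ExtendedProtectionTokenCheck)"
"After:  WIASupportedUserAgents       = $($after.WIASupportedUserAgents -join ', ')"

# Rollback, if needed:
# Set-AdfsProperties -ExtendedProtectionTokenCheck $before.ExtendedProtectionTokenCheck
# Set-AdfsProperties -WIASupportedUserAgents $before.WIASupportedUserAgents
# Restart-Service adfssrv
```

One side effect to plan for: "Mozilla/5.0" matches practically every non-IE browser, so users on devices that are not domain-joined or whose browser is not configured for integrated authentication will be challenged with an NTLM credential prompt instead of the forms sign-in page.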