ADFS is a Microsoft’s Single Sign On solution and a popular web-based authentication service. The service is primarily used to provide one set of login credentials i.e. username and password to access multiple applications and a variety of sites not necessarily hosted within the same domain. To integrate your corporate Active Directory to any third party application you need to setup ADFS role which will provide SSO and the users will be able to login to the application with their Active Directory credentials.
Here is how you can setup SSO using ADFS 2.0:
To implement the ADFS integration on VIDIZMO, you are required to have:
- Administrative rights on organization’s Active Directory and ADFS implementation.
- Public domain or sub-domain has to be available which points to this server and resolves publically over the internet.
- A valid SSL certificate is required from a 3rd party domain needs to be installed on this server as well so that it can handle HTTPS request.
Note: This document assumes that you have already installed ADFS role on a separate server connected to your domain. In this article, we are using certificate *.vidizmo.com.
Relying Party Configuration in ADFS
1. Run Remote Desktop Connector on your machine and connect to the remote machine. You will be prompted for credentials:
i. Click on Use a different account option.
ii. Enter the username.
iii. Enter the password.
iv. Click OK to connect.
2. The ADFS Management Console will open after successful connection:
i. Click on Tools.
ii. Select AD FS Management from the dropdown list.
3. At AD FS Console:
i. Click on Trust Relationships.
ii. Select Relying Party Trusts under it.
iii. Now click on Add Relying Party Trust... to add a new relying party.
4. The Add Relying Party Trust Wizard will run. Click on Start to begin.
3. At Select Data Source step, select an option that the wizard will use to obtain data about this relying party.
i. Select Import data about the relying party published online or on a local network option and enter the following URL in Federation metadata address (host name or URL) textbox:ii. Click Next >.
4. At Specify Display Name step:
i. Enter a suitable Display name.
ii. Click Next > to proceed.
5. At the Choose Issuance Authorization Rules step, you have to set the initial behavior of the relying party's issuance authorization rules.
i. Select the Permit all users to access this relying party option
ii. Click Next
6. You are about to add a relying party trust successfully. You can review the settings at this stage. You can go back by clicking on Previous to make changes if required. Click on Next to continue.
7. The Relying Party Trust is successfully added. Click Close.
Note: Make sure to select the checkbox Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
8. Now at ADFS Management Console, right click on the recently added Relying Party Trust and go to Properties.
9. [Relying Party Trust] Properties window will open. Click on Test URL.
10. A popup window will appear with a message stating: The federation metadata URL was validated successfully. Click OK to continue.
11. At ADFS Management Console, select the Relying Party Trust and click on Edit Claim Rules...
12. A window of Edit Claim Rules for [Relying Party Trust] will open. At Issuance Transform Rules tab, click on Add Rule...
i. Enter Claim rule name.
ii. Select Active Directory as the Attribute store from the dropdown list.
iii. Start Mapping LDAP attributes to outgoing claim types.
iv. Click on Finish.
15. At Edit Claim Rules for [Relying Party Trust] window, click on Add Rule... again to add another claim rule.
16. Add Transform Claim Rule Wizard will open. At Choose Rule Type screen, select Pass Through or Filter an Incoming Claim as the Claim rule template from the dropdown list.
17. Click Next > to proceed.
i. Enter Claim rule name.
ii. Select Incoming claim type from the dropdown list.
iii. Click on Finish.
19. The Claim rule will be successfully added.
20. Repeat the same steps to add more claim rules as given below. Once done:
i. Click on Apply to save changes.
ii. Click OK to close the window.
Outgoing Claim Type
Token-Groups - Qualified by Domain Name
Service Provider Configuration in VIDIZMO
Once you are done with the mapping, you need to provide following information regarding your ADFS implementation to VIDIZMO support team at firstname.lastname@example.org
1. At ADFS Management Console:
Click on WS-Federation Identity Providers for more details.
2. Realm: uniquely identify that ACS identity provider uses during protocol transactions. Click on WS-Federation Identity Providers for more details.
3. A Test Active Directory accounts with minimum privileges to successfully authenticate. This is optional and only required if you would like VIDIZMO to test and validate Singe Sign On function.
You can send this information via email to email@example.com and/or the VIDIZMO account manager you are engaged with. VIDIZMO implementation team will use this information to configure Single Sign-on with your VIDIZMO account. This involves:
- Configuration of ACS rule
- Testing & Validation of rule
- Testing & Validation of SSO function
Once completed, the Corporate Login button will appear on the Sign In page. Click on it.
You will redirect to the organization's login page.
After successfully signing in, you will redirect to Channel's Homepage.