ADFS is Microsoft's Single Sign-On (SSO) solution and a popular web-based authentication service. It is primarily used to provide one set of login credentials, i.e. a username and password, for access to multiple applications and sites that are not necessarily hosted within the same domain.


To integrate your corporate Active Directory with a third-party application, you need to set up the ADFS role, which provides SSO so that users can log in to the application with their Active Directory credentials.


This article uses the SAML-P protocol for authentication.


The configuration consists of the following two sections, each of which gives detailed configuration steps:


  • Relying Party Configuration in ADFS
  • Service Provider Configuration in VIDIZMO



Relying Party Configuration in ADFS


1. Run Remote Desktop Connection on your machine:


i. Enter the IP address of the computer you want to connect to remotely.

ii. Click on Connect.




2. The ADFS Management Console will open after successful connection:


i. Click on Tools.

ii. Select AD FS Management from the dropdown list.




3. At AD FS Console:


i. Click on Trust Relationships.

ii. Select Relying Party Trusts under it.

iii. Now click on Add Relying Party Trust... to add a new relying party.




4. The Add Relying Party Trust Wizard will run. Click on Start to begin.




5. At the Select Data Source screen, select the option the wizard will use to obtain data about the relying party:


i. Select Enter data about the relying party manually option.

ii. Click Next >.




6. At Specify Display Name screen:


i. Enter a suitable Display name.

ii. Click Next > to proceed.




7. In this step, we have to choose a profile for our relying party trust. As this is done using the SAML protocol:


i. Select AD FS profile.

ii. Click Next.




8. The next step is Configure Certificate. As the token encryption certificate is not supported by VIDIZMO, it is recommended to leave it blank. Click Next to proceed to the next step of the wizard.




9. At Configure URL, which sets up SAML-P:


i. Select the Enable support for the SAML 2.0 WebSSO protocol checkbox.

ii. Enter the Relying Party SSO Service URL, which will be: https://[your VIDIZMO domain]/handlers/signinhandler.ashx

iii. Click Next > to proceed.




10. At Configure Identifiers screen:


i. Enter the Relying party trust identifier. Note that this is your VIDIZMO account domain without the http or https protocol prefix, for instance lexcorptrainings.enterprisetube.com.

ii. Click Add.




11. The Relying party trust identifier is successfully added. Click Next > to proceed.




12. There is no need to configure multi-factor authentication, therefore:


i. Select the option I do not want to configure multi-factor authentication setting for this relying party trust at this time.

ii. Click Next > to proceed.




13. At the Choose Issuance Authorization Rules screen:


i. Select the Permit all users to access this relying party option.

ii. Click Next >.




14. You are about to add the relying party trust. You can review the settings at this stage and click Previous to go back and make changes if required. Click Next to continue.




15. The Relying Party Trust is successfully added. Click Close.


Note: Make sure the checkbox Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected.




16. Another window of Edit Claim Rules for [Relying Party Trust] will open. At Issuance Transform Rules tab, click on Add Rule...




17. The Add Transform Claim Rule Wizard will open. At the Choose Rule Type screen, select Send LDAP Attributes as Claims as the Claim rule template from the dropdown list. Click Next > to proceed.




18. You will move on to Configure Claim Rule screen:


i. Enter Claim rule name.

ii. Select Active Directory as the Attribute store from the dropdown list.

iii. Map LDAP attributes to outgoing claim types as listed below.


The LDAP Attribute column lists the attributes available from Active Directory, and Outgoing Claim Type is the claim type under which each value is sent to VIDIZMO.


LDAP Attribute                     Outgoing Claim Type
E-Mail-Addresses                   User.Email
Given-Name                         User.FirstName
Surname                            User.LastName
User-Principal-Name                Primarysid
Token-Groups – Unqualified Names   Groups




19. Once all the LDAP Attributes to outgoing claim types are added, click Finish.



20. The Claim Rule is successfully added:


i. Click on Apply to save changes.

ii. Click OK to close the screen.




21. Now at AD FS Management Console:


i. Click on Service.

ii. Click on Edit Federation Service Properties...




22. The Federation Service Properties window will open. Copy the Federation Service Name; it will be used during the configuration in VIDIZMO.
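The relying party trust built by the wizard above, expressed with the AD FS PowerShell cmdlets. This is an added example and not part of the VIDIZMO article: $VidizmoDomain and $DisplayName are placeholders to replace, the LDAP attribute names are the directory names behind the wizard's display names, and the POST binding for the SSO service URL is an assumption.

```powershell
# Added example (not from the VIDIZMO article): the wizard steps 5-20 as AD FS cmdlets.
Import-Module ADFS

$VidizmoDomain = "lexcorptrainings.enterprisetube.com"   # placeholder: your account domain, no scheme
$DisplayName   = "VIDIZMO"                                # step 6: display name
$AcsUrl        = "https://$VidizmoDomain/handlers/signinhandler.ashx"   # step 9: SSO service URL

# Step 9: SAML 2.0 WebSSO endpoint (assertion consumer; POST binding assumed).
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Steps 17-18: "Send LDAP Attributes as Claims" rule in the claim rule language.
# E-Mail-Addresses -> mail, Given-Name -> givenName, Surname -> sn,
# User-Principal-Name -> userPrincipalName, Token-Groups - Unqualified Names -> tokenGroups.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "VIDIZMO claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("User.Email", "User.FirstName", "User.LastName", "Primarysid", "Groups"),
          query = ";mail,givenName,sn,userPrincipalName,tokenGroups;{0}",
          param = c.Value);
'@

# Step 13: "Permit all users to access this relying party".
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 7-10: AD FS profile, no encryption certificate, identifier = bare account domain.
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Identifier $VidizmoDomain `
    -SamlEndpoint $samlEndpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Step 22: the Federation Service Name to paste into VIDIZMO's Trusted Domains.
(Get-AdfsProperties).HostName
```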




Service Provider Configuration in VIDIZMO


1. At Account/Channel Homepage, go to Admin >> Settings.




2. At Settings page, click on Login tab.




3. Click on Enable under the Corporate Login box.




4. Select Identity Provider (SAMLP) from the dropdown list.




5. Now: 


i. Enter the Login URL of ADFS, for example https://adfs.vidizmo.com/adfs/ls/. The URL must end with "/".

ii. Enter the Sign-In Caption.

iii. Enter the Sign-In Caption Tooltip, which is shown on the sign-in page of the application.

iv. Click the Next (>) icon.




6. Here:


i. Enter the SAMLP Request given below.

ii. Click on Next (>) icon.


For HTTP accounts:


<samlp:AuthnRequest ID="_4d7cb64d-d38e-46fd-ac87-2671d4173eaf"
                    Version="2.0"
                    IssueInstant="2013-04-22T08:24:03Z"
                    AssertionConsumerServiceURL="http://[VIDIZMO Account URL]/handlers/signInhandler.ashx"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[VIDIZMO Account URL]</saml:Issuer>
</samlp:AuthnRequest>


For HTTPS accounts:


<samlp:AuthnRequest ID="_4d7cb64d-d38e-46fd-ac87-2671d4173eaf"
                    Version="2.0"
                    IssueInstant="2013-04-22T08:24:03Z"
                    AssertionConsumerServiceURL="https://[VIDIZMO Account URL]/handlers/signInhandler.ashx"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[VIDIZMO Account URL]</saml:Issuer>
</samlp:AuthnRequest>


  Note: Replace [VIDIZMO Account URL] with the URL of your Account/Channel. IssueInstant must be a UTC timestamp in the form YYYY-MM-DDThh:mm:ssZ.
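A consistency check for the SAMLP Request before it is pasted into VIDIZMO, added here as an example that is not part of the VIDIZMO article. The function and the filled-in sample are constructed; $ExpectedIdentifier is assumed to be the relying party trust identifier from step 10 of the ADFS section (the bare account domain), which is what AD FS matches the Issuer against.

```powershell
# Added example (not from the VIDIZMO article): validate the SAMLP Request template.
function Test-VidizmoAuthnRequest {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [Parameter(Mandatory)][string]$ExpectedIdentifier   # relying party trust identifier (step 10)
    )
    $problems = @()
    try { $doc = [xml]$Xml } catch { return @("Not well-formed XML: $($_.Exception.Message)") }
    $req = $doc.DocumentElement

    if ($req.LocalName -ne 'AuthnRequest' -or $req.NamespaceURI -ne 'urn:oasis:names:tc:SAML:2.0:protocol') {
        $problems += 'Root element is not samlp:AuthnRequest'
    }
    if ($req.GetAttribute('Version') -ne '2.0') { $problems += 'Version must be 2.0' }

    # IssueInstant is an xs:dateTime in UTC (e.g. 2013-04-22T08:24:03Z); a month of 24 or a
    # one-digit hour does not parse.
    $instant = [datetime]::MinValue
    $valid = [datetime]::TryParseExact($req.GetAttribute('IssueInstant'), "yyyy-MM-dd'T'HH:mm:ss'Z'",
        [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::AssumeUniversal, [ref]$instant)
    if (-not $valid) { $problems += "IssueInstant '$($req.GetAttribute('IssueInstant'))' is not a valid UTC timestamp" }

    # AD FS selects the relying party trust by the Issuer, so it must equal the trust identifier,
    # and the assertion consumer URL must be the signin handler on that same account domain.
    $issuerNode = $req.ChildNodes | Where-Object { $_.LocalName -eq 'Issuer' } | Select-Object -First 1
    $issuer = if ($issuerNode) { $issuerNode.InnerText.Trim() } else { '' }
    if ($issuer -ne $ExpectedIdentifier) { $problems += "Issuer '$issuer' does not match identifier '$ExpectedIdentifier'" }
    $acs = $null
    if (-not [uri]::TryCreate($req.GetAttribute('AssertionConsumerServiceURL'), [UriKind]::Absolute, [ref]$acs) -or
        $acs.Host -ne $ExpectedIdentifier -or $acs.AbsolutePath -notmatch '/handlers/signinhandler\.ashx$') {
        $problems += "AssertionConsumerServiceURL is not the signin handler on '$ExpectedIdentifier'"
    }
    return ,$problems
}

# Constructed sample: the HTTPS template above with [VIDIZMO Account URL] filled in.
$sample = @'
<samlp:AuthnRequest ID="_4d7cb64d-d38e-46fd-ac87-2671d4173eaf" Version="2.0" IssueInstant="2013-04-22T08:24:03Z" AssertionConsumerServiceURL="https://lexcorptrainings.enterprisetube.com/handlers/signInhandler.ashx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">lexcorptrainings.enterprisetube.com</saml:Issuer></samlp:AuthnRequest>
'@
$problems = Test-VidizmoAuthnRequest -Xml $sample -ExpectedIdentifier 'lexcorptrainings.enterprisetube.com'
if ($problems.Count -eq 0) { 'SAMLP Request is consistent with the relying party trust' } else { $problems }
```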




7. Here:


i. Select the Enabled SAMLP Request checkbox.

ii. Click on Done.




8. Now click Enable under the Trusted Domains box.




9. At Trusted Domains:


i. Enter the Federation Service Name copied in Step 22 of the ADFS configuration, e.g. adfs.vidizmo.com.

ii. Select Allow embedding on above domain(s) only checkbox.

iii. Click on Done.




10. Click on Update to save changes.

 



11. A message will appear stating: Channel details have been updated successfully. SSO has now been set up using ADFS 3.0.




Result


1. At the top menu bar, click on Sign In.




2. At Sign In page, click on ADFS 3.0 to sign into an Account/Channel.




3. You will be redirected to the Channel Homepage.




Roles


Administrator, Manager.