Active Directory Federation Services (AD FS) is a service that facilitates direct Single Sign On when using Active Directory (AD). AD FS can be installed on your Windows Server and can provide an AD FS bridge which connects an external system (in this case your Activate LMS) with the user information in your Active Directory. You can read more about AD FS in this article: https://msdn.microsoft.com/en-us/library/bb897402.aspx.
Please note that login is still possible for external users that are registered in your Activate LMS but not in your AD. AD FS can also be used with automatic user sync, but that may cause issues if you also use user creation "on the fly" (where users are created the first time they log in).
The configuration of an AD FS bridge requires assistance from an Activate LMS consultant, so please contact us using this form.
Configuration of the AD FS Bridge
Prior to starting the configuration of your AD FS Bridge, there are a few things you need to know or decide first:
- The name of the AD FS Bridge that you wish to configure. This address needs to be added to your Relying Party Trusts in your AD FS Management. Example: https://adfsLogin.yourDomain.com
- A URL to your ADFSMetadata.xml file. Please note that this address is case-sensitive.
- A URI used as the identifier when setting up your Relying Party Trust. This can be the same as the name in item 1.
- A list of domains that need to be redirected. Example: yourCompany.com, yourCompany.co.uk, yourCompany.dk. This is needed if users with different domains will be using the same AD FS Bridge.
- If your AD FS is offline, we need to know, since validation will then go through your users' PCs instead, which requires a customised solution. This might seem a little odd, but in this case we need the path to an image file, used to validate that the user is connected to the AD FS. Example: https://adfs.domain.local/adfs/portal/logo/logo.png.
Configuration of Relying Party Trusts
Now we need to configure your AD FS Bridge as a relying party in your AD FS Management. Please note that in this example all configuration is done on Windows Server 2012 R2.
- First, navigate to the Relying Party Trusts folder (found under AD FS/Trust Relationships/Relying Party Trusts).
- You can now right click on the folder, and continue by clicking Add Relying Party Trust.
- Now a wizard will open. Click next immediately on the welcome page, and select Enter data about the relying party manually.
- Enter the name of your AD FS Bridge in the Display name field.
- Select AD FS profile.
- Continue on the next screen without specifying anything further.
- Check Enable support for the WS-Federation Passive protocol and type in the URL of your AD FS Bridge in Relying Party WS-Federation Passive protocol URL. Please note that on newer versions of AD FS both the WS-Federation Passive endpoint and the SAML Assertion Consumer endpoint should be configured.
- Now you must add the URI used as the identifier (this can be the same as your AD FS Bridge's name/URL).
- Select I do not want to configure multifactor authentication settings for this relying party trust at this time.
- Select Permit all users to access this relying party.
- Continue on the next screen without specifying anything further.
- Check Open the Edit Claim Rules dialog for this relying party trust when the wizard closes. This will open a new dialog when the wizard closes.
- In the new dialog, select Add Rule.
- Select Send LDAP Attributes as Claims in the Claim rule template dropdown menu.
- Type in the AD FS Bridge name in Claim Rule Name, and specify Attribute store as Active Directory and Mapping of LDAP attributes to outgoing claim types as: Display-Name -> Name and User-Principal-Name -> UPN. The details of these types can be seen in the next paragraph regarding claims.
- Great success! Your AD FS Bridge has now been configured.
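The same relying party trust can be created with the AD FS PowerShell module instead of the wizard. The script below is an added example, not part of the Activate LMS article or the Activate LMS product; the bridge name, URL and identifier are the placeholder values from the list above, and the claim rule it installs is the "Send LDAP Attributes as Claims" rule from the step above (Display-Name -> Name, User-Principal-Name -> UPN) written in the AD FS claim rule language.

```powershell
# Added example (not from the Activate LMS article): create the relying party
# trust for the AD FS Bridge with PowerShell instead of the GUI wizard.
# The names and URLs are placeholders taken from the article; replace them.
Import-Module ADFS

$bridgeName = 'adfsLogin.yourDomain.com'            # Display name of the AD FS Bridge
$bridgeUrl  = 'https://adfsLogin.yourDomain.com/'   # WS-Federation Passive protocol URL (must be https)
$identifier = 'https://adfsLogin.yourDomain.com/'   # Relying party identifier (can equal the bridge URL)

# Issuance transform rule: "Send LDAP Attributes as Claims" from the
# Active Directory attribute store, mapping
#   Display-Name         -> Name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)
#   User-Principal-Name  -> UPN  (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "adfsLogin.yourDomain.com"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";displayName,userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $bridgeName `
    -Identifier $identifier `
    -WSFedEndpoint $bridgeUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the result: Identifier and WSFedEndpoint must match the values the
# Activate LMS consultant configures on the bridge side, character for character.
Get-AdfsRelyingPartyTrust -Name $bridgeName |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

Run this in an elevated PowerShell session on the AD FS server. Keeping the rules in source-controlled text like this also makes it easy to review exactly which attributes leave your AD: only displayName and userPrincipalName are issued here, which is all the bridge needs.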
Details of Claims
Claims are the medium used for communication between your AD FS and Activate LMS. When configuring SSO, the most interesting fields are:
- Name: Name of the user. Often only used in debugging.
- User Principal Name (UPN): A unique key used to relate users in your Activate LMS and AD. This can be the user's email, but we do not recommend this under normal circumstances.
- Email, GivenName, SurName etc.
Passwords
When a user is created in Activate LMS using AD FS, Activate LMS will generate a separate password for use only on Activate LMS. This password has nothing to do with the password used in your AD. The password can be used for external login (login without using AD FS). If you wish that your users will only be able to log in using AD FS, it is possible to hide this feature from your users.
Troubleshooting
When configuring an AD FS Bridge you can, in general, experience three types of errors:
- Your AD FS Bridge can't find the file used for testing the connection to your AD FS. The consequence is that no validation is done, meaning you can't enter your Activate LMS.
Solution: Test the URL in a different browser, and make sure you're using https, since AD FS uses https (and not only http).
- Your AD FS Bridge can find the file used for testing the connection to your AD FS, but you still get an error.
Solution: This one is hard to handle, but the problem may be caused by a bad configuration of the realm in your AD FS or web.config, or the server is faulty.
- You're logged in using AD FS, but the user can't be found in your Activate LMS. When trying to log in, your Activate LMS shows an error ("The user does not exist.") on this page: /Home/ErrorGetLink.
Solution: Create the user manually in your Activate LMS, and make sure the information matches the user's information in your AD.
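The first two errors above both come down to whether the bridge can reach your AD FS over https and whether the realm it is configured with matches what AD FS advertises. The script below is an added example, not part of the Activate LMS article or product: it checks the metadata URL and the connection-test image over https from a client PC and reads the federation service identifier out of the metadata. The host names are placeholders, and the metadata path is the default one AD FS publishes its metadata on; if your ADFSMetadata.xml URL differs, use that instead and keep its exact letter case.

```powershell
# Added example (not from the Activate LMS article): connectivity checks for
# the two URLs the AD FS Bridge depends on. Host names are placeholders.
$metadataUrl = 'https://adfs.yourDomain.com/FederationMetadata/2007-06/FederationMetadata.xml'
$logoUrl     = 'https://adfs.domain.local/adfs/portal/logo/logo.png'   # only used in the offline AD FS case

function Test-BridgeUrl {
    param([Parameter(Mandatory)][string]$Url)

    # The bridge requires https; report a plain http URL before trying anything.
    if ($Url -notmatch '^https://') {
        return [pscustomobject]@{ Url = $Url; Ok = $false; Detail = 'not an https URL' }
    }
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{
            Url    = $Url
            Ok     = ($response.StatusCode -eq 200)
            Detail = "HTTP $($response.StatusCode), $($response.Content.Length) bytes"
        }
    } catch {
        # DNS failures, certificate errors and 404s (for example a wrong letter
        # case in the metadata path, which is case-sensitive) all end up here.
        [pscustomobject]@{ Url = $Url; Ok = $false; Detail = $_.Exception.Message }
    }
}

$results = @(Test-BridgeUrl $metadataUrl; Test-BridgeUrl $logoUrl)
$results | Format-Table -AutoSize

# If the metadata is reachable, print the identifier AD FS advertises; the
# realm configured on the bridge (and in web.config) must match this value.
$metaOk = $results | Where-Object { $_.Url -eq $metadataUrl -and $_.Ok }
if ($metaOk) {
    $xml = [xml](Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
    "Federation metadata entityID: $($xml.EntityDescriptor.entityID)"
}
```

A failing logo check with a working metadata check usually points at the offline AD FS scenario from the first list (the image is only reachable from the internal network), while a failing metadata check with a certificate error in the Detail column means the client does not trust the AD FS service certificate, which a browser test alone can hide behind a "continue anyway" prompt.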