
Steps to configure SAML 2.0 SSO with Microsoft Active Directory Federation Services


Note: this applies to ADFS 2.0 on Windows Server 2008 R2 or ADFS 3.0 on Windows Server 2012 / 2012 R2.

SAML 2.0 single sign-on (SSO) supports integration with Microsoft Active Directory Federation Services (ADFS) 3.0.

Requirements

  • A fully installed and configured ADFS service.

  • A server running Windows Server 2008 R2 or 2012 / 2012 R2.

  • An SSL certificate used to sign your ADFS login page, and the thumbprint of that certificate.

In this example we are using ADFS 2.0 on Windows Server 2008 R2. On Windows Server 2012 the steps are the same except for the installation: there you install the AD FS role via Server Manager rather than via the separate installation package used on Windows Server 2008 R2.

Step 1. AD FS Management

Log in to your AD FS server and launch the ADFS Management Console via the shortcut in Control Panel\Administrative Tools.


Step 2. Check AD FS settings

Right-click on Service and select Edit Federation Service Properties...


Confirm that the General settings match your DNS entries and certificate names. Make a note of the Federation Service Identifier, since it is used in the iSpring Learn SAML 2.0 configuration settings.


Step 3. Token-Signing certificate

  1. Browse to the Certificates node and locate the Token-Signing certificate.

  2. Right-click on the certificate and select View Certificate.

  3. Go to the Details tab.

  4. Find the Thumbprint field and copy its contents to the Windows clipboard.


Step 4. Learn Settings

  1. Log in to your iSpring Learn account and go to the SSO settings via this link: https://YourAccountURL.ispringlearn.com/settings/sso

  2. Insert your Thumbprint into the Certificate Fingerprint field and remove all spaces between the characters.

  3. Enter your data in the Metadata URL, Sign On URL and Logout URL fields.


Step 5. ADFS Relying Party Configuration

Go to the ADFS Management console, select Relying Party Trusts, right-click on it and select Add Relying Party Trust…


Click Next on the Welcome screen of the wizard, and on the Select Data Source step select the last option: Enter data about the relying party manually.


On the next screen, enter a Display name that you will recognize in the future.


Next, select AD FS profile:


Leave the default values:


On the next screen, check the box labeled Enable support for the SAML 2.0 WebSSO protocol. The service URL will be: https://YourAccountURL.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp


Click Next. Add the relying party trust identifier: https://YourAccountURL.ispringlearn.com/module.php/saml/sp/metadata.php/default-sp


Choose Permit all users to access this relying party.


On the next step, just click Next.


On the final screen, check the box Open the Edit Claim Rules dialog and use the Close button to exit.


Step 6. Creating Claims Rules

  1. Add the first rule.


  2. Select Send LDAP Attributes as Claims.


  3. On the next screen, give your Claim Rule a name, for example E-mail to Learn, choose Active Directory as your attribute store, and do the following:

    • In the LDAP Attribute column, select E-Mail Addresses

    • In the Outgoing Claim Type column, enter email

    • Click on Finish or OK to save the new rule

  4. After that, add the second rule and select Transform an Incoming Claim as the template.


    • Give your Claim Rule a title, for example, Transform Account Name

    • Select Windows account name as the Incoming Claim Type

    • Under Outgoing Claim Type, select Name ID

    • Under Outgoing Name ID Format, select Transient Identifier

    • Leave the default option Pass through all claim values

  5. Finally, click on OK to create the claim rule, and then OK again to finish creating rules.
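The same configuration can be scripted. The following is an added example (not iSpring's or Microsoft's own script) that performs Steps 2, 3, 5 and 6 from the ADFS PowerShell module on Windows Server 2012 R2 (ADFS 3.0; on ADFS 2.0 the cmdlets live in the Microsoft.Adfs.PowerShell snap-in under the same names). It assumes the account host YourAccountURL.ispringlearn.com is replaced with your real Learn address and names the trust "iSpring Learn"; the claim rules are written in the claim rule language the wizard generates for the two templates chosen above.

```powershell
# Added example: configure the iSpring Learn relying party trust from PowerShell.
# Assumes ADFS 3.0 (Windows Server 2012 R2) and a placeholder Learn host that you replace.
Import-Module ADFS

$learnHost    = "YourAccountURL.ispringlearn.com"   # placeholder, replace with your account host
$spIdentifier = "https://$learnHost/module.php/saml/sp/metadata.php/default-sp"   # Step 5 identifier
$acsUrl       = "https://$learnHost/module.php/saml/sp/saml2-acs.php/default-sp"  # Step 5 service URL

# Step 2: the Federation Service Identifier that Learn's SAML settings need
$fsIdentifier = (Get-AdfsProperties).Identifier

# Step 3: thumbprint of the *primary* token-signing certificate; Step 4 wants it without spaces
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$fingerprint  = $tokenSigning.Thumbprint -replace '\s', ''

Write-Host "Federation Service Identifier : $fsIdentifier"
Write-Host "Certificate Fingerprint       : $fingerprint"
Write-Host "Token-signing cert expires    : $($tokenSigning.Certificate.NotAfter)"

# Step 6, rule 1 (Send LDAP Attributes as Claims): AD "mail" attribute -> outgoing claim type "email"
# Step 6, rule 2 (Transform an Incoming Claim): Windows account name -> Name ID, transient format
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail to Learn"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Account Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Step 5 authorization choice: "Permit all users to access this relying party"
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 5: SAML 2.0 WebSSO support means an assertion consumer endpoint at the Learn service URL
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name "iSpring Learn" `
    -Identifier $spIdentifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules
```

Run it in an elevated PowerShell session on the federation server. The two values printed at the top are what you paste into the Learn SSO settings in Step 4; the rest creates the trust with exactly the endpoint, identifier and claim rules the wizard steps above produce.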

Step 7. Adjusting the Trust Settings

Some settings on your Relying Party Trust will need to be adjusted. To access these settings, select Properties from the Actions sidebar on the right while you have the Relying Party Trust selected.

Step 8. Logging in

Go to your SSO login page: https://YourAccountURL.ispringlearn.com/sso/login and enter your credentials.
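Before handing the integration to users, it is worth reviewing the trust created in Step 5 and, if the test login in Step 8 fails, reading what the federation service logged. The following is an added example (not iSpring's or Microsoft's script) for ADFS 3.0 on Windows Server 2012 R2; it assumes a trust named "iSpring Learn" and the placeholder Learn host used in this article.

```powershell
# Added example: review the Learn relying party trust and pull recent AD FS errors.
# Assumes ADFS 3.0 (Windows Server 2012 R2), a trust named "iSpring Learn" and a placeholder host.
Import-Module ADFS

$trust = Get-AdfsRelyingPartyTrust -Name "iSpring Learn"
if (-not $trust) { throw "Relying party trust 'iSpring Learn' not found" }

# Settings that decide how assertions for Learn are signed and scoped (Step 7)
$trust | Select-Object Name, Enabled, Identifier, SignatureAlgorithm, SamlResponseSignature,
    EncryptClaims, SignedSamlRequestsRequired, NotBeforeSkew | Format-List

# Every SAML endpoint must point at the Learn account host; anything else is a misconfiguration
$learnHost = "YourAccountURL.ispringlearn.com"   # placeholder, replace with your account host
foreach ($ep in $trust.SamlEndpoints) {
    $hostOk = ([Uri]$ep.Location).Host -eq $learnHost
    "{0,-24} {1,-6} {2} [{3}]" -f $ep.Protocol, $ep.Binding, $ep.Location,
        $(if ($hostOk) { "OK" } else { "UNEXPECTED HOST" })
}

# Learn pins the token-signing certificate by fingerprint (Step 4), so a certificate rollover
# breaks SSO until the fingerprint in Learn is updated: report expiry and the rollover setting
$signing  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$daysLeft = ($signing.Certificate.NotAfter - (Get-Date)).Days
"Primary token-signing cert $($signing.Thumbprint) expires in $daysLeft days"
if ((Get-AdfsProperties).AutoCertificateRollover) {
    "AutoCertificateRollover is ON: update the Certificate Fingerprint in Learn when ADFS rolls the certificate"
}

# Step 8 troubleshooting: errors the federation service logged in the last hour
Get-WinEvent -FilterHashtable @{ LogName = "AD FS/Admin"; Level = 2; StartTime = (Get-Date).AddHours(-1) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

On ADFS 2.0 (Windows Server 2008 R2) the event log is named "AD FS 2.0/Admin" instead of "AD FS/Admin". A failed test login usually shows up here as a claim rule or signature problem against the "iSpring Learn" trust, which points you back to Step 6 or Step 4 respectively.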
