Configuring ADFS

The following outlines the configuration required in Active Directory Federation Services (ADFS) to enable Single Sign-On (SSO).

Table of Contents

Table of Contents
#1.-adfs-configuration
#2.-claim-issuance-policy
#3.-cinchy-configuration

1. ADFS Configuration

1. On your ADFS Server, Open AD FS Management.

2. Right-click on Relying Party Trusts and select Add Relying Party Trust to launch the Add Relying Party Trust Wizard (Image 1).

Image 1: Add Relying Party Trust Wizard

3. In the ADFS Wizard, select Claims Aware > Start > Select Data Source

4. Select Enter Data About the Relying Part Manually > Next

5. Under Specify Display Name, enter a Display Name of your choice

6. Under Configure Certificates, do not choose any certificates

7. Under Configure URL, Select Enable support for the SAML 2.0 SSO Web SSO protocol.

8. Enter your Login URL in the below format:

https://<cinchy-sso-URL>/Saml2/Acs

9. Under Configure Identifiers, choose an Identifier

10. Select Next until the process finishes.

2. Claim Issuance Policy

1. To begin configuring you Claim Issuance policy, Right-click on the Relying Party Trust you just created (look for the Display Name) and click Edit Claim Issuance Policy.

2. Click on Add Rule > Claim Rule > Send LDAP Attributes as Claims.

3. Add your Claim Rule Name

4. Under Attribute Store, choose Active Directory. Map the LDAP attribute to the following outgoing claim types:

LDAP Attribute	Outgoing Claim Type	Comments
User-Principal-Name	Name ID
SAM-Account-Name	sub	subwill need to be typed manually, make sure it does not autocomplete to something else like subject.
Given-Name	Given Name	Necessary for Automatic User Creation
Surname	Surname	Necessary for Automatic User Creation
E-Mail-Address	E-Mail Address	Necessary for Automatic User Creation
Is-Member-Of-DL	Role	Necessary for Automatic User Creation

Image 2: Add Transform Claim Rule Wizard

4. Click Finish.

5. Click on Edit Rule.

6. Click on View Rule Language and copy out the Claim URLs for the claims defined. This information will be needed in a later step to configure your Cinchy appsettings.json. This will look something like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
  => issue(store = "Active Directory",
           types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                    "sub",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
           query = ";userPrincipalName,sAMAccountName,givenName,sn,mail,memberOf;{0}",
           param = c.Value);

7. Click OK to save the rule.

8. Right-click on Relying Party Trust > Properties.

9. Go to the Advanced tab and set the secure hash algorithm to SHA-256 (Image 3).

Image 3: Set the secure hash algorithm to SHA-256

3. Cinchy Configuration

Everything below is case sensitive and must match whatever is specified in your SAML IdP configuration.

1. Open https://<your.AD.server>/FederationMetadata/2007-06/FederationMetadata.xml in a browser and save the XML file in the cinchysso folder.

2. Open IIS Manager and create an HTTPS binding on the Cinchy site (if necessary).

3. Go to sso site and bind HTTPS with it. Make sure to use the same port as the login URL above if specified.

Cinchy appsettings.json

AppSettings Section

Attribute	Value
CinchyLoginRedirectUri	https://<cinchy-sso-URL>/Account/LoginRedirect
CinchyPostLogoutRedirectUri	https://<Cinchy-Web-URL>
CertificatePath	<Path to cinchysso>\\cinchyidentitysrv.pfx
SAMLClientEntityId	Relying party identifier from Relying Party Trust above
SAMLIDPEntityId	http://<AD-Server>/adfs/services/trust Your FederationMetadata.xml will have this near the beginning. Note that this is the entityID, not the ID.
SAMLMetadataXmlPath	<Path to cinchysso>\\FederationMetadata.xml This is the location where you placed the FederationMetadata.xml in step 1.
SAMLSSOServiceURL	This value can be found in the Location attribute from the FederationMetaData.xml file, and is also the same Login URL that you input in Section 1, Step 8 of this guide. It is formatted as follows: https://<AD-Server>/Saml2/Acs Example: https://<cinchy-sso-URL>/Saml2/Acs
AcsURLModule	/Saml2
MaxRequestHeadersTotalSize	Integer Bytes to set the max request header to. If the default (likely 32kb) does not work, you may have to set this larger to accommodate a large number of groups.
MaxRequestBufferSize	Integer This should be equal or larger than your header's total size above.
MaxRequestBodySize	Integer If any of these values are -1 they will use the default. It is not necessary to change the body size.

External Identity Claim Section

You will need the Rule Language URLs you copied out from the ADFS Configuration above. Using the same example as above, we would get the following (replace with your own URLs).

{
  "AppSettings": {
    ...
    },
  "ExternalIdentityClaimSection": {
    "FirstName": {
      "ExternalClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    },
    "LastName": {
      "ExternalClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    },
    "Email": {
      "ExternalClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    },
    "MemberOf": {
      "ExternalClaimName": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    }
  }
}

Web.config

Add the 3 following lines to your web.config within the appSettings section:

<appSettings>
  ...
  <add key="UseHttps" value="true" />
  <add key="StsAuthorityUri" value="https://<your.cinchy.url>" />
  <add key="StsRedirectUri" value="https://<your.cinchysso.url>/Account/LoginRedirect" />
  ...
</appSettings>