Validaide supports Single Sign-On (SSO) with Microsoft Active Directory Federation Services (ADFS). Setting up SSO with ADFS in Validaide is 'self-service' meaning that an Administrator can configure SSO using ADFS themselves in the 'Administration' section of Validaide.
Please note the following:
- In order to set up SSO using ADFS, you will need to add Validaide as an application to your ADFS. If you do not have access to ADFS yourself, you will need to reach out to your IT department and ask them for support. You can provide the URL of this article to them for assistance, as it contains the Realm Identifier and Endpoint URI that they will require.
- Once you enable SSO, none of your company's users can log in with their original Validaide credentials any longer. If the SSO setup is incorrect, your users will not be able to log in to Validaide, and you yourself might lose access as well. If this happens, reach out to support@validaide.com so we can help troubleshoot the problem or disable SSO for you.
Technical Implementation
Validaide uses a third-party service called Auth0 for authenticating users in Validaide, and the SSO implementation of Validaide is built around Auth0's concept of 'Enterprise Connections'. More information about Auth0 ADFS Enterprise Connections can be found in Auth0's documentation.
Process
The process to configure SSO using ADFS consists of the following steps:
- ADFS: Add a Relying Party Trust
- ADFS: Add a Claim Issuance Policy Rule
- Validaide: Enable SSO with ADFS
- Validaide: Test SSO
At the end of the ADFS steps, the following information is required to establish the SSO integration:
- Domain (the domain of your company, e.g. 'acme.com')
- Federation Metadata URL (the URL of your federation XML file, e.g. 'https://auth.acme.com/FederationMetadata/2007-06/FederationMetadata.xml')
- (optional) Identity Provider Domains (a comma-separated list of domains, e.g. 'acme2.com,new-acme.com')
As input, you will need to use the following information from the Validaide application:
- Realm Identifier: urn:auth0:validaide
- Endpoint URI: https://validaide.eu.auth0.com/login/callback
Step 1: ADFS: Add a Relying Party Trust
- Open the ADFS Management Console.
- On the right side of the console, click Add Relying Party Trust.
- Click Start.
- Select Enter data about the relying party manually, and click Next.
- Type a name (such as Validaide), and click Next.
- Use the default (ADFS 2.0 profile), and click Next.
- Use the default (no encryption certificate), and click Next.
- Check Enable support for the WS-Federation..., and fill in the Endpoint URI.
- Click Next.
- Add a Relying Party Trust identifier with the Realm Identifier.
- Click Add, and then Next.
- Leave the default Permit all users..., and click Next.
- Click Next, and then Close.
Step 2: ADFS: Add a Claim Issuance Policy Rule
- For Windows Server 2019, the Edit Claim Issuance Policy dialog box automatically opens when you finish the Add Relying Party Trust wizard.
- In the Edit Claim Issuance Policy window, under Issuance Transform Rules, click Add Rule....
- Leave the default Send LDAP Attributes as Claims.
- Give the rule a name that describes what it does.
- Under Attribute Store, select Active Directory.
- Select these mappings under Mapping of LDAP attributes to outgoing claim types, and click Finish.

  LDAP Attribute        Outgoing Claim Type
  E-Mail-Addresses      E-mail Address
  Display-Name          Name
  User-Principal-Name   Name ID
  Given-Name            Given Name
  Surname               Surname
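The same relying party trust and claim rule can be created from PowerShell on the federation server, which makes the configuration reviewable and repeatable. This is an added example, not part of the Validaide article or Auth0's documentation; the Realm Identifier, Endpoint URI and attribute mappings are the values the article gives, while the trust name and rule name are assumptions.

```powershell
# Added example: scripted equivalent of Steps 1 and 2 using the Windows ADFS module.
# Run in an elevated PowerShell session on the primary ADFS server.
Import-Module ADFS

$rpName   = "Validaide"                                         # display name (assumption)
$realm    = "urn:auth0:validaide"                               # Realm Identifier from the article
$endpoint = "https://validaide.eu.auth0.com/login/callback"     # Endpoint URI (WS-Fed passive)

# Issuance transform rule: the article's LDAP-attribute-to-claim table as a single
# "Send LDAP Attributes as Claims" rule. Attribute order in 'query' must match 'types'.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Validaide LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,displayName,userPrincipalName,givenName,sn;{0}",
          param = c.Value);
'@

# Issuance authorization rule: the wizard's default "Permit all users".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust only if it does not exist yet, so re-running the script is safe.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName `
        -Identifier $realm `
        -WSFedEndpoint $endpoint `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Review what ADFS stored before continuing with Step 3 in Validaide.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled |
    Format-List
```

Compare the printed Identifier and WSFedEndpoint against the values in the article before enabling SSO in Validaide; a mismatch here is the most common reason the redirect in Step 4 fails.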
Step 3: Validaide: Enable SSO with ADFS
1. Log in to Validaide at https://app.validaide.com/login
2. Navigate to the Administration menu using the cog wheel icon in the top menu
3. Click on the 'Single Sign-on (SSO)' menu under 'Tenant Configuration'
NOTE: SSO is an enterprise feature. If the menu is not visible, the SSO module is not enabled for your company; please contact support@validaide.com for pricing information.
4. Press the 'Microsoft ADFS' button; a dialog called 'Configure Microsoft ADFS' will open
5. Fill in the fields as follows:
- Domain: the primary domain of your organization's ADFS, e.g. 'acme.com'
- URL: the URL of the Federation Metadata XML
- Additional Domains (optional): any additional domains of your organization
6. Press the 'Save' button; the SSO setup is now configured
NOTE: It is best not to log out of Validaide until you have confirmed SSO is working!
Step 4: Validaide: Test SSO
A good way to test SSO is to do this using a different browser or a private browser tab. The user enabling SSO should remain logged in so they can disable the SSO if for some reason it is not working. Alternatively, you can go through the process together with a colleague or someone from your IT department.
1. Once SSO is enabled, open a different browser or, if you do not have one, a 'private browsing' tab, so you do not interrupt your current session and remain logged in.
2. Navigate to the login page of Validaide at https://app.validaide.com/login
3. Type in your e-mail address: if SSO is configured correctly, Validaide detects your company's domain and the login screen changes dynamically, removing the password field and showing 'Single Sign-on is Enabled', as seen below:
4. Press the 'Log In' button: you should now be redirected to your company's login page and, once you have identified yourself, gain access to Validaide.
NOTE: Users added to ADFS are not automatically created in Validaide. The SSO connection for a user only becomes active once that user logs in to Validaide for the first time.
Troubleshooting
It may happen that SSO does not work after you have configured it. If so, the first step is to work with your IT department to determine whether the setup was performed correctly and whether the ADFS logs show any errors.
If you cannot get the SSO to work after debugging, contact support@validaide.com and we will provide assistance.
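Before contacting support, it is worth confirming that the Federation Metadata URL entered in Step 3 is reachable and actually describes an ADFS service with a WS-Federation passive endpoint, since a wrong or unreachable URL is an easy-to-miss cause of a failing login. This is an added example, not part of the Validaide article; the URL is the article's example value for the fictional 'acme.com' and must be replaced with your own.

```powershell
# Added example: sanity-check the Federation Metadata URL from any Windows machine
# that can reach the ADFS server (no ADFS module required).
$metadataUrl = "https://auth.acme.com/FederationMetadata/2007-06/FederationMetadata.xml"  # example value

try {
    $response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
} catch {
    Write-Error "Metadata URL not reachable: $($_.Exception.Message)"
    return
}

[xml]$metadata = $response.Content

# The entityID is the issuer Auth0 will trust; it should be your ADFS service identifier.
$entityId = $metadata.EntityDescriptor.entityID

# Passive (browser) WS-Federation endpoint that the Step 4 redirect lands on.
$passive = $metadata.EntityDescriptor.RoleDescriptor |
    Where-Object { $_.PassiveRequestorEndpoint } |
    ForEach-Object { $_.PassiveRequestorEndpoint.EndpointReference.Address } |
    Select-Object -Unique

# Metadata should carry an XML signature so consumers can verify it was not altered.
$signed = $null -ne $metadata.EntityDescriptor.Signature

"Issuer (entityID) : $entityId"
"Passive endpoint  : $passive"
"Signed metadata   : $signed"

if (-not $passive) {
    Write-Warning "No WS-Federation passive endpoint found; check that the ADFS service is published."
}
if (-not $signed) {
    Write-Warning "Metadata is unsigned; verify you are pointing at the real ADFS metadata endpoint."
}
```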
You can also have a look at the Single Sign-On (SSO) FAQ.