Incoming SAML 2.0 Single Sign-On with ADFS


Introduction

The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses Incoming SAML 2.0 SSO for clients using Active Directory Federation Services (ADFS) and presents a somewhat abridged and focused version of our full Incoming SAML 2.0 Single Sign-On article. For the purposes of this article, the Absorb system acts as the Service Provider (SP) and your ADFS system acts as the Identity Provider (IdP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although ADFS is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your particular ADFS environment. This guide is provided to our clients as a convenience only, based on our past experience working with clients who employ ADFS. 

Instructions:

Absorb Setup

This section will walk through how you would configure your Absorb LMS. Once ADFS is set up in your company account, a System Admin will need to log into the LMS and complete the setup.

From Portal Settings, there is a button in the right-side context menu labeled Manage SSO Settings. If you cannot see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.


[Image: Setting_up_SAML_in_Absorb.gif]

Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one. 

Each route (Portal URL, e.g. company.myabsorb.com) can have its own set of SSO configurations. Please see this article for more information on route-based SSO. The remainder of this article assumes we're talking about a single SSO configuration.

Managing SSO Setting Variables

The following variables will need to be determined and configured as part of your SSO implementation. Each variable is listed with its requirement (Mandatory or Optional) followed by a description.

Name (Mandatory)
Enter a value to identify this SSO configuration. This field is for your reference only.

Method (Mandatory)
Select SAML.

Key (Mandatory)
The Key is the X.509 public certificate of the IdP whose private key signs the SAML assertions. You must configure Absorb with your IdP's public certificate so that Absorb can verify the signature on each SAML assertion it receives.

Mode (Mandatory)
Choose the request mode to be used: either Service Provider Initiated or Identity Provider Initiated. We recommend selecting Service Provider Initiated when possible. This has two key benefits:

  • LMS deep links will function as expected
  • SSO can be used to access the mobile app

ID Property / Unique Identifier (Mandatory)
The Absorb user field that the NameID carried in the SAML assertion is matched against to identify the user. Absorb can be configured to use any of the following as the Id Property:

  • Id (randomly generated identifier in the Absorb database)
  • Username
  • Email Address
  • External Id
  • Employee Number

Signature Type (Mandatory)
Select the correct option for your configuration.

Login URL (Mandatory for SP-initiated; Mandatory for IdP-initiated with Automatically Redirect ON; Optional for IdP-initiated with Automatically Redirect OFF)

  • Service Provider Initiated Mode: This is the endpoint where Absorb will send the SAML authentication request.
  • Identity Provider Initiated Mode: This is the URL where Absorb redirects users if they navigate directly to the selected Route(s) without an active session. This redirect is only triggered when the Automatically Redirect feature is turned on.

Logout URL (Optional)
This is the URL where Absorb redirects users when they log out of the Absorb system.

Single Logout (Optional)
Enables the single sign-out endpoint. When enabled, Absorb will attempt to sign the learner out of the identity provider when they log out of the LMS. If this is on, the Logout URL set above is ignored.

External Single Logout URL (Optional)
The IdP's Single Logout (SLO) endpoint to which Absorb sends single logout requests.

Wait for IDP Response (Optional)
Forces Absorb to wait for a response from the identity provider before logging the user out of Absorb.

Enforce Admin Side SSO (Optional)
Enforces SSO redirection on the Admin login page.

Automatically Redirect (Optional)
This setting only displays when Identity Provider Initiated Mode is selected. When turned on, all users who navigate directly to the selected Route(s) are redirected to the Login URL. If not turned on, users will land on the portal's landing page.
Note: When Service Provider Initiated Mode is selected, this setting is hidden. All unauthenticated users who navigate to the selected Route or Routes will be authenticated through SSO.

Assigned Routes (Mandatory)
Use this field to search for and select a Route or Routes to assign to this SSO configuration. A Route must be selected in order for SSO authentication to be successful. This Route will be referenced in the settings you configure in your Identity Provider.

Allow User Provisioning (Optional)
This setting determines whether User Provisioning is enabled. To successfully create users via this method, the required values must be sent in the Attribute Statement. For further details, see our article on user provisioning: Incoming SAML 2.0 SSO Account Provisioning


ADFS Setup

Login URL

From the ADFS Management application, right-click on Service from the left tree-view and click on Edit Federation Service Properties. This is where you can find your Federation Service Name, from which you can determine the Login URL value to enter into the Absorb SSO Settings. The Login URL is determined based on which mode you are using: Service Provider Initiated or Identity Provider Initiated. Service Provider Initiated Mode is recommended.

Service Provider Initiated Mode

Take your Federation Service Name and add “/adfs/ls/” to the end.

So for example if your Federation Service Name is https://adfs.company.com the Login URL to enter into Absorb will be https://adfs.company.com/adfs/ls/

Identity Provider Initiated Mode

Take your Federation Service Name and add “/adfs/ls/IdpInitiatedSignOn.aspx” to the end.

So for example if your Federation Service Name is https://adfs.company.com the Login URL to enter into Absorb will be https://adfs.company.com/adfs/ls/IdpInitiatedSignOn.aspx

If you have multiple sites set up on your ADFS, you can bypass site selection by appending “?loginToRp=https://subdomain.myabsorb.com” (the LMS URL you entered as the Relying Party Trust Identifier) to the end of the URL.

So continuing the prior example, your Login URL would be https://adfs.company.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://company.myabsorb.com

Key / X509 Certificate

  1. Go to the Certificates entry in the left tree view, right-click the Token-Signing certificate, then click View Certificate.

  2. On the certificate's Details tab, click Copy to File; the Certificate Export Wizard launches.

  3. Click Next, select the “Base-64 encoded X.509 (.CER)” format and save the certificate.

  4. Open the saved certificate in a text editor (or similar), copy its contents and enter them into the Key field in Absorb (see the Managing SSO Setting Variables section above).

[Image: ADFS_Certificate.png]

Note: The Login URL and X509 Certificate (key) can also be retrieved from a SAML metadata file exported from ADFS.

 

Relying Party Trust

The connection between Absorb and ADFS is defined using a Relying Party Trust. The steps below can be followed to set this up manually, or you can try importing our SP metadata. This article has our metadata, which can also be downloaded at the bottom of the page.

Note: updates will need to be made related to your particular LMS URL prior to using the metadata.

To manually configure the Relying Party Trust:

  1. Select the Relying Party Trusts folder in ADFS Management, and add a new Standard Relying Party Trust from the Actions sidebar. On the Select Data Source screen, select the last option, Enter Data about the Party Manually.
  2. On the Specify Display Name screen, enter a Display Name to identify this SSO setup.
  3. Skip the Configure Certificate screen by clicking Next.
  4. On the Configure URL screen, check the box labeled Enable Support for the SAML 2.0 Web SSO protocol. Set the service URL to https://PortalURL/api/rest/v2/authentication/saml.
  5. Under Configure Identifiers, enter the LMS URL as the Relying Party Trust Identifier.

     [Image: Relying_Trust_Modal.png]

  6. On Choose Issuance Authorization Rules, select the Permit all users to access this relying party radio button.
  7. On the next two screens, the wizard will display an overview of your settings. On the final screen, use the Close button to exit.
  8. Right-click on the relying party you’ve just created and select Properties. In the Advanced tab, ensure SHA-1 is selected for the secure hash algorithm.

Claim Rules

Once the relying party trust has been created, you can create the claim rules.
 
  1. Select “Send LDAP Attribute as Claims” as the rule template and click Next, then select “Active Directory” as the Attribute store. Configure the LDAP attribute “E-Mail-Addresses” to map to the Outgoing claim type “E-Mail Address”. This assumes you are using Email Address as the Absorb "Id Property" (Name ID), and will need to be adjusted if you use some other field.

  2. Select “Transform an Incoming Claim” as the rule template. Configure the Claim rule name as “Email to Name ID” or similar, the Incoming claim type as “E-Mail Address”, the Outgoing claim type as “NameID”, and the Outgoing name ID format as “Unspecified”. Again, this assumes you are using Email Address as the Name ID; adjust the Incoming claim type as appropriate if not.
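The Relying Party Trust steps and the two claim rules above can also be applied from PowerShell with the ADFS module that is installed with the ADFS role, which makes the configuration reviewable and repeatable. The script below is an added example and is not Absorb's or Microsoft's code: the portal URL and display name are placeholders to replace with your own values, and the claim rules assume Email Address is the Absorb Id Property, exactly as the manual steps do.

```powershell
# Added example: scripted equivalent of the Relying Party Trust (steps 1-8) and Claim
# Rules sections. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$portalUrl   = 'https://company.myabsorb.com'   # placeholder: your LMS Portal URL (route)
$displayName = 'Absorb LMS'                     # placeholder: Display Name from step 2

# Step 4: the SAML 2.0 Web SSO service URL is the assertion consumer endpoint (HTTP-POST binding).
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri "$portalUrl/api/rest/v2/authentication/saml" -Index 0 -IsDefault $true

# Step 6: issuance authorization rule "Permit all users to access this relying party".
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Claim rule 1, "Send LDAP Attribute as Claims": the AD E-Mail-Addresses attribute
# (LDAP name "mail") is issued as the outgoing claim type E-Mail Address.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD E-Mail-Addresses to E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Claim rule 2, "Transform an Incoming Claim": E-Mail Address becomes the NameID, format Unspecified.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

$trust = @{
    Name                       = $displayName
    Identifier                 = $portalUrl      # step 5: Relying Party Trust Identifier = LMS URL
    SamlEndpoint               = $acsEndpoint
    IssuanceAuthorizationRules = $permitAll
    IssuanceTransformRules     = $ldapRule + "`r`n" + $nameIdRule
    # Step 8: secure hash algorithm. This article calls for SHA-1 on the Advanced tab.
    SignatureAlgorithm         = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
}
Add-AdfsRelyingPartyTrust @trust

# Review what ADFS recorded before testing a login from Absorb.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules, SamlEndpoints
```

The rule text uses the ADFS claim rule language that the wizard generates behind the templates named in steps 1 and 2, so the result is the same as clicking through the GUI and can be diffed against a later export. The other value ADFS accepts for SignatureAlgorithm is http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, should your Absorb configuration be set up for it.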
      
 

IdP Metadata

You may have already exported the certificate manually in the ADFS Setup section above, but your IdP Metadata can also be used to obtain your public X509 certificate. The X509 certificate should be added to the Key field under Portal Settings in Absorb.
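Both sources for the Key (the Token-Signing certificate export in the ADFS Setup section and the IdP metadata described here) can be handled from PowerShell. The script below is an added example rather than Absorb's or Microsoft's code: the function names, the output path and the metadata file path are placeholders of this example. Export-TokenSigningKey reads the primary token-signing certificate directly from ADFS and writes it in the Base-64 encoded X.509 (.CER) layout the export wizard produces, reporting its expiry so you know when the Key in Absorb will have to be replaced; Get-IdpMetadataSettings reads an exported FederationMetadata.xml instead and returns the signing certificate(s) and the SingleSignOnService location, which is the SP-initiated Login URL.

```powershell
# Added example: helpers for obtaining the Key field value from ADFS or from its metadata.
# Export-TokenSigningKey must run on the ADFS server; Get-IdpMetadataSettings only needs the file.
Import-Module ADFS

function ConvertTo-Base64Cer {
    # Wrap the DER bytes in PEM armor with 64-character lines, matching the export wizard output.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $b64   = [Convert]::ToBase64String($Certificate.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`r`n"
}

function Export-TokenSigningKey {
    param([string]$OutFile = "$env:USERPROFILE\absorb-key.cer")   # placeholder output path
    # ADFS can hold a primary and a secondary token-signing certificate during rollover;
    # the primary is the one signing assertions today, so that is the Key Absorb must verify against.
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    $cert    = $primary.Certificate
    Write-Host ("Token-signing certificate: {0}`n  Thumbprint: {1}`n  Expires: {2:u}" -f
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning 'Certificate expires within 30 days; plan to update the Key in Absorb after rollover.'
    }
    ConvertTo-Base64Cer $cert | Set-Content -Path $OutFile -Encoding ASCII
    Write-Host "Paste the contents of $OutFile into the Key field in Absorb."
}

function Get-IdpMetadataSettings {
    # Alternative source: a SAML metadata file exported from ADFS (see the Note in ADFS Setup).
    param([Parameter(Mandatory)][string]$MetadataPath)
    [xml]$md = Get-Content -Path $MetadataPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Only the KeyDescriptor with use="signing" is the Key; ADFS metadata also lists an encryption one.
    $signingCerts = $md.SelectNodes(
        "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
        ForEach-Object {
            $raw = [Convert]::FromBase64String(($_.InnerText -replace '\s', ''))
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        }
    $sso = $md.SelectSingleNode(
        "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", $ns)

    [pscustomobject]@{
        EntityId     = $md.DocumentElement.GetAttribute('entityID')
        LoginUrl     = $sso.GetAttribute('Location')   # expected to be <Federation Service Name>/adfs/ls/
        SigningCerts = $signingCerts | Select-Object Subject, Thumbprint, NotAfter
        KeyPem       = $signingCerts | ForEach-Object { ConvertTo-Base64Cer $_ }
    }
}

# Usage (pick one):
#   Export-TokenSigningKey
#   Get-IdpMetadataSettings -MetadataPath 'C:\temp\FederationMetadata.xml'   # placeholder path
```

When the metadata lists two signing certificates, ADFS is in the middle of a certificate rollover; compare the thumbprints with Get-AdfsCertificate to pick the primary one, and keep in mind that the Key stored in Absorb stops validating assertions the moment ADFS switches to the new certificate.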

Troubleshooting

If errors are encountered, please refer to our SSO Troubleshooting guide.
