In this article, we will cover how to integrate Safelink with ADFS for single sign-on. The information below is intended for IT professionals.
We will cover:
If you are experiencing any trouble with your SSO please contact your IT department or Safelink Support. Safelink also supports Single Sign-on: Integration with Azure AD for Safelink,
Requirements
- Active Directory Federation Services (ADFS) version 2.0 or above must be installed on your network. This is where we will redirect your users in order to authenticate them as part as part of an SSO login, and the ADFS server will contact your Active Directory server to check the credentials.
- On Windows Server 2008 R2, the latest version of ADFS you can install is version 2.0. It is not included within the normal installation of Windows Server 2008 R2, but is available as a free add-on from Microsoft at the following URL: http://www.microsoft.com/en-ca/download/details.aspx?id=10909
- On Windows Server 2012 R2, use ADFS 3.0. 2.
- Your ADFS instance must be externally accessible, using HTTPS on its own domain name, and with its own SSL/TLS certificate, in order to allow your users to authenticate from outside your firewall. This is not the same certificate that would be used by the ADFS server for signing the security tokens that it issues.
Setting up Safelink as a Relying Party
To allow Safelink to authenticate against your ADFS server, you need to create a “Relying Trust” in ADFS, within which you will need to define a number of specific claims. Instructions for doing so are shown below. Before that will work, we need to apply a matching configuration on our side.
Information you need to provide to us
Please send the following information to support@safelinkhub.com:
-
Single Sign-On URL
-
eg. "https://sso.yourdomain.com/adfs/ls”
-
For ADFS 2.0 and 3.0, this can be found in the ADFS Management Console under [Service] > [Endpoints] > [The URL of the endpoint with type "SAML 2.0/WS-Federation”]
-
-
Single Logout Service URL
-
eg. "https://sso.yourdomain.com/adfs/ls/?wa=wsignout1.0”
-
This is normally derived from the SSO URL, but if you’ve overridden this, please provide the updated value.
-
-
Entity ID (of the ADFS deployment)
-
eg. "http://sso.yourdomain.com/adfs/services/trust”
-
For ADFS 2.0 and 3.0, this can be found in the ADFS Management Console under [Service] > [Edit Federation Service Properties] > [General Tab] > [Federation Service Identifier field]
-
-
The SHA1 fingerprint of the X509 token signing certificate for the ADFS instance
-
eg. “90 C3 16 F0 8D …”
-
For ADFS 2.0 and 3.0, this can be found in the ADFS Management Console under [AD FS] > [Service] > [Certificates] > [Token-signing] > [View Certificate] > [Details Tab] > [The value of the field named Thumbprint]
-
-
Email domain name(s) for users who will be allowed to authenticate through this setup.
-
eg. "yourdomain.com"
-
Information you will need
Note that in each case below, clientname must be replaced with the client name given to you by us, and safelinkhostname must be replaced with the fully qualified internet domain name of your Safelink deployment, which might be at a shared or a custom domain.
-
ACS URL (aka. “Relying Party SAML 2.0 SSO Service URL”):
https://safelinkhostname/auth/saml/clientname/callback
-
Logout URL:
https://safelinkhostname/auth/saml/clientname/slo
Example: https://app.safelinkhub.com/auth/saml/clientname/slo
- Entity ID (aka. "issuer")
safelinkhub.com
Setting up the Relying Party Trust for Safelink in ADFS 2.0
-
Goto [ADFS 2.0 manager] > [Trust Relationships] > [Relying Party Trusts] > [Add Relying Party Trust]
-
Data source: Choose to enter data about the relying party manually
-
Display name: Choose a suitable display name, eg. Safelink Data Rooms
-
Profile: Choose the AD FS 2.0 profile
-
Certificate: Press Next to continue (the claims are encrypted using HTTPS so tokens do not need to be separately encrypted)
-
Configure URL: Choose to “Enable Support for the SAML 2.0 WebSSO Protocol”, and enter the ACS URL supplied above
-
Identifiers: Add the entity ID supplied above (“safelinkdatarooms.com”)
-
Issuance Authorization Rules: Permit all users to access this relying party
-
Ready to Add Trust: Press Next to continue.
-
Finish the setup to create the new Relying Party Trust.
Setting up the Relying Party Trust for Safelink in ADFS 3.0
-
Goto [AD FS] > [Trust Relationships] > [Relying Party Trusts] > [Add Relying Party Trust]
-
Data source: Choose to enter data about the relying party manually
-
Display name: Choose a suitable display name, eg. Safelink Data Rooms
-
Profile: Choose the AD FS profile
-
Certificate: Press Next to continue (the claims are encrypted using HTTPS so tokens do not need to be separately encrypted)
-
Configure URL: Choose to “Enable Support for the SAML 2.0 WebSSO Protocol”, and enter the ACS URL supplied above
-
Identifiers: Add the entity ID supplied above (“safelinkdatarooms.com”)
-
Multi-factor Authentication: Choose “I do not want to configure multi-factor authentication settings for this relying party trust at this time”.
-
Issuance Authorization Rules: Permit all users to access this relying party
-
Ready to Add Trust: Press Next to continue.
-
On the Finish screen, finish creating the Relying Party Trust, and do not choose to “Open the Edit Claim Rules dialog”.
-
Open the Properties dialog for the new Relying Party Trust, under [AD FS] > [Trust Relationships] > [Relying Party Trusts] > [Safelink Data Rooms] > [Properties].
-
Under the [Endpoints] tab, click [Add SAML]
-
Add an endpoint of type “SAML Logout”, with binding “POST”, and for the Trusted URL, enter the Single Logout Service URL you provided to us earlier, eg. https://sso.yourdomain.com/adfs/ls/?wa=wsignout1.0
-
Under the [Advanced] tab, ensure that the “Secure Hash Algorithm” is chosen to be “SHA-256”.
Add claims for the new Relying Trust in ADFS 2.0
-
Open the claim rules editor (if not already opened from the previous step)
-
On the Issuance Transform Rules tab, choose to Add a Rule, and choose “Send LDAP Attributes as Claims". Name the rule “User Attributes”, or similar; use Active Directory as the Attribute Store, and add four mappings: "E-Mail-Addresses” as outgoing claim type “email” (type this, rather than choose it from the drop-down box); “Given-Name” as “first_name”, “Surname” as “last_name”, “Title” as “title".
-
On the Issuance Transform Rules tab, choose to Add a Rule, and choose “Send Claims using a Custom Rule”. Name the rule “User Secret”, or similar; the rule value should be [ => issue(Type = “user_secret”, Value = “a_secret_value”); ], without the square brackets. Replace a_secret_value with some other secret token known only to yourselves, and make a record of what you chose. The value you choose here is used as input to our encryption key generation routines and improves the security of your data. You may wish to write a more elaborate user-specific rule here (or refer to a field from AD or an SQL server). The value returned here must remain unchanged, for all users.
-
On the Issuance Transform Rules tab, choose to Add a Rule, and choose “Transform an Incoming Claim”. Name the rule “Generate NameID”, or similar. The “Incoming Claim Type” should be “email”; “Outgoing Claim Type” should be “Name ID”, Outgoing name ID format should be “Persistent Identifier”. Choose to “Pass through all claim values”.
Add claims for the new Relying Trust in ADFS 3.0
-
Open the Claim Rules Editor the new Relying Party Trust, under [AD FS] > [Trust Relationships] > [Relying Party Trusts] > [Safelink Data Rooms] > [Edit Claim Rules]
-
On the Issuance Transform Rules tab, choose to Add a Rule, and choose “Send LDAP Attributes as Claims". Name the rule “User Attributes”, or similar; use Active Directory as the Attribute Store, and add four mappings: "E-Mail-Addresses” as outgoing claim type “email” (type this, rather than choose it from the drop-down box); “Given-Name” as “first_name”, “Surname” as “last_name”, “Title” as “title".
-
On the Issuance Transform Rules tab, choose to Add a Rule, and choose “Send Claims using a Custom Rule”. Name the rule “User Secret”, or similar; the rule value should be [ => issue(Type = “user_secret”, Value = “a_secret_value”); ], without the square brackets. Replace a_secret_value with some other secret token known only to yourselves, and make a record of what you chose. The value you choose here is used as input to our encryption key generation routines and improves the security of your data. You may wish to write a more elaborate user-specific rule here (or refer to a field from AD or an SQL server). The value returned here must remain unchanged, for all users.
-
On the Issuance Transform Rules tab, choose to Add a Rule, and choose “Transform an Incoming Claim”. Name the rule “Generate NameID”, or similar. The “Incoming Claim Type” should be “email”; “Outgoing Claim Type” should be “Name ID”, Outgoing name ID format should be “Persistent Identifier”. Choose to “Pass through all claim values”.