Single sign on with Microsoft Windows Active Directory Federation Services (ADFS)
To configure Altamira HRM for Single Sign-On with Microsoft Windows Active Directory Federation Services (ADFS), follow the steps below.
1. Create your custom domain
See Configuring a custom domain.
2. Get your ADFS metadata XML file
On your ADFS server, open AD FS Management and navigate to AD FS\Service\Endpoint. Scroll to the Metadata section, note the URL for the Metadata type and append it to your ADFS server's public endpoint. The URL should be in the form: https://sts.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
Open the URL in your browser and save the XML file to local storage.
3. Upload the ADFS metadata to Altamira
- From the Setup app, General section, click Custom Domains and click on the domain you wish to configure
- In the Single Sign On tab, click Choose file and select the ADFS metadata XML file from local storage
- Click Save
4. Download the Altamira HRM metadata file for your domain
- From the Setup app, General section, click Custom Domains and click on the domain you configured
- Click Actions → Download SSO metadata and save the file to local storage
5. Create a new ADFS Relying Party Trust
On your ADFS server, open AD FS Management:
- Navigate to AD FS\Relying party trusts
- Click Add Relying party trust
- Select Claims aware and click Start
- Select Import data about the relying party from a file, click Browse, select the Altamira metadata file and click Next
- Enter a display name, usually Altamira HRM, and click Next
- If required, configure access control policies and click Next
- Review the settings and click Next
- Ensure Configure claims issuance policy for this application is checked and click Close
Now configure the ADFS claims to be sent to Altamira HRM:
- In Edit claims issuance policy, click Add Rule
- Select Send LDAP attributes as claims and click Next
- In the Claim Rule text box, type Altamira Claims
- From Attribute store select Active Directory
- In the LDAP attribute mapping:
  - For the username → LDAP Attribute: User-Principal-Name. Outgoing claim type: Name ID
  - If you are synchronizing groups → LDAP Attribute: Token-Groups as SIDs. Outgoing claim type: Group
6. Test your implementation
For the test you will need either to have enabled self-provisioning or to have created a user whose username matches in both Active Directory and Altamira HRM.
For service provider initiated login:
- In a private browser session, navigate to your custom domain URL. You will be redirected to the ADFS login page: enter your credentials and sign in. You will be redirected to Altamira HRM where you will be authenticated based on the SAML response.
For identity provider initiated login:
- In a private browser session, navigate to https://youradfsendpoint.com/adfs/ls/idpinitiatedsignon.htm. Enter your credentials and select Altamira HRM from the list of applications. You will be redirected to Altamira HRM where you will be authenticated based on the SAML response.
7. Troubleshooting
In an SP-initiated login, if ADFS reports an error you can view diagnostic information in the Windows Event Viewer under the AD FS\Admin log. If there is an error processing the SAML response, Altamira will show minimal diagnostic information at the browser login prompt; more detailed information is available in the Altamira event log, accessible from the Reports section.