Single sign on with Microsoft Windows Active Directory Federation Services (ADFS)
To configure Altamira HRM for single sign on with Microsoft Windows Active Directory Federation Services (ADFS), do the following:
1. Claim your custom domain name
See Claiming your custom domain name
2. Get your ADFS metadata XML file
On your ADFS server open AD FS Management and expand the nodes AD FS\Service\Endpoints. Scroll to the Metadata section, note the URL path shown for the Federation Metadata type and append it to your ADFS server's public endpoint. The resulting URL should be in the form https://sts.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
Open the URL in your browser and save the XML file to local storage.
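Before uploading the file in the next step, it is worth checking that what you saved is really the ADFS identity-provider metadata (not an error page, and not the SP metadata) and noting the token-signing certificate thumbprint so you can compare it with the Token-signing entry in AD FS Management. The following Python check is an added example, not part of Altamira HRM or of this article; the embedded metadata document is a constructed, cut-down sample and its certificate is a placeholder string rather than a real X.509 certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed, cut-down sample of what ADFS publishes. The certificate is a
# placeholder string, not real X.509 DER; a real file carries a full certificate.
PLACEHOLDER_CERT = base64.b64encode(b"PLACEHOLDER-CERT-BYTES").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="http://sts.yourdomain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}">
      <X509Data><X509Certificate>{PLACEHOLDER_CERT}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://sts.yourdomain.com/adfs/ls/"/>
    <SingleSignOnService Binding="{POST}" Location="https://sts.yourdomain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def inspect_idp_metadata(xml_text: str) -> dict:
    # Returns entityID, SSO endpoints by binding, signing-cert thumbprints and problems found.
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "sso": {}, "signing_thumbprints": [], "problems": []}
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        result["problems"].append("root element is not a SAML EntityDescriptor (wrong file?)")
        return result
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no IDPSSODescriptor: this is SP metadata, not the ADFS file")
        return result
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        result["sso"][svc.get("Binding")] = location
        if not location.startswith("https://"):
            result["problems"].append(f"SSO endpoint is not https: {location}")
    if REDIRECT not in result["sso"] and POST not in result["sso"]:
        result["problems"].append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":  # only the token-signing certificate matters here
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            # SHA-1 thumbprint, comparable with the Token-signing entry in AD FS Management
            result["signing_thumbprints"].append(hashlib.sha1(der).hexdigest().upper())
    if not result["signing_thumbprints"]:
        result["problems"].append("no token-signing certificate found")
    return result
```

Run it against the file you saved (`inspect_idp_metadata(open("FederationMetadata.xml").read())`) and upload only if the problems list is empty and the thumbprint matches the token-signing certificate on the server.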
3. Upload the ADFS metadata to Altamira
- click Setup\Account\Custom domains and click on the custom domain you wish to map claims for
- in the Single Sign on tab, under Configure from identity provider metadata file, click Choose file and select the ADFS metadata XML from local storage
- click Save
4. Download the Altamira HRM metadata file for your domain
- click Setup\Account\Custom domains and click on the custom domain you wish to map claims for
- click Actions\Download SSO metadata and save the file to local storage
5. Create a new ADFS Relying party trust
On your ADFS server open AD FS Management:
- open the nodes AD FS\Relying party trusts
- click on Add Relying party trust
- select Claims aware and click Start
- select Import data about the relying party from a file, select Browse and select the Altamira metadata file and click Next
- enter a display name, usually Altamira HRM and click Next
- if required, configure access control policies and click Next
- review settings and click Next
- ensure Configure claims issuance policy for this application is checked and click Close
Now configure ADFS claims to be sent to Altamira HRM:
- in the Edit claims issuance policy, click on Add Rule
- select Send LDAP attributes as claims and click on Next
- in the Claim Rule text box, type Altamira Claims
- from the Attribute store select Active Directory
- in the Mapping of LDAP attributes:
  - for the username -> LDAP Attribute: User-Principal-Name. Outgoing claim type: Name ID
  - if you are synchronizing groups -> LDAP Attribute: Token-Groups as SIDs. Outgoing claim type: Group
6. Test your implementation
For the test you will need to have either enabled self provisioning or created a user with a matching user name in both Active Directory and Altamira.
For service provider initiated login:
- in a private browser session, navigate to your custom domain URL. You will be redirected to the ADFS login page: enter your credentials and sign in. You will be redirected to Altamira HRM, where you will be authenticated based on the SAML response
For identity provider initiated sign in:
- in a private browser session, navigate to https://youradfsendpoint.com/adfs/ls/idpinitiatedsignon.htm. Enter your credentials and then select Altamira HRM from the list of applications. You will be redirected to Altamira HRM, where you will be authenticated based on the SAML response
7. Troubleshooting
In an SP initiated login, if ADFS reports an error you can view diagnostic information with the Windows Event Viewer in the AD FS\Admin log. If there is an error processing the SAML response, Altamira gives minimal diagnostic information at the browser login prompt; you will find more detailed information in the Altamira event log, available in the Reports section.