How do I set up single sign-on with ADFS?

For more information and configuration regarding Single sign-on in Security Center, read this article:
https://support.holmsecurity.com/hc/en-us/articles/360014407379

Requirements

To use ADFS to log in to Holm Security you need:

  • An Active Directory instance where all users have the email address attribute set.
  • A server running Microsoft Server 2019 (older versions may also work). This guide uses screenshots from Server 2019.
  • ADFS installed on that server. Configuring and installing ADFS is beyond the scope of this guide, but it is detailed in a Microsoft KB article.
  • ADFS must use a CA-signed certificate for service communication, token-decrypting and token-signing.

You will need the following from Holm Security:

  • Certificate
  • Login URL

You have to provide Holm Security with the following:

  • The CRT file of the certificate on the ADFS server
  • The federation metadata XML file of your ADFS (original location: https://<adfs server>/federationMetadata/2007-06/FederationMetadata.xml)

Add Persistent Identifiers

Open AD FS Management and go to the “Claim Descriptions” folder. On the right side, click on “Add Claim Description...”.

Add the following:

  • Display name: Persistent identifier
  • Short name: persistent
  • Claim identifier: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • Check the box: Publish this claim description in federation metadata as a claim type that this Federation Service can accept
  • Check the box: Publish this claim description in federation metadata as a claim type that this Federation Service can send

Add Relying Party Trust

  1. Go to the folder “Relying Party Trusts”. Click on “Add Relying Party Trust...” in the right menu.
  2. Select “Claims aware” and click on “Start”.
  3. Select “Enter data about the relying party manually” and click on “Next >”.
  4. Enter a display name, for example “Holm Security”, and click on “Next >”.
  5. Click on “Browse...” and browse to the certificate you got from Holm Security.
  6. Click on “View...”.
  7. Click on “Install Certificate...”.
  8. Select “Local Machine” and click on “Next”.
  9. Select “Place all certificates in the following store” and click on “Browse...”.
  10. Select “Trusted Root Certification Authorities” and click on “OK”.
  11. Click on “Next”.
  12. Click on “Finish”.
  13. Click on “Next”.
  14. Select “Enable support for the SAML 2.0 WebSSO protocol” and enter https://sc.holmsecurity.com/sso/callback as the service URL.
  15. Under “Relying party trust identifier”, enter https://sc.holmsecurity.com/sso/metadata, click on “Add” and then click on “Next >”.
  16. Select “Permit everyone” and click on “Next >”.
  17. Click on “Next >”.
  18. Click on “Close”.

Edit Relying Party Trust

  1. Right-click on the trust you just created and select “Properties”.
  2. Go to the “Signature” tab, click on “Add...” and browse to the certificate you added when you configured the relying party trust.
  3. Go to the “Endpoints” tab and click on “Add SAML...”:
    1. Endpoint type: “SAML Logout”
    2. Binding: “Redirect”
    3. Trusted URL: https://sc.holmsecurity.com/sso/logout
  4. Go to the “Advanced” tab and select Secure hash algorithm: SHA-1.
  5. Go to the “Monitoring” tab and enter: https://sc.holmsecurity.com/sso/metadata
  6. Click on “OK”.

Edit Claim Issuance Policy

  1. Select the trust you created and, on the right side, click on “Edit Claim Issuance Policy...”.
  2. Click on “Add Rule...”.
  3. Select “Send LDAP Attributes as Claims” and click on “Next >”.
  4. Configure the claim rule as follows and press “Finish”:
    1. Claim rule name, for example: “LDAP”
    2. Attribute store: “Active Directory”
    3. Email (required): LDAP Attribute “E-Mail-Addresses” → Outgoing Claim Type “E-Mail Address”
    4. First name: LDAP Attribute “Given-Name” → Outgoing Claim Type “Given Name”
    5. Last name: LDAP Attribute “Surname” → Outgoing Claim Type “Surname”
    6. Press “OK”.
  5. Add a second rule by clicking on “Add Rule...”.
  6. Select “Transform an Incoming Claim” and click on “Next >”.
  7. Enter a name, configure the claim rule as follows and click on “Finish”:
    1. Incoming claim type: “UPN”
    2. Outgoing claim type: “Name ID”
    3. Outgoing name ID format: “Persistent Identifier”
  8. Click on “OK”.

Run PowerShell

Run the following three PowerShell commands on the ADFS server:

  1. Get-AdfsRelyingPartyTrust -Identifier https://sc.holmsecurity.com/sso/metadata | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
  2. Set-AdfsRelyingPartyTrust -TargetName "Holm Security" -SamlResponseSignature "MessageAndAssertion"
  3. Update-AdfsRelyingPartyTrust -TargetName "Holm Security"
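The same relying party trust, claim descriptions, endpoints and claim rules that the sections above configure in the AD FS Management console can be created with the ADFS PowerShell module. The script below is an added example, not Holm Security's own script; it assumes the ADFS role is installed, that it runs elevated on the ADFS server, and that $HolmCertPath is a placeholder for the certificate file Holm Security sent you. The claim rules are written in the claim rule language the wizard generates for the “Send LDAP Attributes as Claims” and “Transform an Incoming Claim” templates.

```powershell
# Added example, not Holm Security's own script: the relying party trust from the
# sections above, created with the ADFS PowerShell module instead of the MMC wizard.
# Assumptions: the ADFS role is installed, this runs elevated on the ADFS server, and
# $HolmCertPath is a placeholder for the certificate file Holm Security sent you.
Import-Module ADFS

$HolmCertPath = 'C:\Temp\holmsecurity.crt'   # placeholder path
$TrustName    = 'Holm Security'
$Identifier   = 'https://sc.holmsecurity.com/sso/metadata'
$CallbackUrl  = 'https://sc.holmsecurity.com/sso/callback'
$LogoutUrl    = 'https://sc.holmsecurity.com/sso/logout'

# "Add Persistent Identifiers": publish the persistent NameID format as accepted and offered.
$PersistentFormat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
if (-not (Get-AdfsClaimDescription -ClaimType $PersistentFormat -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimDescription -Name 'Persistent identifier' -ShortName 'persistent' `
        -ClaimType $PersistentFormat -IsAccepted $true -IsOffered $true
}

# Steps 5-12: trust the Holm Security certificate on the machine and load it for the trust.
Import-Certificate -FilePath $HolmCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$HolmCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $HolmCertPath

# Step 14 and "Edit Relying Party Trust" step 3: assertion consumer and logout endpoints.
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $CallbackUrl -Index 0
    New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $LogoutUrl
)

# "Edit Claim Issuance Policy": the two rules the wizard generates, in claim rule language.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to persistent Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Step 16: "Permit everyone" access control.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust with the settings the guide applies in the wizard, the Properties dialog
# and the three PowerShell commands: SHA-1 as in the "Advanced" tab, signed message and
# assertion, and no revocation check on the relying party certificate.
Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $Identifier `
    -RequestSigningCertificate $HolmCert -SamlEndpoint $Endpoints `
    -IssuanceTransformRules $TransformRules -IssuanceAuthorizationRules $AuthzRules `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -SamlResponseSignature MessageAndAssertion `
    -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

# "Edit Relying Party Trust" step 5: monitoring URL, then refresh the trust as in command 3.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -MetadataUrl $Identifier -MonitoringEnabled $true
Update-AdfsRelyingPartyTrust -TargetName $TrustName

# Show what was created so it can be compared with the screenshots in the guide.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlResponseSignature, SigningCertificateRevocationCheck
```

Running the script twice fails on Add-AdfsRelyingPartyTrust because the identifier already exists; remove the trust first with Remove-AdfsRelyingPartyTrust -TargetName "Holm Security" if you need to recreate it.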

Enable Relay state

  1. In a standard text editor, open the appropriate configuration file:
    • On Microsoft Windows Server 2008 R2 platforms, open the web.config file. This file is typically located at C:\inetpub\adfs\ls\
    • On Microsoft Windows Server 2012 and later, open the Microsoft.IdentityServer.Servicehost.exe.config file. This file is typically located at C:\Windows\ADFS\
  2. Add the following entry between <microsoft.identityServer.web> and </microsoft.identityServer.web>:

    <useRelayStateForIdpInitiatedSignOn enabled="true" />

  3. Run the following PowerShell command: Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true

Optional: RelayState URL

You need to replace the beginning and the end of the URL below. The beginning is the URL of your ADFS server and the end is the end of your custom login URL: https://<adfs page>/adfs/ls/idpinitiatedsignon.aspx?Relaystate=RPID=https%3A%2F%2Fsc.holmsecurity.com%2Fsso%2Fmetadata%26RelayState=https%3A%2F%2Fsc.holmsecurity.com%2Fsso%2Flogin%<End of custom login URL>
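The relay state steps and the RelayState URL above can be done from PowerShell, which also lets you decode a generated URL to check that the RPID and the login URL inside it are encoded the way ADFS expects. This is an added example, not Holm Security's own script; it assumes Windows Server 2012 or later (the configuration file path from the guide), that it runs elevated on the ADFS server, and that the ADFS host name and the custom login suffix passed at the bottom are placeholders you replace with your own values.

```powershell
# Added example, not Holm Security's own script: the "Enable Relay state" steps and the
# optional RelayState URL above, done from PowerShell. Assumptions: Windows Server 2012 or
# later (the config path from the guide), run elevated on the ADFS server, and the ADFS
# host name and custom login suffix passed at the bottom are placeholders.

function Enable-AdfsRelayState {
    param(
        [string]$ConfigPath = 'C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config'
    )
    # Step 2: put <useRelayStateForIdpInitiatedSignOn enabled="true" /> inside <microsoft.identityServer.web>.
    [xml]$Config = Get-Content -Path $ConfigPath -Raw
    $Web = $Config.SelectSingleNode('/configuration/microsoft.identityServer.web')
    if (-not $Web) { throw "No <microsoft.identityServer.web> section in $ConfigPath" }
    $Node = $Web.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
    if (-not $Node) {
        $Node = $Config.CreateElement('useRelayStateForIdpInitiatedSignOn')
        [void]$Web.AppendChild($Node)
    }
    $Node.SetAttribute('enabled', 'true')
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep the original next to it
    $Config.Save($ConfigPath)

    # Step 3: the same switch as a service property (ADFS on Server 2016 and later).
    Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
    Restart-Service -Name adfssrv   # the config file is read at service start
}

function New-HolmIdpInitiatedSignOnUrl {
    param(
        [Parameter(Mandatory)][string]$AdfsHost,        # placeholder, e.g. adfs.example.com
        [Parameter(Mandatory)][string]$LoginUrlSuffix,  # the end of your custom login URL
        [string]$Rpid      = 'https://sc.holmsecurity.com/sso/metadata',
        [string]$LoginBase = 'https://sc.holmsecurity.com/sso/login'
    )
    # Both the RPID and the inner RelayState are percent-encoded, so the ADFS sign-on page
    # can split them on the literal %26 (&) and hand the login URL to Security Center.
    $Target = $LoginBase + $LoginUrlSuffix
    $Relay  = 'RPID=' + [System.Uri]::EscapeDataString($Rpid) +
              '%26RelayState=' + [System.Uri]::EscapeDataString($Target)
    return "https://$AdfsHost/adfs/ls/idpinitiatedsignon.aspx?RelayState=$Relay"
}

function Show-RelayState {
    # Decode a generated URL back into its parts to check it before handing it out.
    param([Parameter(Mandatory)][string]$Url)
    $Query = $Url.Substring($Url.IndexOf('?') + 1)
    $Relay = ($Query -split '&' | Where-Object { $_ -like 'RelayState=*' }) -replace '^RelayState=', ''
    $Parts = [ordered]@{}
    foreach ($Pair in ($Relay -split '%26')) {
        $Key, $Value = $Pair -split '=', 2
        $Parts[$Key] = [System.Uri]::UnescapeDataString($Value)
    }
    [pscustomobject]$Parts
}

Enable-AdfsRelayState
$LoginUrl = New-HolmIdpInitiatedSignOnUrl -AdfsHost 'adfs.example.com' -LoginUrlSuffix '/your-company'
$LoginUrl
Show-RelayState -Url $LoginUrl   # prints RPID and RelayState decoded, for comparison with the guide
```

Show-RelayState should print the RPID as https://sc.holmsecurity.com/sso/metadata and the RelayState as the full login URL; if either comes back still containing %3A or %2F, the value was encoded twice, which is the usual cause of a login page that opens but never returns to Security Center.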

FAQ

  • If you get the following error: “Signature validation failed. SAML Response rejected”

Check that your certificate is a trusted CA-signed SSL certificate, both in AD FS Management and in the Certificates folder.

  • If you get the following error: “User not found against Customer account”

The user does not match any user at Holm Security. Verify the UserPrincipalName against the username at Holm Security and verify that the user has an E-mail Address attribute.

  • If you get the following error: “Single sign-on failed. Please check the configuration”

Follow every step in the guide above again, and then run the following PowerShell command again:

Update-AdfsRelyingPartyTrust -TargetName "Holm Security"

  • If you get the following error: “The Message of the Response is not signed and the SP require it”

Run the following PowerShell commands:

  1. Get-AdfsRelyingPartyTrust -Identifier https://sc.holmsecurity.com/sso/metadata | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
  2. Set-AdfsRelyingPartyTrust -TargetName "Holm Security" -SamlResponseSignature "MessageAndAssertion"

  • If you get the following error in Event Viewer:

"Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256."

Change the secure hash algorithm to SHA-1:

  1. Open AD FS Management.
  2. Go to the folder “Relying Party Trusts”.
  3. Right-click on the trust and click on “Properties”.
  4. Click on the “Advanced” tab.
  5. Select Secure hash algorithm: “SHA-1”.
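Each FAQ entry above maps to a setting on the relying party trust, to the certificate chain, or to an event in the AD FS/Admin log, so the usual diagnosis can be scripted. The following is an added example, not Holm Security's own script, to be run on the ADFS server: it compares the trust with the values this guide sets, verifies that the Holm Security request signing certificate chains to a trusted CA, and lists recent MSIS7093 events together with the algorithm used and the one expected. The function names are assumed here.

```powershell
# Added example, not Holm Security's own script: checks for the FAQ entries above, run on
# the ADFS server. Compares the relying party trust with the values this guide sets,
# verifies the Holm Security certificate chains to a trusted CA, and pulls recent
# MSIS7093 signature-algorithm events from the AD FS/Admin log. Function names are mine.

function Test-HolmRelyingPartyTrust {
    param([string]$Identifier = 'https://sc.holmsecurity.com/sso/metadata')
    $Rp = Get-AdfsRelyingPartyTrust -Identifier $Identifier
    if (-not $Rp) { throw "No relying party trust with identifier $Identifier" }

    # Expected values come from "Edit Relying Party Trust" and "Run PowerShell" above.
    $Expected = [ordered]@{
        Enabled                              = $true
        SamlResponseSignature                = 'MessageAndAssertion'                        # "Response is not signed" FAQ
        SignatureAlgorithm                   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' # MSIS7093 FAQ
        SigningCertificateRevocationCheck    = 'None'
        EncryptionCertificateRevocationCheck = 'None'
    }
    foreach ($Name in $Expected.Keys) {
        [pscustomobject]@{
            Check    = $Name
            Expected = "$($Expected[$Name])"
            Actual   = "$($Rp.$Name)"
            Ok       = "$($Rp.$Name)" -eq "$($Expected[$Name])"
        }
    }

    # "Signature validation failed" FAQ: the request signing certificate must chain to a trusted CA.
    foreach ($Cert in $Rp.RequestSigningCertificate) {
        $Trusted = $Cert.Verify()
        [pscustomobject]@{
            Check    = "Certificate trusted: $($Cert.Subject)"
            Expected = 'True'
            Actual   = "$Trusted"
            Ok       = $Trusted
        }
    }
}

function Get-AdfsSignatureAlgorithmMismatches {
    # Event Viewer FAQ: MSIS7093 entries name the algorithm used and the one expected.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MSIS7093' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'SignedWith'; Expression = { [regex]::Match($_.Message, 'signed with signature algorithm (\S+)').Groups[1].Value.TrimEnd('.') } },
            @{ Name = 'Expected';   Expression = { [regex]::Match($_.Message, 'Expected signature algorithm (\S+)').Groups[1].Value.TrimEnd('.') } }
}

Test-HolmRelyingPartyTrust | Format-Table -AutoSize
Get-AdfsSignatureAlgorithmMismatches | Format-Table -AutoSize
```

A row with Ok set to False points at the FAQ entry to apply: SamlResponseSignature to the “not signed” entry, SignatureAlgorithm to the MSIS7093 entry, and a certificate row to the “Signature validation failed” entry.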

 

 
