Enable Single Sign On via ADFS

  • Updated
Table of Contents:

This article describes the procedure for configuring single sign-on via ADFS with Resolution Intelligence Cloud.

ADFS single sign-on allows you to login to Resolution Intelligence Cloud by configuring ADFS as an identity provider. This guide provides you with step-by-step instructions on how to set up a single sign-on through ADFS. Here, ADFS acts as an identity provider, and your app or website will be considered a service provider with Resolution Intelligence Cloud as an intermediate agent. 

Important: Refer to this article for details on how to reset MFA for a specific user if the user lost an MFA-enabled device.

Prerequisites

  • Admin in Resolution Intelligence Cloud 
  • ADFS Administrator access through your organization to process Single-Sign-On correctly

Add a Relying Party Trust

  1. Open the ADFS Management Console.
  2. On the right side of the console, click Add Relying Party Trust.
  3. Click Start.
  4. Select Enter data about the relying party manually and click Next.
  5. Type a name (yourAppName) and click Next.
  6. Use the default (ADFS 2.0 profile) and click Next.
  7. Use the default (no encryption certificate) and click Next.
  8. Check Enable support for the WS-Federation... and type this value in the textbox: https://auth.netenrich.com/login/callback.
  9. Click Next.
  10. Add a Relying Party Trust identifier with this value: urn:auth0:prod-netenrich:companynameadfs
    NOTE: For “companyname”, type your company name, this can be any name to uniquely identify the connection. Later this name will be used to configure the ADFS connection in Resolution Intelligence Cloud
  11. Click Add, and then Next.
  12. Leave the default Permit all users... and click Next.
  13. Click Next, and then Close.

Add a claim issuance policy rule

  1. If you're using Windows Server 2019, the Edit Claim Issuance Policy dialog box automatically opens when you finish the Add Relying Party Trust wizard. If you're using Windows 2012 or 2016, follow these below steps
In Windows Server 2012 In Windows Server 2016
In the Actions panel on the right side of the console, find the Relying Party Trust you just created. Beneath it, click Edit Claim Issuance Policy. In the console tree, under ADFS, click Relying Party Trusts. On the right side of the console, find the Relying Party Trust you just created. Right-click it and click Edit Claim Issuance Policy.

2. In the Edit Claim Issuance Policy Window, under Issuance Transform Rules, click Add Rule....

3. Leave the default Send LDAP Attributes as Claims.

4. Give the rule a name that describes what it does.

5. Under Attribute Store, select Active Directory.

6. Select these mappings under Mapping of LDAP attributes to outgoing claim types and click Finish.

LDAP Attribute Outgoing Claim Type
E-Mail-Address E-Mail Address
Display-Name Name
User-Principal-Name Name ID
Given-Name Given Name
Surname Surname

Configuring ADFS in Resolution Intelligence Cloud

To configure ADFS,

  1. From Resolution Intelligence home screen, click Configurations --> Authentication in the left menu
  2. Click Setup Provider under the ADFS tile
    A new ADFS Connection form appears
  3. Enter the following fields and click Create at the bottom of screen

Field

Description

Connection name

A logical identifier for your connection; it must be unique. Once set, this name can't be changed.

Display Name

A name is assigned to your connection to display it on screen

ADFS URL

Get the ADFS Federation Metadata by using this URL:
https://< ADFS_Server_Name >/federationmetadata/2007-06/federationmetadata.xml.

Identity Provider Domains

Enter a list of trusted domains which you want to identify as identity providers

Sync user profile attributes at each login

When enabled, Resolution Intelligence Cloud automatically syncs user profile data with each user login, thereby ensuring that changes made in the connection source are automatically updated in Resolution Intelligence Cloud.

Email Verification

Choose how Resolution Intelligence Cloud sets the email_verified field in the user profile.
Multifactor Authentication  Multi-Factor Authentication (MFA) can be enabled or disabled at any point during or after setting up the Single Sign-On (SSO) connection. It is important to note that MFA functionality is exclusive to the SSO connection and applies solely to users logging in via the domain specified under "identity provider domains." By default, MFA is disabled. To activate it, tick mark the checkbox labelled "Enable MFA while user login."

You have established ADFS connection successfully

Invite User with SSO Integration

  1. For users to be able to login using SSO, they must be re-invited using the SSO connection.
  2. An existing owner or global admin user with local authentication can login, add a new user with the owner role by enabling the newly created SSO integration in Resolution Intelligence Cloud.

3. A newly invited user will be redirected to ADFS for authentication.

4. For existing users with local authentication, users must be deleted and re-invited using an SSO connection."

Related articles

Comments

0 comments

Please sign in to leave a comment.