To set up SSO with Windows Active Directory Federated Services (ADFS), you will need the following:
- An Active Directory domain
- An Active Directory Federation Services deployment
If you don't have an existing ADFS 2.0 setup, you can follow the installation guides in the Microsoft KB articles for Server 2008 and Server 2012 to configure your server.
This guide uses screenshots from Windows Server 2008; the steps are similar for other versions.
Add Beekeeper as a Relying Party
First, you need to establish a two-way trust relationship between ADFS and Beekeeper. To do so, open the ADFS Management Console, and follow the steps below.
- Right-click ADFS 2.0 and select Add Relying Party Trust to open the ‘Add Relying Party Trust Wizard’
- On the wizard ‘Welcome’ page, click Start
- On the ‘Select Data Source’ page, check Import data about the relying party published online or on a local network
- Under ‘Federation metadata address’ enter the SAML metadata URL of your Beekeeper app (e.g. https://your_company.beekeeper.io/saml/sso/metadata.xml; this link is also shown in the admin dashboard under Settings > General > Single Sign-On). The metadata XML file is a standard SAML metadata document that describes your Beekeeper domain as a relying party.
- Click Next
- On the ‘Specify Display Name’ page, set the display name for the relying party (e.g. Beekeeper) and click Next
- On the ‘Choose Issuance Authorization Rules’ page, check Permit all users to access this relying party and click Next
- On the ‘Ready to Add Trust’ page, review your settings and click Next
- On the ‘Finish’ page, check the option for Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close
You are now done with configuring Beekeeper as a relying party. The next sections detail how to configure your claims to populate your users’ profiles in Beekeeper.
Configuring the SAML Name ID claim rule
The SAML Name ID will be used to match user accounts between Beekeeper and ADFS. The steps below outline how to set the Windows Account name as the SAML Name ID.
To set up the Name ID claim rule, head to the ADFS Management Console and follow the steps below:
- Under ‘Relying Party Trusts’, click on the entry for Beekeeper (created in the previous section) and select Edit Claim Rules
- In the ‘Edit Claim Rules for Beekeeper’ dialog box, click Add Rule to open the ‘Add Transform Claim Rule Wizard’
- On the ‘Select Rule Template’ page, select Transform an Incoming Claim from the claim rule template dropdown, and click Next
- On the ‘Configure Rule’ page, use the following settings:
  - Claim rule name: NameId
  - Incoming claim type: Windows Account Name
  - Outgoing claim type: Name ID
  - Outgoing name ID format: Persistent Identifier
  - Pass through all claim values: checked
- Click Finish
Creating additional claim rules
With claim rules, you can populate a user’s Beekeeper profile fields with values from ADFS. Values such as NameId, email, first name and last name are populated by default, but with claim rules you can also map other custom fields, such as position or department. Note: make sure that those custom fields have been created as a Profile Field in the Beekeeper Dashboard.
To set up additional claim rules, follow the steps below.
- In the ADFS Management Console, under ‘Relying Party Trusts’, click on the entry for Beekeeper and select Edit Claim Rules
- In the ‘Edit Claim Rules for Beekeeper’ dialog box, click Add Rule to open the ‘Add Transform Claim Rule Wizard’
- On the ‘Select Rule Template’ page, select Send LDAP Attributes as Claims from the claim rule template dropdown, and click Next
- On the ‘Configure Rule’ page, use the following settings:
  - Claim rule name: Beekeeper Profile
  - Attribute store: Active Directory
  - Mapping of LDAP attributes: these mappings determine which fields are sent from ADFS to Beekeeper. ‘LDAP Attribute’ is the Active Directory attribute, and ‘Outgoing Claim Type’ is the placeholder of a Beekeeper profile field (e.g. firstname, email, position). Note: make sure that custom fields have been created as a Profile Field in the Beekeeper Dashboard.
- Click Finish
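The three ADFS-side procedures above (relying party trust, Name ID rule, LDAP attribute rule) can also be applied from PowerShell. The script below is an added example, not part of the Beekeeper article or its product; it assumes the AD FS PowerShell module of Windows Server 2012 or later, a placeholder Beekeeper hostname, and an LDAP attribute list (givenName, sn, mail, title) that you must match to your own directory schema.

```powershell
# Added example (not from the Beekeeper article). Run in an elevated prompt on the
# federation server with the AD FS module (Server 2012+). ADFS 2.0 on Server 2008
# exposes the same cmdlet names through the Microsoft.Adfs.PowerShell snap-in.
Import-Module ADFS

# Placeholder: replace with your own Beekeeper metadata URL.
$metadataUrl = 'https://your_company.beekeeper.io/saml/sso/metadata.xml'

# 'Choose Issuance Authorization Rules' -> Permit all users to access this relying party
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Rule 1 ('Transform an Incoming Claim'): Windows Account Name -> persistent Name ID.
# Rule 2 ('Send LDAP Attributes as Claims'): AD attributes -> Beekeeper profile fields.
# The outgoing types in rule 2 are Beekeeper profile field placeholders; the LDAP
# attribute list before the "{0}" is an assumption and must match your schema.
$transformRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "NameId"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

@RuleTemplate = "LdapClaims"
@RuleName = "Beekeeper Profile"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("firstname", "lastname", "email", "position"),
          query = ";givenName,sn,mail,title;{0}", param = c.Value);
'@

# 'Add Relying Party Trust Wizard': import the Beekeeper SAML metadata from the URL and
# attach both rule sets. Monitoring keeps the trust current if the published metadata changes.
Add-AdfsRelyingPartyTrust -Name 'Beekeeper' `
    -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check what was imported: the relying party identifier, SAML endpoints and the rules.
Get-AdfsRelyingPartyTrust -Name 'Beekeeper' |
    Select-Object Identifier, SamlEndpoints, IssuanceTransformRules
```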
Configuring Beekeeper with the IdP metadata
Once you have set up Beekeeper as a relying party in ADFS, you will need to configure Beekeeper to accept logins from ADFS.
- Download the SAML metadata file from your ADFS server (the URL should look similar to https://your_server/FederationMetadata/2007-06/FederationMetadata.xml)
- In the Beekeeper admin dashboard, navigate to Settings > General > Single Sign-On
- Copy the contents of the metadata file into the appropriate field and click Save
Congratulations! Your users can now log in to Beekeeper with Active Directory (via ADFS) as the identity provider (IdP).