SAML 2.0 integration for Microsoft ADFS
This documentation describes the information Agendize needs in order to enable single sign-on (SSO) for your users into the Agendize backoffice, based on the SAML 2.0 protocol, using their credentials in Microsoft Active Directory Federation Services (ADFS).
Contact us if you are interested in setting up SAML on Agendize for your business.
Note: your users' logins must always be email addresses.
Overview
Here are the basic steps involved in the authorization workflow:
- The user tries to access the Agendize backoffice.
- Their web browser receives a redirect to your authentication server (ADFS).
- The user provides their credentials to log into your server.
- Your server generates a SAML authentication response for the user's login, including group memberships and the related roles in the Agendize backoffice.
- Their web browser transfers the response back to Agendize.
- The Agendize backoffice places the user in the proper context, matching their role and privileges.
Requirements for SSO integration
1. Collect IDP (Identity Provider) data from Microsoft ADFS
Parameters
The following information must be provided for the setup:
- entity-id: identifier of the service configured on your ADFS server for the SSO service to Agendize
  - Example: https://XXXXXXXXX.XXX/adfs/ls/
- sso-binding
  - Example: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
- sso-url
  - Example: https://XXXXXXXXX.XXX/adfs/ls/
- authn-context: authentication mode for your users (see https://msdn.microsoft.com/en-us/library/hh599318.aspx)
  - Example: urn:federation:authentication:windows
- x509cert: fingerprint of your token-signing certificate
  - See AD FS 2.0 Management > Service > Certificates > Token-Signing
Convert the Token-Signing certificate to PEM
The exported token-signing certificate (DER format) has to be converted to PEM format:
openssl x509 -inform DER -in certificate.cer -out certificate.pem -text
2. Configure SAML authentication on your Active Directory server
The following metadata file is provided beforehand so that you can configure the SSO service on your side. It must be declared on your Microsoft ADFS server:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT604800S" entityID="saml:agendize" ID="SP_a1107b59-5553-4028-82f3-b1c57356de4c">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://app.agendize.com/sso-login?method=logout&amp;provider=SAMLYOURCOMPANY"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.agendize.com/sso-login?method=login&amp;provider=SAMLYOURCOMPANY" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Note: a callback URL is assigned to your company to receive the SAML responses sent back by your server. The callback URL has the following pattern: https://app.agendize.com/apps.YOURCOMPANY/callback.jsp
3. Match the ADFS data schema with the SAML 2.0 user properties and groups
User information
Here are the names of the user properties expected in your SAML responses:
- firstname
  - Possible mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- lastname
- email (mandatory)
  - Possible mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- groups
  - Possible mapping: http://schemas.xmlsoap.org/claims/Group
The mapping between your data schema and these property names is configured on your ADFS server (see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization).
Assign your users to specific groups depending on their role in Agendize backoffice
Here are the group IDs that can be assigned to your users, depending on the privileges they need on the Agendize platform:
Group ID | Description
ACCOUNT_ADMINISTRATOR | Account administrator
ACCOUNT_ANALYTICS | Account statistics manager
ACCOUNT_BILLING | Account billing manager
ACCOUNT_BUTTONS | Account buttons manager
ACCOUNT_SCHEDULING_ADMINISTRATOR | Scheduling administrator
ACCOUNT_SCHEDULING_READER | Scheduling viewer
ACCOUNT_SCHEDULING_SCHEDULDER | Scheduling manager
CALLS | Calls manager
CRM | CRM manager
EMAILS | Email marketing manager
FORMS | Forms manager
QUEUE | Queue manager
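As an added example (not Agendize's or ADFS's own code) of the claim-to-property mapping in step 3 and of the group table above, the following Python reads the AttributeStatement of a constructed, already signature-verified assertion, maps the claim URIs listed on this page to the expected user properties, enforces the mandatory email property, and rejects any group ID that is not in the table. The sample names and values are made up; signature and audience validation are assumed to have been done beforehand by your SAML library.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim URIs listed on this page, mapped to the user properties Agendize expects.
CLAIM_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "firstname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/claims/Group": "groups",
}
# Group IDs from the table above; any other value in the Group claim is rejected.
KNOWN_GROUPS = {
    "ACCOUNT_ADMINISTRATOR", "ACCOUNT_ANALYTICS", "ACCOUNT_BILLING", "ACCOUNT_BUTTONS",
    "ACCOUNT_SCHEDULING_ADMINISTRATOR", "ACCOUNT_SCHEDULING_READER",
    "ACCOUNT_SCHEDULING_SCHEDULDER", "CALLS", "CRM", "EMAILS", "FORMS", "QUEUE",
}

def extract_user(assertion_xml: str) -> dict:
    """Map the AttributeStatement of a signature-verified assertion to Agendize
    user properties; raise ValueError if the mandatory email or a group is invalid."""
    root = ET.fromstring(assertion_xml)
    user = {"groups": []}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        prop = CLAIM_MAP.get(attr.get("Name"))
        if prop is None:
            continue  # claims not in the mapping are ignored, never trusted
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if prop == "groups":
            user["groups"].extend(values)
        elif values:
            user[prop] = values[0]
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", user.get("email", "")):
        raise ValueError("email claim is mandatory and must be an email address")
    unknown = set(user["groups"]) - KNOWN_GROUPS
    if unknown:
        raise ValueError(f"unknown Agendize group(s): {sorted(unknown)}")
    return user

# Constructed sample assertion body (not a real ADFS response); signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<saml:AttributeValue>ACCOUNT_SCHEDULING_READER</saml:AttributeValue>
<saml:AttributeValue>CRM</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```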