1. Open the AD FS Management console.
2. Click Add Relying Party Trust… in the Actions pane.
3. On the Welcome step, click Start.
4. Select Import data about the relying party from a file, enter the path to the downloaded service provider metadata, and click Next.
5. Enter a name (for example, Leena AI) for Display name and click Next.
6. Leave the default multi-factor authentication selection and click Next.
7. Select Permit all users to access this relying party and click Next.
8. Review your settings and click Next.
9. Click Close to finish the wizard.
10. The claim rule editor should open by default. If it does not, select your Relying Party Trust and click Edit Claim Rules… in the Actions pane.
11. Create two claim rules by following these steps:
a. Click Add Rule.
b. Select Send LDAP Attributes as Claims for Claim rule template and click Next.
c. Enter a Claim rule name.
d. Select Active Directory for Attribute store.
e. Select E-Mail-Addresses for LDAP Attribute and select E-mail Address for Outgoing Claim Type.
f. Click Finish.
g. Click Add Rule.
h. Select Transform an Incoming Claim for Claim rule template and click Next.
i. Enter a Claim rule name.
j. Select E-Mail Address for Incoming claim type.
k. Select Name ID for Outgoing claim type.
l. Select Email for Outgoing name ID format.
m. Add the other claim rules (Name, First Name, Last Name, Employee Id) in the same way.
n. Click Finish.
12. Double-click on the new Relying Party Trust to open the properties.
13. Select the Encryption tab and click Remove to remove the encryption certificate.
14. Select the Advanced tab and, for Secure hash algorithm, select SHA-256.
15. Share the IdP metadata that AD FS generates.
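The same trust, claim rules and settings as the wizard steps above, as an added PowerShell example (not from the original page or from Leena AI); it assumes an elevated session on the primary AD FS server, the SP metadata saved at C:\temp\leena-sp-metadata.xml, and that First Name / Last Name map to the standard givenname / surname claim types.

```powershell
# Assumptions (not from the original page): metadata path below, and that First Name /
# Last Name use the standard givenname / surname claim types. Run on the primary AD FS server.
Import-Module ADFS

$rpName   = 'Leena AI'
$metadata = 'C:\temp\leena-sp-metadata.xml'   # downloaded SP metadata (assumed path)

# Rule 1: Send LDAP Attributes as Claims (E-Mail-Addresses -> E-mail Address)
# Rule 2: Transform an Incoming Claim (E-mail Address -> Name ID, format = Email)
# Rule 3: Name / First Name / Last Name from AD (displayName, givenName, sn)
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
@RuleTemplate = "LdapClaims"
@RuleName = "Name attributes from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";displayName,givenName,sn;{0}", param = c.Value);
'@

# Issuance authorization: "Permit all users to access this relying party"
# (the same rule the Request Denied troubleshooting step adds by hand)
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from the SP metadata with SHA-256 signing and the rules above
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadata `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Encryption tab -> Remove: clear the encryption certificate imported from the metadata
# (passing $null to clear it is an assumption; verify with the Get-* call below)
Set-AdfsRelyingPartyTrust -TargetName $rpName -EncryptionCertificate $null

# Verify signing algorithm, encryption certificate and authorization rules
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, SignatureAlgorithm, EncryptionCertificate, IssuanceAuthorizationRules

# IdP metadata to share: https://<your-adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml
```

Employee Id has no standard claim type, so add that rule with whatever outgoing claim type the SP expects.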
Receiving InvalidNameIdPolicy Error.
This error is on our end. We need to change the NameID format configured in our database to the Name ID format configured by the IdP.
Receiving Request Denied Error.
This is probably an issue at the ADFS end. Look at the ADFS logs (follow these steps to view them: https://support.robinpowered.com/hc/en-us/articles/115005014143-How-to-check-ADFS-logs-for-SAML-logins). If you see "the caller is not authorized to request a token for the relying party" in the logs, you need to permit that user for the relying party configured in ADFS.
Follow these steps:
ADFS Management -> Relying Party Trusts -> Right-click your relying party -> Edit Claim Rules -> Issuance Authorization Rules -> Add Rule -> Permit access to all users.
Receiving Invalid Signature.
This generally means that the IdP public key (token-signing certificate) configured on the service provider side is wrong.