This topic will walk you through how to set up an ADFS SSO/SAML Integration. This includes how to set up ADFS in Ironclad and create a claim rule.
Requirements
To use ADFS to log in to your Ironclad instance, you must have the following components:
- An Active Directory instance where all users have an email address attribute (first name, last name, and title is recommended)
- An IdP configuration XML file to upload into Ironclad. Uploading it automatically fills in the Single Sign-On Service and SAML metadata XML settings that Ironclad requires.
Set Up ADFS in Ironclad
- Export the ADFS 2.0 Metadata XML file. To do this, in your Graphical User Interface (GUI):
  - In your web browser, enter https://ADFSServerName/FederationMetadata/2007-06/FederationMetadata.xml in the address bar, replacing "ADFSServerName" with your ADFS server's name.
  - Navigate to the File menu and click Save As.
  - Enter a name for the XML file and click Save.
- In Ironclad, click on your profile icon located in the top right corner. Navigate to Company Settings > Integrations > SAML.
- Click Add SAML Configuration.
- Under IdP Configuration XML, click Choose File. Upload your ADFS 2.0 Metadata XML file. This automatically populates the Entry Point and Identity Provider Certificate information.
- Click Save.
- Scroll up to the SAML configuration section. A link is available for you to download the XML configuration from Ironclad.
- In your ADFS Management, click the Relying Party Trusts folder, and then add a new Standard Relying Party Trust from the actions sidebar.
- Click Start on the Welcome screen.
- Select Import data about the relying party from a file and upload the XML configuration that you downloaded from Ironclad. The Assertion Consumer Service (ACS) and Entity ID fields are populated with the Callback URL and the Identifier from that file. Click Next.
- In the Display name field, enter Ironclad. Enter any notes you want to include. Click Next.
- On the Configure Multi-factor Authentication Now? tab, you can configure multi-factor authentication. This is outside the scope of these instructions. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and then click Next.
- Select Permit all users to access this relying party and click Next.
- On the next two screens, the wizard displays an overview of your settings. Click Next until you reach the Finish screen. Leave Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checked and click Close to open the Claim Rules editor.
Create a Claim Rule
- In the Claim Rules editor, click the Issuance Transform Rules tab, and then click Add Rule.
- Create a Send LDAP Attributes as Claims rule. Click Next.
- From the Attribute store dropdown, select Active Directory and fill in the following:
  - In the LDAP Attribute column, in order, select E-Mail-Addresses, Given-Name, and Surname.
  - In the Outgoing Claim Type column, in order, select email, firstName, and lastName. These must be in camel case exactly as shown.
- Click OK to create the claim rule, and then click OK again to finish creating the rules.
- Your configuration is complete. You can add existing users to the application or invite new users. If you encounter any issues, follow the troubleshooting guide.
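The metadata export, relying party trust and claim rule from the two procedures above can also be created with the ADFS PowerShell module. This is an added example, not part of the Ironclad guide; it assumes it runs on the ADFS server, and the server name and file paths are placeholders you replace.

```powershell
# Added example (not from the Ironclad guide): the GUI steps above, done with the ADFS module.
Import-Module ADFS

$adfsServer   = "adfs.example.com"                   # placeholder: your ADFS server name
$ironcladXml  = "C:\Temp\ironclad-sp-metadata.xml"   # placeholder: XML downloaded from Ironclad
$adfsMetadata = "C:\Temp\adfs-federation-metadata.xml"

# Export the ADFS federation metadata. This is the IdP configuration XML that
# Ironclad asks for under IdP Configuration XML.
Invoke-WebRequest -Uri "https://$adfsServer/FederationMetadata/2007-06/FederationMetadata.xml" `
                  -OutFile $adfsMetadata

# The "Send LDAP Attributes as Claims" rule from the guide, in ADFS claim rule language.
# E-Mail-Addresses, Given-Name and Surname are the LDAP attributes mail, givenName and sn;
# the outgoing claim types must be the camel-case names Ironclad expects.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Ironclad user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "firstName", "lastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Equivalent of "Permit all users to access this relying party". Scoping this rule to an
# AD group instead limits which accounts can sign in to Ironclad through ADFS.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the relying party trust from the Ironclad XML. As with the wizard's
# "Import data about the relying party from a file" step, this fills in the
# Identifier (Entity ID) and the Assertion Consumer Service endpoint.
Add-AdfsRelyingPartyTrust -Name "Ironclad" `
                          -MetadataFile $ironcladXml `
                          -Notes "Ironclad SAML SSO" `
                          -IssuanceTransformRules $transformRules `
                          -IssuanceAuthorizationRules $authzRules

# Check before testing a login: the trust exists, its Identifier came from the Ironclad
# XML, and the three claim types are present in the transform rules.
$trust = Get-AdfsRelyingPartyTrust -Name "Ironclad"
$trust | Select-Object Name, Identifier, Enabled
if ($trust.IssuanceTransformRules -notmatch 'types = \("email", "firstName", "lastName"\)') {
    Write-Warning "email/firstName/lastName claim rule is missing or mistyped; Ironclad will not map users."
}
```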