Configuring SSO Using SAML Authentication and AD FS 2.0

Version 1

    Details

    PROBLEM
    This article explains how to configure Single Sign-On (SSO) using SAML Authentication and AD FS 2.0 in LiveTime 8.5+.

    ENVIRONMENT
    LiveTime 8.5+
    Active Directory Federation Services (AD FS) 2.0

    The following example URLs are used throughout this article; replace them with the values that match your environment:
    AD FS 2.0 Server URL: https://adfs.example.com
    IDP URL: https://adfs.example.com/adfs/ls

    Prerequisites:
  • LiveTime is deployed on a server that is Secure Sockets Layer (SSL) enabled
  • AD FS 2.0 with supported Windows Server Operating System (http://www.microsoft.com/en-us/download/details.aspx?id=10909)
  • The Java Runtime Environment (JRE) must contain the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (http://www.oracle.com/technetwork/java/javase/downloads/index.html)

    RESOLUTION
    Export AD FS 2.0 Token-signing Certificate:
  • Open AD FS 2.0
  • Go to AD FS 2.0 >> Service >> Certificates folder
  • Double-click the Token-signing certificate (or right-click it and select View)
  • Go to Details tab and click Copy to File
  • Click Next
  • Select DER encoded binary X.509 (.CER) and click Next
  • Click Browse, name the file (e.g. ADFS_Token), save the certificate and click Next
  • Click Finish

    Convert the AD FS 2.0 Token-signing Certificate from DER to PEM format:
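
    The conversion step itself is not spelled out above. The following Python script is an added example (not part of the article or of LiveTime) that wraps the exported DER file as a PEM certificate, the form LiveTime's Certificate page expects to be pasted; the DER bytes in the block are a constructed stand-in, not a real certificate, and the file names are assumed.

```python
import base64
import sys
import textwrap

# Constructed stand-in for the bytes of the exported ADFS_Token.cer: a DER
# certificate is an ASN.1 SEQUENCE, so the file starts with tag byte 0x30.
# This is not a real certificate; it only lets the block run offline.
SAMPLE_DER = bytes([0x30, 0x82, 0x03, 0x1A, 0x30, 0x82, 0x02, 0x02]) + bytes(range(120))

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_to_pem(der: bytes) -> str:
    """Wrap DER certificate bytes as PEM: base64 body, 64 characters per line."""
    if not der or der[0] != 0x30:
        # Not an ASN.1 SEQUENCE: probably a Base-64 (.CER) export or the wrong file.
        raise ValueError("input does not look like a DER-encoded X.509 certificate")
    body = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to confirm the conversion lost nothing."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("missing PEM certificate header or footer")
    return base64.b64decode("".join(lines[1:-1]))


if __name__ == "__main__":
    # Usage: python der_to_pem.py ADFS_Token.cer ADFS_Token.pem
    # OpenSSL equivalent: openssl x509 -inform DER -in ADFS_Token.cer -out ADFS_Token.pem
    with open(sys.argv[1], "rb") as src:
        der_bytes = src.read()
    pem_text = der_to_pem(der_bytes)
    if pem_to_der(pem_text) != der_bytes:
        raise SystemExit("round-trip check failed; PEM output not written")
    with open(sys.argv[2], "w") as dst:
        dst.write(pem_text)
    print(pem_text)
```

Paste the whole output, including the BEGIN and END lines, into the LiveTime Certificate page in the next section.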

    Import AD FS 2.0 Token-signing Certificate (PEM format) in LiveTime:
  • Log in to LiveTime with the Administrator role
  • Go to Admin Portal >> Setup >> Advanced >> Certificate and click New
  • Type a Host Name (e.g. AD FS 2.0) and paste the AD FS 2.0 Token-signing Certificate (PEM format)
  • Click Save

    Configure Single Sign On (SSO) in LiveTime:
  • Log in to LiveTime with the Administrator role
  • Go to Admin Portal >> Setup >> Advanced >> Single Sign On
  • Click Edit and set SAML Authentication to On
  • Type the IDP URL https://adfs.example.com/adfs/ls and select the AD FS 2.0 certificate imported in the previous section
  • Click Save
  • Download SP Metadata

    Configure Relying Party Trusts and Claim Rules in AD FS 2.0:
  • Open AD FS 2.0
  • Go to AD FS 2.0 >> Trust Relationships >> Relying Party Trusts
  • Click Add Relying Party Trust:
    • The Add Relying Party Trust Wizard opens; click Start
    • Select Import data about the relying party from a file, browse to the SP Metadata downloaded in the previous section and click Next
    • Type a Display name (e.g. LiveTime) and notes (optional), then click Next
    • Select Permit all users to access this relying party and click Next
    • Click Next
    • Click Finish
  • Select the newly created Relying Party Trust under AD FS 2.0 >> Trust Relationships >> Relying Party Trusts and click Properties
  • Go to the Advanced tab, select SHA-1 for Secure hash algorithm and click OK
  • Select the newly created Relying Party Trust under AD FS 2.0 >> Trust Relationships >> Relying Party Trusts and click Edit Claim Rules:
    • Go to Issuance Transform Rules and click Add Rule
    • The Add Transform Claim Rule Wizard opens; select Send LDAP Attributes as Claims and click Next
    • Fill in the Claim rule name (e.g. LDAP) and select Active Directory as the Attribute Store
    • Add the following in Mapping of LDAP attributes to outgoing claim types:
      • LDAP Attribute: E-Mail-Addresses | Outgoing Claim Type: E-Mail Address
      • LDAP Attribute: Given-Name | Outgoing Claim Type: Given Name
      • LDAP Attribute: Surname | Outgoing Claim Type: Surname
    • Click Finish
    • Click Add Rule
    • The Add Transform Claim Rule Wizard opens; select Transform an Incoming Claim and click Next
    • Fill in the Claim rule name (e.g. Transform) and select as follows:
      • Incoming claim type: E-Mail Address
      • Outgoing claim type: Name ID
      • Outgoing name ID format: Email
    • Select Pass through all claim values
    • Click OK
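
    To confirm that the two claim rules produce what LiveTime expects, the following added Python check (not part of the article or of LiveTime) parses an assertion in the shape AD FS issues under these rules and reports a NameID that is not in Email format, a NameID that does not equal the E-Mail Address claim, or a missing attribute. The assertion in the block is constructed for the example, with the signature and conditions omitted; a real one can be captured from the browser's SAML response during a test login.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_CLAIM = CLAIMS + "emailaddress"
# Claim types AD FS emits for the three LDAP attributes mapped in the rule above.
REQUIRED_CLAIMS = {EMAIL_CLAIM, CLAIMS + "givenname", CLAIMS + "surname"}

# Constructed assertion as AD FS would issue it with the rules above (signature
# and conditions omitted; issuer and user are example values, not captured data).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_claims(assertion_xml: str) -> list:
    """Return mismatches against the configured claim rules; an empty list means all is as expected."""
    problems = []
    root = ET.fromstring(assertion_xml)
    # Map each claim type to its list of values.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID: the Transform an Incoming Claim rule did not fire")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID format is {name_id.get('Format')}, expected Email")
        if EMAIL_CLAIM in attrs and name_id.text not in attrs[EMAIL_CLAIM]:
            problems.append("NameID value does not equal the E-Mail Address claim")
    for claim in sorted(REQUIRED_CLAIMS - set(attrs)):
        problems.append(f"missing claim {claim}: check the Send LDAP Attributes rule")
    return problems


if __name__ == "__main__":
    print(check_claims(SAMPLE_ASSERTION) or "assertion matches the configured claim rules")
```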

    Add IdP domain in Local intranet (or Trusted sites) on Client Computers:
  • Go to Control Panel >> Network and Internet >> Internet Options >> Security tab
  • Select Local intranet and click Sites
  • Click Advanced and Add https://adfs.example.com
  • Click Close

    Go to the LiveTime Login page and click the SAML 2.0 Authenticate link to log in.

    ADDITIONAL INFORMATION
    If your Firefox or Chrome users are repeatedly prompted for credentials, please visit http://support.microsoft.com/en-us/kb/2709891

     

