Save as PDF

AD FS 2.0 SAML Configuration

Overview

SAML Authentication is a paid add-on feature and must be enabled prior to use. Contact your account manager, or accountmanagers@responsive.io, to enable it.

Responsive uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML) 2.0, and supports SAML Authentication.

  • Our SSO implementation integrates easily with any large identity provider that supports SAML 2.0.
  • The connection between AD FS and Responsive is defined using a Relying Party Trust (RPT).

To configure Responsive in AD FS, you must first add a RPT, configure the claim issuance policy, and add SAML assertion end points; then, you can make the necessary configurations from the Responsive application.

Select the applicable tab for your edition of Responsive.

  • Adding a Relying Party Trust

    1. From the AD FS section in the left navigation pane, click Relying Party Trusts.
    2. From the Actions section in the left navigation bar, click Add Relying Party Trust.
      mceclip0.png
      Note: Alternatively, you can right-click Relying Party Trusts from the left navigation bar and select Add Relying Party Trust.
      mceclip1.png
    3. In the Add Relying Party Trust WizardWelcome screen, select Claims Aware and click Start.
    4. The Select Data Source screen displays. Select Enter data about the relying party manually and click Next.
      mceclip2.png
    5. The Specify Display Name screen will be displayed. Enter a display name that you will recognize in the future.
      mceclip3.png
    6. Enter any required notes, then click Next.
    7. The Configure Certificate screen will be displayed. Click Next.
      mceclip4.png
    8. The Configure URL screen will be displayed. Check the Enable Support for the SAML 2.0 WebSSO protocol box.
      mceclip5.png
    9. Enter the following in the Relying Party SAML 2.0 SSO service URL field: https://app.rfpio.com/rfpserver/login/handle-saml-response/<DefaultRelayState>.
      Note: Replace the value in the <Default Relay State> above with the real Default Relay State value located in Responsive Organization Settings > Security > SSO.
      mceclip6.png
    10. Click Next. The Configure Identifiers page will be displayed.
    11. Type https://www.rfpio.com in the Relying party trust identifiers field and click Add. The added value will be displayed as shown below.
      mceclip7.png
    12. Click Next. The Choose Access Control Policy page will be displayed.
    13. Select Permit everyone and click Next.
      mceclip8.png
    14. The Ready to Add Trust page will be displayed. Click Next.
      mceclip9.png
    15. The Finish page will be displayed. Check the Configure claim issuance policy for this application box.
      mceclip10.png
    16. Click Close. The newly created relying party trusts will be displayed as shown below:
      mceclip11.png

    Creating a Claim Issuance Policy

    Once the relying party trust has been created, you can configure the claim issuance policy.

    1. In the AD FS page, click on the newly created RPT.
    2. In the right navigation pane, click Edit Claim Issuance Policy under the Responsive section.
      mceclip12.png
    3. The Edit Claim Issuance Policy for Responsive pop-up will be displayed. Click Add Rule.
      mceclip13.png
    4. The Select Rule Template page will be displayed. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list.
      mceclip14.png
    5. Click Next. The Configure Rule page will be displayed. Select Active Directory from the Attribute Store drop-down list.
    6. Enter the following values In the Mapping of LDAP Attributes to Outgoing Claim Types field:
      LDAP Attribute (Select or Type to add more) Outgoing Claim Type (Select or Type to add more)
      Given-Name first_name
      Surname last_name
      State-Or-Province-Name location
      Telephone-Number phone
      Email-Address Name ID
      Title job_title
    7. Click Finish once the values are added.
      mceclip15.png
    8. The Edit Claim Issuance Policy for Responsive page will be displayed. Click Apply, then click OK.
      mceclip16.png

    Adding SAML Assertion Consumer Endpoints

    1. From the AD FS page, select the RPT name, right-click, and select Properties.
      mceclip42.png
    2. The Responsive Properties pop-up will be displayed. Select Endpoints.
      mceclip43.png
    3. Click Add SAML.
      mceclip44.png
    4. Select Post from the Binding drop-down list.
    5. Select 1 as the Index value.
    6. Enter https://app.rfpio.com/rfpserver/login/handle-saml-response in the Trusted URL field.
      mceclip45.png
      Note: Ensure the Default value is Yes for the 0 index.
      mceclip46.png
    7. Click Apply, then click OK.

    4. Adding Custom Roles in the Claim Issuance Policy (Optional)

    You have the option to add a custom role in the Claim Insurance Policy. A new LDAP attribute must be created prior to mapping custom roles in the Claim Issuance policy.

    1. From the AD FS page, click the RPT name, and then click Edit Claim Issuance Policy from the right navigation pane.
      mceclip34.png
    2. The Edit Claim Issuance Policy for Responsive page will be displayed. Click Edit Rule.
      mceclip35.png
    3. Enter responsiverole in the LDAP Attribute (Select or Type to add more) field, then enter role in the Outgoing Claim Type (Select or Type to add more) field.
      mceclip36.png
    4. Click OK. The Edit Claim Issuance Policy for Responsive page will be displayed.
    5. Click Apply, then click OK.
      mceclip37.png

    Creating New Attributes (Optional)

    Admins can use this feature to create custom user roles.

    1. Press the Windows key + R on your keyboard, then type MMC and click OK.
      mceclip18.png
    2. The Console1 – [Console Root] pop-up will be displayed. Click File and select Add/Remove Snap-in.
      mceclip19.png
    3. The Add or Remove Snap-ins pop-up will be displayed. Select Active Directory Schema from Available snap-ins section and click Add.
      mceclip20.png
    4. Click OK.
      mceclip21.png
    5. From the left navigation pane, click Active Directory Domains and Trusts > Attributes, then right click and select Create Attribute.
      mceclip22.png
    6. The Schema Object Creation pop-up will be displayed. Click Continue.
      mceclip23.png
    7. The Create New Attribute pop-up will be displayed. Enter the values as shown below:
      Common Name responsive_user_role
      LDAP Display Name responsive_user_role
      Unique X500 Object ID Enter the generate Object ID (described from Step 8 below)
      Syntax Unicode String (select from the drop-down)
    8. To generate an Object ID using VBScript (Microsoft Link), open the following link in any web browser, copy the VB script code, and paste it into Notepad: http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06.
    9. Save the notepad file as "OIDGen.vbs" (enclosed with double quotes, else it will be suffixed with .txt after .vbs) name on the C: drive.
    10. Open command prompt and run the following script: Start > Run > Cmd.exe > CScript.exe C:\OIDGen.vbs.
      mceclip24.png
    11. Copy the OID string (dot separated numeric string) and paste it into the Unique X500 Object ID field.
      mceclip25.png
    12. Click OK.
    13. Click Classes from the left navigation pane, the select User, right-click, and select Properties.
      mceclip26.png
    14. The User Properties pop-up will be displayed. Click Attributes, then click Add.
      mceclip27.png
    15. Select the newly created attribute from the Select Schema Object pop-up and click OK.
      mceclip28.png
    16. The selected option will be displayed in User Properties - Optional. Click Apply, then OK.
      mceclip29.png
    17. Open Active Directory Users and Computers (by default, Users will be selected). Click ADFS User, then right-click and select Properties.
      Note: Only Administrators can make these changes.
      mceclip30.png
    18. The ADFS User Properties pop-up will be displayed. Click Attribute Editor, scroll down and select responsiverole, then click Edit.
      mceclip31.png
    19. Specify the role as Manager and click OK.
      mceclip32.png
    20. The value will be updated in the Attributes section. Click Apply and then OK.
      mceclip33.png
    21. Close the Active Directory Users and Computers pop-up.

    Once the custom roles are created, you can add a custom role in the Claim Issuance policy.

    Configuring SAML SSO in Responsive

    1. Go to Organization Settings > Security > SSO.
      • If the SAML SSO feature is not displayed, contact your account manager.
      • Multiple SSOs can be created for a single client instance. If this is required, open a support ticket to enable these.
    2. Turn on the SSO toggle and click Submit.
      mceclip48.png
    3. Click Add New. The Add New SSO section will be displayed as shown below:
      mceclip49.png
    4. Enter ADFS for the name.
    5. Click Choose File and upload the federated metadata file.
      Note: The federated metadata file can be downloaded from https://<server>/federationmetadata/2007-06/federationmetadata.xml.
      mceclip50.png
    6. Click Validate.
    7. Once validated, turn on the ADFS toggle.
      mceclip51.png

    Using SAML to Log In to Responsive

    Users can login to Responsive using SAML in two ways.

    Login Using an Instance Specific URL

    1. Enter the following URL in your browser: https://<server>/adfs/ls/IdpInitiatedSignOn.aspx.
    2. Select the Sign In To One of the Following Sites radio button and select Responsive, then click Continue to Sign In.
      mceclip52.png
    3. Enter the user name and password, then click Log In to go to Responsive.
      mceclip53.png

    Login to app.rfpio.com using SAML

    1. Enter your email.
      mceclip55.png
    2. Click Sign-in Using SAML.
      mceclip56.png
  • Essentials features are subscription-based and may not be available for all users. Contact your account manager, or accountmanagers@responsive.io, for more details.

    Adding a Relying Party Trust

    1. From the AD FS section in the left navigation pane, click Relying Party Trusts.
    2. From the Actions section in the left navigation bar, click Add Relying Party Trust.
      mceclip0.png
      Note: Alternatively, you can right-click Relying Party Trusts from the left navigation bar and select Add Relying Party Trust.
      mceclip1.png
    3. In the Add Relying Party Trust WizardWelcome screen, select Claims Aware and click Start.
    4. The Select Data Source screen displays. Select Enter data about the relying party manually and click Next.
      mceclip2.png
    5. The Specify Display Name screen will be displayed. Enter a display name that you will recognize in the future.
      mceclip3.png
    6. Enter any required notes, then click Next.
    7. The Configure Certificate screen will be displayed. Click Next.
      mceclip4.png
    8. The Configure URL screen will be displayed. Check the Enable Support for the SAML 2.0 WebSSO protocol box.
      mceclip5.png
    9. Enter the following in the Relying Party SAML 2.0 SSO service URL field: https://app.rfpio.com/rfpserver/login/handle-saml-response/<DefaultRelayState>.
      Note: Replace the value in the <Default Relay State> above with the real Default Relay State value located in Responsive Organization Settings > Security > SSO.
      mceclip6.png
    10. Click Next. The Configure Identifiers page will be displayed.
    11. Type https://www.rfpio.com in the Relying party trust identifiers field and click Add. The added value will be displayed as shown below.
      mceclip7.png
    12. Click Next. The Choose Access Control Policy page will be displayed.
    13. Select Permit everyone and click Next.
      mceclip8.png
    14. The Ready to Add Trust page will be displayed. Click Next.
      mceclip9.png
    15. The Finish page will be displayed. Check the Configure claim issuance policy for this application box.
      mceclip10.png
    16. Click Close. The newly created relying party trusts will be displayed as shown below:
      mceclip11.png

    Creating a Claim Issuance Policy

    Once the relying party trust has been created, you can configure the claim issuance policy.

    1. In the AD FS page, click on the newly created RPT.
    2. In the right navigation pane, click Edit Claim Issuance Policy under the Responsive section.
      mceclip12.png
    3. The Edit Claim Issuance Policy for Responsive pop-up will be displayed. Click Add Rule.
      mceclip13.png
    4. The Select Rule Template page will be displayed. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list.
      mceclip14.png
    5. Click Next. The Configure Rule page will be displayed. Select Active Directory from the Attribute Store drop-down list.
    6. Enter the following values In the Mapping of LDAP Attributes to Outgoing Claim Types field:
      LDAP Attribute (Select or Type to add more) Outgoing Claim Type (Select or Type to add more)
      Given-Name first_name
      Surname last_name
      State-Or-Province-Name location
      Telephone-Number phone
      Email-Address Name ID
      Title job_title
    7. Click Finish once the values are added.
      mceclip15.png
    8. The Edit Claim Issuance Policy for Responsive page will be displayed. Click Apply, then click OK.
      mceclip16.png

    Adding SAML Assertion Consumer Endpoints

    1. From the AD FS page, select the RPT name, right-click, and select Properties.
      mceclip42.png
    2. The Responsive Properties pop-up will be displayed. Select Endpoints.
      mceclip43.png
    3. Click Add SAML.
      mceclip44.png
    4. Select Post from the Binding drop-down list.
    5. Select 1 as the Index value.
    6. Enter https://app.rfpio.com/rfpserver/login/handle-saml-response in the Trusted URL field.
      mceclip45.png
      Note: Ensure the Default value is Yes for the 0 index.
      mceclip46.png
    7. Click Apply, then click OK.

    4. Adding Custom Roles in the Claim Issuance Policy (Optional)

    You have the option to add a custom role in the Claim Insurance Policy. A new LDAP attribute must be created prior to mapping custom roles in the Claim Issuance policy.

    1. From the AD FS page, click the RPT name, and then click Edit Claim Issuance Policy from the right navigation pane.
      mceclip34.png
    2. The Edit Claim Issuance Policy for Responsive page will be displayed. Click Edit Rule.
      mceclip35.png
    3. Enter responsiverole in the LDAP Attribute (Select or Type to add more) field, then enter role in the Outgoing Claim Type (Select or Type to add more) field.
      mceclip36.png
    4. Click OK. The Edit Claim Issuance Policy for Responsive page will be displayed.
    5. Click Apply, then click OK.
      mceclip37.png

    Creating New Attributes (Optional)

    Admins can use this feature to create custom user roles.

    1. Press the Windows key + R on your keyboard, then type MMC and click OK.
      mceclip18.png
    2. The Console1 – [Console Root] pop-up will be displayed. Click File and select Add/Remove Snap-in.
      mceclip19.png
    3. The Add or Remove Snap-ins pop-up will be displayed. Select Active Directory Schema from Available snap-ins section and click Add.
      mceclip20.png
    4. Click OK.
      mceclip21.png
    5. From the left navigation pane, click Active Directory Domains and Trusts > Attributes, then right click and select Create Attribute.
      mceclip22.png
    6. The Schema Object Creation pop-up will be displayed. Click Continue.
      mceclip23.png
    7. The Create New Attribute pop-up will be displayed. Enter the values as shown below:
      Common Name responsive_user_role
      LDAP Display Name responsive_user_role
      Unique X500 Object ID Enter the generate Object ID (described from Step 8 below)
      Syntax Unicode String (select from the drop-down)
    8. To generate an Object ID using VBScript (Microsoft Link), open the following link in any web browser, copy the VB script code, and paste it into Notepad: http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06.
    9. Save the notepad file as "OIDGen.vbs" (enclosed with double quotes, else it will be suffixed with .txt after .vbs) name on the C: drive.
    10. Open command prompt and run the following script: Start > Run > Cmd.exe > CScript.exe C:\OIDGen.vbs.
      mceclip24.png
    11. Copy the OID string (dot separated numeric string) and paste it into the Unique X500 Object ID field.
      mceclip25.png
    12. Click OK.
    13. Click Classes from the left navigation pane, the select User, right-click, and select Properties.
      mceclip26.png
    14. The User Properties pop-up will be displayed. Click Attributes, then click Add.
      mceclip27.png
    15. Select the newly created attribute from the Select Schema Object pop-up and click OK.
      mceclip28.png
    16. The selected option will be displayed in User Properties - Optional. Click Apply, then OK.
      mceclip29.png
    17. Open Active Directory Users and Computers (by default, Users will be selected). Click ADFS User, then right-click and select Properties.
      Note: Only Administrators can make these changes.
      mceclip30.png
    18. The ADFS User Properties pop-up will be displayed. Click Attribute Editor, scroll down and select responsiverole, then click Edit.
      mceclip31.png
    19. Specify the role as Manager and click OK.
      mceclip32.png
    20. The value will be updated in the Attributes section. Click Apply and then OK.
      mceclip33.png
    21. Close the Active Directory Users and Computers pop-up.

    Once the custom roles are created, you can add a custom role in the Claim Issuance policy.

    Configuring SAML SSO in Responsive

    1. Go to Organization Settings > Security > SSO.
      • If the SAML SSO feature is not displayed, contact your account manager.
      • Multiple SSOs can be created for a single client instance. If this is required, open a support ticket to enable these.
    2. Turn on the SSO toggle and click Submit.
      mceclip48.png
    3. Click Add New. The Add New SSO section will be displayed as shown below:
      mceclip49.png
    4. Enter ADFS for the name.
    5. Click Choose File and upload the federated metadata file.
      Note: The federated metadata file can be downloaded from https://<server>/federationmetadata/2007-06/federationmetadata.xml.
      mceclip50.png
    6. Click Validate.
    7. Once validated, turn on the ADFS toggle.
      mceclip51.png

    Using SAML to Log In to Responsive

    Users can login to Responsive using SAML in two ways.

    Login Using an Instance Specific URL

    1. Enter the following URL in your browser: https://<server>/adfs/ls/IdpInitiatedSignOn.aspx.
    2. Select the Sign In To One of the Following Sites radio button and select Responsive, then click Continue to Sign In.
      mceclip52.png
    3. Enter the user name and password, then click Log In to go to Responsive.
      mceclip53.png

    Login to app.rfpio.com using SAML

    1. Enter your email.
      mceclip55.png
    2. Click Sign-in Using SAML.
      mceclip56.png

Was this article helpful?

/