Overview
SAML Authentication is a paid add-on feature and must be enabled prior to use. Contact your account manager, or accountmanagers@responsive.io, to enable it.
Responsive uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML) 2.0, and supports SAML Authentication.
- Our SSO implementation integrates easily with any large identity provider that supports SAML 2.0.
- The connection between AD FS and Responsive is defined using a Relying Party Trust (RPT).
To configure Responsive in AD FS, you must first add a RPT, configure the claim issuance policy, and add SAML assertion end points; then, you can make the necessary configurations from the Responsive application.
Select the applicable tab for your edition of Responsive.
-
Adding a Relying Party Trust
- From the AD FS section in the left navigation pane, click Relying Party Trusts.
- From the Actions section in the left navigation bar, click Add Relying Party Trust.
Note: Alternatively, you can right-click Relying Party Trusts from the left navigation bar and select Add Relying Party Trust.
- In the Add Relying Party Trust Wizard – Welcome screen, select Claims Aware and click Start.
- The Select Data Source screen displays. Select Enter data about the relying party manually and click Next.
- The Specify Display Name screen will be displayed. Enter a display name that you will recognize in the future.
- Enter any required notes, then click Next.
- The Configure Certificate screen will be displayed. Click Next.
- The Configure URL screen will be displayed. Check the Enable Support for the SAML 2.0 WebSSO protocol box.
- Enter the following in the Relying Party SAML 2.0 SSO service URL field: https://app.rfpio.com/rfpserver/login/handle-saml-response/<DefaultRelayState>.
Note: Replace the value in the <Default Relay State> above with the real Default Relay State value located in Responsive Organization Settings > My Organization > Security > SSO.
- Click Next. The Configure Identifiers page will be displayed.
- Type https://www.rfpio.com in the Relying party trust identifiers field and click Add. The added value will be displayed as shown below.
- Click Next. The Choose Access Control Policy page will be displayed.
- Select Permit everyone and click Next.
- The Ready to Add Trust page will be displayed. Click Next.
- The Finish page will be displayed. Check the Configure claim issuance policy for this application box.
- Click Close. The newly created relying party trusts will be displayed as shown below:
Creating a Claim Issuance Policy
Once the relying party trust has been created, you can configure the claim issuance policy.
- In the AD FS page, click on the newly created RPT.
- In the right navigation pane, click Edit Claim Issuance Policy under the Responsive section.
- The Edit Claim Issuance Policy for Responsive pop-up will be displayed. Click Add Rule.
- The Select Rule Template page will be displayed. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list.
- Click Next. The Configure Rule page will be displayed. Select Active Directory from the Attribute Store drop-down list.
- Enter the following values In the Mapping of LDAP Attributes to Outgoing Claim Types field:
LDAP Attribute (Select or Type to add more) Outgoing Claim Type (Select or Type to add more) Given-Name first_name Surname last_name State-Or-Province-Name location Telephone-Number phone Email-Address Name ID Title job_title - Click Finish once the values are added.
- The Edit Claim Issuance Policy for Responsive page will be displayed. Click Apply, then click OK.
Adding SAML Assertion Consumer Endpoints
- From the AD FS page, select the RPT name, right-click, and select Properties.
- The Responsive Properties pop-up will be displayed. Select Endpoints.
- Click Add SAML.
- Select Post from the Binding drop-down list.
- Select 1 as the Index value.
- Enter https://app.rfpio.com/rfpserver/login/handle-saml-response in the Trusted URL field.
Note: Ensure the Default value is Yes for the 0 index.
- Click Apply, then click OK.
4. Adding Custom Roles in the Claim Issuance Policy (Optional)
You have the option to add a custom role in the Claim Insurance Policy. A new LDAP attribute must be created prior to mapping custom roles in the Claim Issuance policy.
- From the AD FS page, click the RPT name, and then click Edit Claim Issuance Policy from the right navigation pane.
- The Edit Claim Issuance Policy for Responsive page will be displayed. Click Edit Rule.
- Enter responsiverole in the LDAP Attribute (Select or Type to add more) field, then enter role in the Outgoing Claim Type (Select or Type to add more) field.
- Click OK. The Edit Claim Issuance Policy for Responsive page will be displayed.
- Click Apply, then click OK.
Creating New Attributes (Optional)
Admins can use this feature to create custom user roles.
- Press the Windows key + R on your keyboard, then type MMC and click OK.
- The Console1 – [Console Root] pop-up will be displayed. Click File and select Add/Remove Snap-in.
- The Add or Remove Snap-ins pop-up will be displayed. Select Active Directory Schema from Available snap-ins section and click Add.
- Click OK.
- From the left navigation pane, click Active Directory Domains and Trusts > Attributes, then right click and select Create Attribute.
- The Schema Object Creation pop-up will be displayed. Click Continue.
- The Create New Attribute pop-up will be displayed. Enter the values as shown below:
Common Name responsive_user_role LDAP Display Name responsive_user_role Unique X500 Object ID Enter the generate Object ID (described from Step 8 below) Syntax Unicode String (select from the drop-down) - To generate an Object ID using VBScript (Microsoft Link), open the following link in any web browser, copy the VB script code, and paste it into Notepad: http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06.
- Save the notepad file as "OIDGen.vbs" (enclosed with double quotes, else it will be suffixed with .txt after .vbs) name on the C: drive.
- Open command prompt and run the following script: Start > Run > Cmd.exe > CScript.exe C:\OIDGen.vbs.
- Copy the OID string (dot separated numeric string) and paste it into the Unique X500 Object ID field.
- Click OK.
- Click Classes from the left navigation pane, the select User, right-click, and select Properties.
- The User Properties pop-up will be displayed. Click Attributes, then click Add.
- Select the newly created attribute from the Select Schema Object pop-up and click OK.
- The selected option will be displayed in User Properties - Optional. Click Apply, then OK.
- Open Active Directory Users and Computers (by default, Users will be selected). Click ADFS User, then right-click and select Properties.
Note: Only Administrators can make these changes.
- The ADFS User Properties pop-up will be displayed. Click Attribute Editor, scroll down and select responsiverole, then click Edit.
- Specify the role as Manager and click OK.
- The value will be updated in the Attributes section. Click Apply and then OK.
- Close the Active Directory Users and Computers pop-up.
Once the custom roles are created, you can add a custom role in the Claim Issuance policy.
Configuring SAML SSO in Responsive
- Go to Organization Settings > My Organization > Security > SSO/SCIM.
- If the SAML SSO feature is not displayed, contact your account manager.
- Multiple SSOs can be created for a single client instance. If this is required, open a support ticket to enable these.
- Turn on the SSO toggle and click Save.
- Click Add Authentication Method. The New SSO section will be displayed as shown below:
- Enter ADFS for the name.
- Click Upload Configuration File and upload the federated metadata file.
Note: The federated metadata file can be downloaded from https://<server>/federationmetadata/2007-06/federationmetadata.xml.
- Click Validate.
- Once validated, turn on the ADFS toggle.
Using SAML to Log In to Responsive
Users can login to Responsive using SAML in two ways.
Login Using an Instance Specific URL
- Enter the following URL in your browser: https://<server>/adfs/ls/IdpInitiatedSignOn.aspx.
- Select the Sign In To One of the Following Sites radio button and select Responsive, then click Continue to Sign In.
- Enter the user name and password, then click Log In to go to Responsive.
Login to app.rfpio.com using SAML
- Enter your email.
- Click Sign-in Using SAML.
-
Essentials features are subscription-based and may not be available for all users. Contact your account manager, or accountmanagers@responsive.io, for more details.
Adding a Relying Party Trust
- From the AD FS section in the left navigation pane, click Relying Party Trusts.
- From the Actions section in the left navigation bar, click Add Relying Party Trust.
Note: Alternatively, you can right-click Relying Party Trusts from the left navigation bar and select Add Relying Party Trust.
- In the Add Relying Party Trust Wizard – Welcome screen, select Claims Aware and click Start.
- The Select Data Source screen displays. Select Enter data about the relying party manually and click Next.
- The Specify Display Name screen will be displayed. Enter a display name that you will recognize in the future.
- Enter any required notes, then click Next.
- The Configure Certificate screen will be displayed. Click Next.
- The Configure URL screen will be displayed. Check the Enable Support for the SAML 2.0 WebSSO protocol box.
- Enter the following in the Relying Party SAML 2.0 SSO service URL field: https://app.rfpio.com/rfpserver/login/handle-saml-response/<DefaultRelayState>.
Note: Replace the value in the <Default Relay State> above with the real Default Relay State value located in Responsive Organization Settings > My Organization > Security > SSO.
- Click Next. The Configure Identifiers page will be displayed.
- Type https://www.rfpio.com in the Relying party trust identifiers field and click Add. The added value will be displayed as shown below.
- Click Next. The Choose Access Control Policy page will be displayed.
- Select Permit everyone and click Next.
- The Ready to Add Trust page will be displayed. Click Next.
- The Finish page will be displayed. Check the Configure claim issuance policy for this application box.
- Click Close. The newly created relying party trusts will be displayed as shown below:
Creating a Claim Issuance PolicyOnce the relying party trust has been created, you can configure the claim issuance policy.
- In the AD FS page, click on the newly created RPT.
- In the right navigation pane, click Edit Claim Issuance Policy under the Responsive section.
- The Edit Claim Issuance Policy for Responsive pop-up will be displayed. Click Add Rule.
- The Select Rule Template page will be displayed. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list.
- Click Next. The Configure Rule page will be displayed. Select Active Directory from the Attribute Store drop-down list.
- Enter the following values In the Mapping of LDAP Attributes to Outgoing Claim Types field:
LDAP Attribute (Select or Type to add more) Outgoing Claim Type (Select or Type to add more) Given-Name first_name Surname last_name State-Or-Province-Name location Telephone-Number phone Email-Address Name ID Title job_title - Click Finish once the values are added.
- The Edit Claim Issuance Policy for Responsive page will be displayed. Click Apply, then click OK.
Adding SAML Assertion Consumer Endpoints
- From the AD FS page, select the RPT name, right-click, and select Properties.
- The Responsive Properties pop-up will be displayed. Select Endpoints.
- Click Add SAML.
- Select Post from the Binding drop-down list.
- Select 1 as the Index value.
- Enter https://app.rfpio.com/rfpserver/login/handle-saml-response in the Trusted URL field.
Note: Ensure the Default value is Yes for the 0 index.
- Click Apply, then click OK.
4. Adding Custom Roles in the Claim Issuance Policy (Optional)
You have the option to add a custom role in the Claim Insurance Policy. A new LDAP attribute must be created prior to mapping custom roles in the Claim Issuance policy.
- From the AD FS page, click the RPT name, and then click Edit Claim Issuance Policy from the right navigation pane.
- The Edit Claim Issuance Policy for Responsive page will be displayed. Click Edit Rule.
- Enter responsiverole in the LDAP Attribute (Select or Type to add more) field, then enter role in the Outgoing Claim Type (Select or Type to add more) field.
- Click OK. The Edit Claim Issuance Policy for Responsive page will be displayed.
- Click Apply, then click OK.
Creating New Attributes (Optional)
Admins can use this feature to create custom user roles.
- Press the Windows key + R on your keyboard, then type MMC and click OK.
- The Console1 – [Console Root] pop-up will be displayed. Click File and select Add/Remove Snap-in.
- The Add or Remove Snap-ins pop-up will be displayed. Select Active Directory Schema from Available snap-ins section and click Add.
- Click OK.
- From the left navigation pane, click Active Directory Domains and Trusts > Attributes, then right click and select Create Attribute.
- The Schema Object Creation pop-up will be displayed. Click Continue.
- The Create New Attribute pop-up will be displayed. Enter the values as shown below:
Common Name responsive_user_role LDAP Display Name responsive_user_role Unique X500 Object ID Enter the generate Object ID (described from Step 8 below) Syntax Unicode String (select from the drop-down) - To generate an Object ID using VBScript (Microsoft Link), open the following link in any web browser, copy the VB script code, and paste it into Notepad: http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06.
- Save the notepad file as "OIDGen.vbs" (enclosed with double quotes, else it will be suffixed with .txt after .vbs) name on the C: drive.
- Open command prompt and run the following script: Start > Run > Cmd.exe > CScript.exe C:\OIDGen.vbs.
- Copy the OID string (dot separated numeric string) and paste it into the Unique X500 Object ID field.
- Click OK.
- Click Classes from the left navigation pane, the select User, right-click, and select Properties.
- The User Properties pop-up will be displayed. Click Attributes, then click Add.
- Select the newly created attribute from the Select Schema Object pop-up and click OK.
- The selected option will be displayed in User Properties - Optional. Click Apply, then OK.
- Open Active Directory Users and Computers (by default, Users will be selected). Click ADFS User, then right-click and select Properties.
Note: Only Administrators can make these changes.
- The ADFS User Properties pop-up will be displayed. Click Attribute Editor, scroll down and select responsiverole, then click Edit.
- Specify the role as Manager and click OK.
- The value will be updated in the Attributes section. Click Apply and then OK.
- Close the Active Directory Users and Computers pop-up.
Once the custom roles are created, you can add a custom role in the Claim Issuance policy.
Configuring SAML SSO in Responsive
- Go to Organization Settings > My Organization > Security > SSO/SCIM.
- If the SAML SSO feature is not displayed, contact your account manager.
- Multiple SSOs can be created for a single client instance. If this is required, open a support ticket to enable these.
- Turn on the SSO toggle and click Save.
- Click Add Authentication Method. The New SSO section will be displayed as shown below:
- Enter ADFS for the name.
- Click Upload Configuration File and upload the federated metadata file.
Note: The federated metadata file can be downloaded from https://<server>/federationmetadata/2007-06/federationmetadata.xml.
- Click Validate.
- Once validated, turn on the ADFS toggle.
Using SAML to Log In to Responsive
Users can login to Responsive using SAML in two ways.
Login Using an Instance Specific URL
- Enter the following URL in your browser: https://<server>/adfs/ls/IdpInitiatedSignOn.aspx.
- Select the Sign In To One of the Following Sites radio button and select Responsive, then click Continue to Sign In.
- Enter the user name and password, then click Log In to go to Responsive.
Login to app.rfpio.com using SAML
- Enter your email.
- Click Sign-in Using SAML.