
AD FS 2.0 SAML configuration

Overview

SAML Authentication is a paid add-on feature and must be enabled prior to use. Contact the Customer Success team at customersuccess@responsive.io to enable it.

Responsive supports single sign-on (SSO) over Security Assertion Markup Language (SAML) 2.0, the widely adopted industry standard for federated authentication.

  • The SSO implementation works with any identity provider that supports SAML 2.0.
  • In AD FS, the connection to Responsive is defined by a Relying Party Trust (RPT).

To configure Responsive in Active Directory Federation Services (AD FS), you first add a Relying Party Trust (RPT), configure its claim issuance policy, and add the SAML assertion consumer endpoints; then you complete the configuration in the Responsive application. The screens described below are those of the AD FS Management console on Windows Server 2016 and later; the Claims aware and Choose Access Control Policy pages do not exist in earlier AD FS versions, which use issuance authorization rules instead.

Adding a Relying Party Trust

  1. In the AD FS Management console, expand AD FS in the left navigation pane and click Relying Party Trusts.
  2. In the Actions pane on the right, click Add Relying Party Trust.
    Note: Alternatively, right-click Relying Party Trusts in the left navigation pane and select Add Relying Party Trust.
  3. On the Welcome page of the Add Relying Party Trust Wizard, select Claims aware and click Start.
  4. On the Select Data Source page, select Enter data about the relying party manually and click Next.
  5. On the Specify Display Name page, enter a display name that you will recognize later (for example, Responsive).
  6. Enter any required notes, then click Next.
  7. On the Configure Certificate page, click Next. This page is for an optional token encryption certificate; none is uploaded for this configuration.
  8. On the Configure URL page, check the Enable support for the SAML 2.0 WebSSO protocol box.
  9. In the Relying party SAML 2.0 SSO service URL field, enter https://app.rfpio.com/rfpserver/login/handle-saml-response/<DefaultRelayState>.
    Note: Replace <DefaultRelayState> with the Default Relay State value shown in Responsive under Organization Settings > My Organization > Security > SSO/SCIM. This value identifies your Responsive organization, so copy it exactly.
  10. Click Next. The Configure Identifiers page is displayed.
  11. Enter https://www.rfpio.com in the Relying party trust identifier field and click Add. AD FS uses this identifier to match requests from Responsive to this trust, so enter it exactly as shown.
  12. Click Next. The Choose Access Control Policy page will be displayed.
  13. Select Permit everyone and click Next. This policy lets every user who can authenticate to AD FS obtain an assertion for Responsive; to limit SSO to a set of users, select Permit specific group instead and choose the group.
  14. On the Ready to Add Trust page, click Next.
  15. On the Finish page, check the Configure claim issuance policy for this application box.
  16. Click Close. The newly created relying party trust is displayed in the Relying Party Trusts list.

Creating a Claim Issuance Policy

Once the relying party trust has been created, you can configure the claim issuance policy.

  1. In the AD FS Management console, select the newly created RPT.
  2. In the Actions pane on the right, click Edit Claim Issuance Policy under the Responsive section.
  3. In the Edit Claim Issuance Policy for Responsive dialog, click Add Rule.
  4. On the Select Rule Template page, select Send LDAP Attributes as Claims from the Claim rule template drop-down list.
  5. Click Next. On the Configure Rule page, enter a claim rule name and select Active Directory from the Attribute store drop-down list.
  6. In the Mapping of LDAP attributes to outgoing claim types table, enter the following rows (outgoing claim types that are not in the list can be typed in):

    LDAP Attribute            Outgoing Claim Type
    Given-Name                first_name
    Surname                   last_name
    State-Or-Province-Name    location
    Telephone-Number          phone
    E-Mail-Addresses          Name ID
    Title                     job_title

    Note: Name ID is the SAML subject identifier. Responsive identifies users by email address (see Login to app.rfpio.com Using SAML below), so the mail attribute of each user in Active Directory must match the email address of that user's Responsive account.
  7. Click Finish once the rows are added.
  8. Back in the Edit Claim Issuance Policy for Responsive dialog, click Apply, then click OK.

Adding SAML Assertion Consumer Endpoints

  1. In the AD FS Management console, right-click the RPT and select Properties.
  2. In the Responsive Properties dialog, select the Endpoints tab.
  3. Click Add SAML.
  4. Select POST from the Binding drop-down list.
  5. Enter 1 as the Index value.
  6. Enter https://app.rfpio.com/rfpserver/login/handle-saml-response in the Trusted URL field.
    Note: The endpoint with index 0 is the URL (including the Default Relay State) entered in step 9 of Adding a Relying Party Trust; make sure its Default column reads Yes, because that is the endpoint AD FS posts the signed SAML response to when no other is requested.
  7. Click Apply, then click OK.

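The three procedures above (trust, claim rule, assertion consumer endpoints) as a single AD FS PowerShell script. This is an added example, not part of the Responsive article or product; it assumes Windows Server 2016 or later (for access control policies), the display name Responsive, and that you replace the <DefaultRelayState> placeholder with your organization's value. The LDAP attribute names in the query (mail, givenName, sn, st, telephoneNumber, title) are the directory attributes behind the display names the wizard shows.

```powershell
# Added example, not part of the Responsive article: the same Relying Party Trust,
# claim rule and assertion consumer endpoints built with the AD FS PowerShell module.
# Assumptions: Windows Server 2016 or later (Access Control Policies), display name
# "Responsive", and $relayState replaced with your organization's Default Relay State.
Import-Module ADFS

$rptName    = 'Responsive'                      # display name from step 5
$rptId      = 'https://www.rfpio.com'           # relying party trust identifier from step 11
$relayState = '<DefaultRelayState>'             # Organization Settings > My Organization > Security > SSO/SCIM
$acsBase    = 'https://app.rfpio.com/rfpserver/login/handle-saml-response'

if ($relayState -like '<*') { throw 'Set $relayState to your Default Relay State before running.' }

# Assertion consumer endpoints: index 0 (default) carries the relay state exactly as in
# step 9 of the wizard; index 1 is the plain URL added under Endpoints. Both use POST.
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "$acsBase/$relayState" -Index 0 -IsDefault $true),
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri $acsBase -Index 1)
)

# Issuance transform rule equivalent to the "Send LDAP Attributes as Claims" template.
# The query lists the directory attributes behind the wizard's display names
# (mail, givenName, sn, st, telephoneNumber, title); {0} is the authenticated account.
# The first claim type is the SAML Name ID, so it is filled from the mail attribute.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Responsive user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "first_name", "last_name", "location", "phone", "job_title"),
          query = ";mail,givenName,sn,st,telephoneNumber,title;{0}",
          param = c.Value);
'@

# 'Permit everyone' matches step 13. To scope SSO to one AD group, use
# -AccessControlPolicyName 'Permit specific group' with -AccessControlPolicyParameters naming the group.
Add-AdfsRelyingPartyTrust -Name $rptName -Identifier $rptId `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $transformRules `
    -AccessControlPolicyName 'Permit everyone'

# Read back what AD FS stored and confirm that index 0 is the default endpoint.
$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
$rpt | Select-Object Name, Identifier, AccessControlPolicyName
$rpt.SamlEndpoints | Select-Object Index, IsDefault, Binding, Location
```

Run it once as an AD FS administrator on a farm node; re-running fails because the identifier already exists on a trust, so use Set-AdfsRelyingPartyTrust -TargetName Responsive to change an existing trust.
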
Adding Custom Roles in the Claim Issuance Policy (Optional)

You can map a custom role into the claim issuance policy. The custom LDAP attribute that holds the role must exist before you map it; see Creating New Attributes (Optional) below.

  1. In the AD FS Management console, select the RPT, then click Edit Claim Issuance Policy in the Actions pane on the right.
  2. In the Edit Claim Issuance Policy for Responsive dialog, select the rule created above and click Edit Rule.
  3. Add a row with the LDAP display name of the custom attribute (responsive_user_role, as created below) in the LDAP Attribute (Select or Type to add more) column and role in the Outgoing Claim Type (Select or Type to add more) column.
  4. Click OK to return to the Edit Claim Issuance Policy for Responsive dialog.
  5. Click Apply, then click OK.

Creating New Attributes (Optional)

Admins use this procedure to add a custom attribute to the user class of the Active Directory schema; that attribute then holds each user's Responsive role. Schema changes are forest-wide and cannot be undone (an attribute can be deactivated but not deleted), so test in a lab forest first. The Active Directory Schema snap-in only appears after schmmgmt.dll has been registered on the machine, and the change must be made by a member of Schema Admins.

  1. Press Windows key + R, type MMC, and click OK.
  2. In the Console1 - [Console Root] window, click File and select Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog, select Active Directory Schema from the Available snap-ins list and click Add.
  4. Click OK.
  5. In the left navigation pane, expand Active Directory Schema, right-click Attributes, and select Create Attribute.
  6. In the Schema Object Creation warning, click Continue.
  7. In the Create New Attribute dialog, enter the following values:

    Common Name              responsive_user_role
    LDAP Display Name        responsive_user_role
    Unique X500 Object ID    the Object ID generated in steps 8 to 11 below
    Syntax                   Unicode String (select from the drop-down)

  8. To generate an Object ID with Microsoft's VBScript generator, open the following link in a web browser, copy the VB script code, and paste it into Notepad: http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06. The script derives a unique OID under Microsoft's 1.2.840.113556.1.8000.2554 arc from a newly generated GUID; the TechNet Gallery has since been retired, so any generator that produces an OID under an arc you are entitled to use will do.
  9. Save the file on the C: drive as "OIDGen.vbs", including the double quotes (otherwise Notepad appends .txt to the name).
  10. Open a command prompt (Start > Run > Cmd.exe) and run CScript.exe C:\OIDGen.vbs.
  11. Copy the OID (a dot-separated numeric string) from the output and paste it into the Unique X500 Object ID field.
  12. Click OK.
  13. In the left navigation pane, click Classes, right-click User, and select Properties.
  14. In the User Properties dialog, click the Attributes tab, then click Add.
  15. In the Select Schema Object dialog, select the newly created attribute and click OK.
  16. The attribute is listed under Optional in User Properties. Click Apply, then OK.
  17. Open Active Directory Users and Computers (the Users container is selected by default). Right-click the user who should receive a role (ADFS User in this example) and select Properties.
    Note: Only administrators can make these changes. The Attribute Editor tab is shown only when View > Advanced Features is enabled.
  18. In the user's Properties dialog, click the Attribute Editor tab, scroll to responsive_user_role, select it, and click Edit.
  19. Enter the role value (Manager in this example) and click OK.
  20. The value is shown in the Attributes list. Click Apply, then OK.
  21. Close Active Directory Users and Computers.

Once the custom attribute is populated, map it to the role claim as described in Adding Custom Roles in the Claim Issuance Policy (Optional).

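The schema extension, role assignment and claim-rule change of the two optional sections above as one script. This is an added example, not part of the Responsive article or product; it uses the ActiveDirectory and ADFS PowerShell modules and assumes the attribute name responsive_user_role, a user with sAMAccountName adfsuser (the ADFS User account of step 17), the role value Manager, and a trust named Responsive. The OID generator follows the same GUID-to-arcs construction as the OIDGen.vbs script referenced above.

```powershell
# Added example, not part of the Responsive article: the schema extension, role
# assignment and claim-rule change above as one script using the ActiveDirectory and
# ADFS PowerShell modules. Assumptions: attribute name responsive_user_role, a user with
# sAMAccountName adfsuser (the "ADFS User" account of step 17), role value Manager, and
# a trust named Responsive. Schema changes are irreversible; run on the schema master as
# a member of Schema Admins, then the AD FS part as an AD FS administrator.
Import-Module ActiveDirectory

$attrName = 'responsive_user_role'
$userSam  = 'adfsuser'
$roleVal  = 'Manager'
$rptName  = 'Responsive'

function New-SchemaOid {
    # Same construction as Microsoft's OIDGen.vbs: a fresh GUID's hex digits become
    # five 4-digit and two 6-digit decimal arcs under the 1.2.840.113556.1.8000.2554 prefix.
    $hex  = [guid]::NewGuid().ToString('N')            # 32 hex digits, no dashes
    $arcs = foreach ($off in 0, 4, 8, 12, 16, 20, 26) {
        $len = if ($off -lt 20) { 4 } else { 6 }
        [Convert]::ToInt64($hex.Substring($off, $len), 16)
    }
    return '1.2.840.113556.1.8000.2554.' + ($arcs -join '.')
}

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$oid      = New-SchemaOid

# Step 7: create the attribute. Unicode String is attributeSyntax 2.5.5.12 / oMSyntax 64.
New-ADObject -Name $attrName -Type attributeSchema -Path $schemaNC -OtherAttributes @{
    lDAPDisplayName = $attrName
    attributeID     = $oid
    attributeSyntax = '2.5.5.12'
    oMSyntax        = 64
    isSingleValued  = $true
    searchFlags     = 0
}

# Steps 13 to 16: add it to the user class as an optional (mayContain) attribute.
Set-ADObject -Identity "CN=User,$schemaNC" -Add @{ mayContain = $attrName }

# Reload the schema cache so the attribute is usable without waiting for the next refresh.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Steps 17 to 21: assign the role to the user and read it back.
Set-ADUser -Identity $userSam -Replace @{ $attrName = $roleVal }
Get-ADUser -Identity $userSam -Properties $attrName | Select-Object SamAccountName, $attrName

# Adding Custom Roles in the Claim Issuance Policy: append a rule that issues the
# attribute as the outgoing claim type "role", keeping the rules already on the trust.
Import-Module ADFS
$roleRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Responsive role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("role"), query = ";$attrName;{0}", param = c.Value);
"@
$existing = (Get-AdfsRelyingPartyTrust -Name $rptName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rptName -IssuanceTransformRules ($existing + "`n" + $roleRule)
```

The AD FS service account must be able to read the new attribute for the rule to return a value; by default any authenticated user can, unless the attribute is marked confidential in searchFlags.
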
Configuring SAML SSO in Responsive

  1. Go to Organization Settings > My Organization > Security > SSO/SCIM.
    • If the SAML SSO feature is not displayed, contact your account manager.
    • Multiple SSO configurations can be created for a single client instance. If you need this, open a support ticket to have it enabled.
  2. Turn on the SSO toggle and click Save.
  3. Click Add Authentication Method. The New SSO section is displayed.
  4. Enter ADFS as the name.
  5. Click Upload Configuration File and upload the AD FS federation metadata file.
    Note: The federation metadata file can be downloaded from https://<server>/federationmetadata/2007-06/federationmetadata.xml, where <server> is the federation service name of your AD FS farm. It contains the AD FS entity ID, its endpoints, and the token-signing certificate that Responsive will use to verify assertions. By default AD FS rolls its token-signing certificate over automatically about once a year (AutoCertificateRollover); when that happens the metadata changes and must be uploaded again, otherwise Responsive can no longer verify the signature on new assertions.
  6. Click Validate.
  7. Once validated, turn on the ADFS toggle.

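A check worth running before (and after every certificate rollover) uploading the metadata in step 5: fetch the file, list the entity ID, SSO endpoints and signing certificates it advertises, and compare them with what the AD FS farm reports. This is an added example, not part of the Responsive article or product; the federation service name adfs.example.com is an assumption, and the Get-Adfs* lines must run on an AD FS server.

```powershell
# Added example, not part of the Responsive article: fetch the federation metadata that
# step 5 uploads and list what Responsive will trust from it, then compare with the
# certificates AD FS itself reports. Assumption: the federation service name is
# adfs.example.com; the Get-Adfs* lines must run on an AD FS server.
$adfsHost = 'adfs.example.com'
$url = "https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml"

[xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Entity ID: the Issuer value AD FS puts in every assertion it sends to Responsive.
'Entity ID: ' + $md.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')

# SSO endpoints that the SP-initiated login (Sign-in Using SAML) will redirect to.
$md.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
    ForEach-Object { 'SSO endpoint: {0} {1}' -f $_.GetAttribute('Binding'), $_.GetAttribute('Location') }

# Token-signing certificates published for the IdP role, as thumbprints and expiry dates.
$md.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        'Signing cert in metadata: {0} (expires {1:u})' -f $cert.Thumbprint, $cert.NotAfter
    }

# What the farm currently uses. With AutoCertificateRollover = True a new token-signing
# certificate appears here before the old one expires, and the metadata must be re-uploaded.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
'AutoCertificateRollover: ' + (Get-AdfsProperties).AutoCertificateRollover
```

If the thumbprints in the metadata and in Get-AdfsCertificate differ, the file Responsive holds is stale and sign-in will fail once the old certificate is no longer primary.
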
Using SAML to Log In to Responsive

Users can log in to Responsive using SAML in two ways.

Login Using an Instance Specific URL

  1. Enter the following URL in your browser: https://<server>/adfs/ls/IdpInitiatedSignOn.aspx.
    Note: On Windows Server 2016 and later this page is disabled by default; an AD FS administrator enables it through the EnableIdpInitiatedSignonPage property of Set-AdfsProperties.
  2. Select the Sign In To One of the Following Sites radio button, select Responsive, and click Continue to Sign In.
  3. Enter your user name and password, then click Log In to go to Responsive.

Login to app.rfpio.com Using SAML

  1. Enter your email address.
  2. Click Sign-in Using SAML. You are redirected to AD FS to authenticate and then returned to Responsive.
