Configuring ADFS for EdSmart SAML Single Sign-On (SSO) - How to Add Relying Party Trust and Add Rules


Add Relying Party Trust

1. In Server Manager, click Tools, and then select AD FS Management.

2. In the folder tree on the left, under AD FS, right-click Relying Party Trusts and select Add Relying Party Trust.

3. Select Claims Aware and click Next/Start.

4. Choose "Import data about the relying party from a file". Use the metadata file at https://www.dropbox.com/s/gtnoz6bg0mwjixf/metadata.xml?dl=0 (download it first). Click Next.

5. Enter "EdSmart_RelyingParty" as the display name.

6. Give permissions to the group. Click Next/Finish.

   The group is whichever group needs to use SSO. Make sure that every user who will use SSO is a member of this group.

7. Finish. The relying party now appears in the list.


Add Rules

1. In Server Manager, click Tools, and then select AD FS Management.

2. Select the relying party trust created above (EdSmart_RelyingParty) and click Edit Claim Issuance Policy...

3. In the window that opens, click Add Rule...

4. Select "Send Group Membership as a Claim" and click Next.

5. Fill in the values and finish:

   • Claim rule name: MembershipRule
   • User's group: browse to the group that is allowed to log in using SSO.
   • Outgoing claim type: select Role.
   • Outgoing claim value: staff




6. The rule is added. Now double-click it.

7. Click View Rule Language.

8. Copy the claim rule language text and save it in Notepad; it is needed in the next step.

   Click OK and return to the Edit Claim Issuance Policy window.



9. Add another rule.

10. Select "Send Claims Using a Custom Rule".

11. Fill in:

   • Claim rule name: CustomMembershipRule
   • Custom rule: paste the text copied in the previous step.

   Now replace the highlighted URL, which is the outgoing claim type in the issue(...) part of the rule (http://schemas.microsoft.com/ws/2008/06/identity/claims/role), with simply role.

12. With the URL replaced by "role", click Finish.

13. You can now remove the previously created MembershipRule.

14. Add another rule: select "Send Claims Using a Custom Rule".

15. Fill in the details and click Finish.

   • Claim rule name: AttributeDataRule
   • Custom rule: paste the text below (it is a custom rule):

   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("UserID", "mail", "givenName", "sn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,mail,givenName,sn,mail;{0}", param = c.Value);
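The same configuration can be scripted with the AD FS PowerShell cmdlets. The block below is an added example, not part of the EdSmart guide, and covers both the Add Relying Party Trust steps and the Add Rules steps above in one script. It assumes the EdSmart metadata has already been downloaded to C:\Temp\metadata.xml, that the SSO group is called EdSmart-SSO-Users, and that the AD FS server has the ADFS and ActiveDirectory modules installed; the path and group name are placeholders to replace with your own.

```powershell
# Added example (not from the EdSmart guide): scripted equivalent of the wizard
# steps above. Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName       = 'EdSmart_RelyingParty'
$metadataFile = 'C:\Temp\metadata.xml'   # assumption: local copy of the EdSmart metadata
$groupName    = 'EdSmart-SSO-Users'      # assumption: the AD group allowed to use SSO

# Group membership claims carry the group SID, not the name, so resolve it once.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# "Add Relying Party Trust" steps 1-5 and 7: create the trust from the metadata file.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile
}

# Step 6 ("Give permissions to the group"): only members of the group may sign in.
# If the trust was created by the wizard with an access control policy assigned,
# clear it first (Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null),
# otherwise AD FS refuses to set issuance authorization rules.
$authzRules = @"
@RuleName = "Permit members of $groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# "Add Rules" steps 9-15: the two custom rules that end up in the issuance policy.
# CustomMembershipRule is the wizard-generated group rule with the outgoing claim type
# URL replaced by "role"; AttributeDataRule is the rule text given in step 15.
$transformRules = @"
@RuleName = "CustomMembershipRule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "role", Value = "staff", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "AttributeDataRule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("UserID", "mail", "givenName", "sn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,mail,givenName,sn,mail;{0}", param = c.Value);
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Review what was applied before handing the test account to EdSmart.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Enabled, IssuanceAuthorizationRules, IssuanceTransformRules
```

The authorization rule is what actually restricts sign-in to the group; the transform rules only shape the assertion. Because every member receives the same static role value (staff), membership of that AD group is the effective access boundary for EdSmart, so review it like any other entitlement. Before importing any metadata file, open it and confirm that the entityID and AssertionConsumerService endpoints are EdSmart's, since they decide where AD FS will send signed assertions. In the attribute query, the leading ";" tells AD FS to use its default samAccountName lookup keyed on the windowsaccountname claim value, and the five attributes listed map one-to-one onto the five claim types.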



16. Finally, provide EdSmart with a test username and password that we can use to verify and troubleshoot the SSO integration, and share your AD FS metadata with us so that we can configure our side.