This article outlines how to set up SAML-based Single Sign-On for Genea using Active Directory Federation Services (ADFS) as your Identity Provider. We support many IdP-initiated SSO providers, one of which is a self-hosted ADFS server.
ADFS is a standard role for Windows Server, provided by Microsoft, that offers a web login using existing Active Directory credentials.
How to Configure Your Active Directory Account
To use ADFS to log in to your Genea account, you need the following components:
- An Active Directory instance where all users have an email address attribute.
- A Genea account.
- A server running Windows Server 2012 or 2008. This guide uses screenshots from Server 2012 R2, but the steps are similar on other versions.
- An SSL certificate to sign your ADFS login page and the fingerprint for that certificate.
- If you're using host mapping in your Genea instance, an installed certificate for hosted SSL.
After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article.
Once ADFS is fully installed, note down the value of the "SAML 2.0/WS-Federation" URL in the ADFS Endpoints section. If you chose the defaults during installation, this will be '/adfs/ls/'.
Step 1 - Adding a Relying Party Trust
At this point you should be ready to set up the ADFS connection with your Genea account. The connection between ADFS and Genea is defined using a Relying Party Trust (RPT).
1. Select the Relying Party Trusts folder from ADFS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust. In the Select Data Source screen, select the last option, Enter Data About the Party Manually.
2. On the next screen, enter a Display name that you'll recognize in the future, and any notes you want to make.
3. On the next screen, select the AD FS profile radio button.
4. On the next screen, leave the certificate settings at their defaults.
5. On the next screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be https://login.sequr.io. Note that there's no trailing slash at the end of the URL.
6. On the next screen, add a Relying party trust identifier of https://login.sequr.io.
7. On the next screen, you may configure multi-factor authentication but this is beyond the scope of this guide.
8. On the next screen, select the Permit all users to access this relying party radio button.
9. On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.
Step 2 - Creating claim rules
Once the relying party trust has been created, you can create the claim rules and update the RPT with the minor changes that the wizard does not set.
1. To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
2. On the next screen, using Active Directory as your attribute store, do the following:
- From the LDAP Attribute column, select E-Mail Addresses.
- From the Outgoing Claim Type, select E-Mail Address.
3. Click on OK to save the new rule.
4. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
5. On the next screen:
- Select E-mail Address as the Incoming Claim Type.
- For Outgoing Claim Type, select Name ID.
- For Outgoing Name ID Format, select Email.
- Leave the rule at the default of Pass through all claim values.
6. Finally, click OK to create the claim rule, and then OK again to finish creating rules.
Step 3 - Adjusting the trust settings
You still need to adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar while you have the RPT selected.
1. In the Advanced tab, make sure SHA-256 is specified as the secure hash algorithm.
2. In the Endpoints tab, click on add SAML to add a new endpoint.
3. For the Endpoint type, select SAML Logout.
4. For the Binding, choose POST.
5. For the Trusted URL, create a URL using:
- The web address of your ADFS server
- The ADFS SAML endpoint you noted earlier
- The string "?wa=wsignout1.0"
For a default installation the URL should look something like this: https://<your ADFS server>/adfs/ls/?wa=wsignout1.0
6. Confirm your changes by clicking OK on the endpoint and on the RPT properties. You should now have a working RPT for Genea.
Your instance of ADFS may have security settings in place that require all Federation Services Properties to be filled out and published in the metadata. Check with your team to see if this applies in your instance. If it is, be sure to check the Publish organization information in federation metadata box.
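The same relying party trust that Steps 1 to 3 build in the ADFS Management wizard can be created from PowerShell, which makes the configuration reviewable and repeatable. The script below is an added example and is not part of Genea's documentation or tooling; it uses the ADFS module that ships with the ADFS role, the claim rule language that the wizard's own templates generate, and the placeholder host name adfs.example.com, which you must replace with your ADFS server's address. The trust name "Genea" is also an assumption.

```powershell
# Added example: scripts the relying party trust from Steps 1-3. Not Genea's or
# Microsoft's code. Assumes an elevated PowerShell session on the ADFS server;
# adfs.example.com is a placeholder for your own federation service host name.
Import-Module ADFS

$rptName   = "Genea"                                        # assumed display name for the trust
$genea     = "https://login.sequr.io"                       # identifier and SAML service URL, no trailing slash
$adfsHost  = "adfs.example.com"                             # placeholder, replace with your ADFS server
$logoutUrl = "https://$adfsHost/adfs/ls/?wa=wsignout1.0"    # default '/adfs/ls/' endpoint + the wsignout string

# Step 1: SAML 2.0 WebSSO (assertion consumer) endpoint, plus the SAML Logout
# endpoint added in Step 3. Both use the POST binding.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $genea -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
)

# Step 2: the two claim rules the wizard templates generate.
# Rule 1 (Send LDAP Attributes as Claims): AD 'mail' attribute -> E-Mail Address claim.
# Rule 2 (Transform an Incoming Claim): E-Mail Address -> Name ID, Email format, pass through values.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 1, "Permit all users to access this relying party".
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust. The signature algorithm is the Step 3 "Advanced" tab setting (SHA-256).
Add-AdfsRelyingPartyTrust -Name $rptName `
    -Identifier $genea `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Verify what was stored: the same values you would check on the Properties tabs.
Get-AdfsRelyingPartyTrust -Name $rptName |
    Select-Object Name, Identifier, SignatureAlgorithm, Enabled |
    Format-List
(Get-AdfsRelyingPartyTrust -Name $rptName).SamlEndpoints |
    Select-Object Protocol, Binding, Location, Index
```

The verification output at the end should show the identifier https://login.sequr.io, the rsa-sha256 signature algorithm, one SAMLAssertionConsumer endpoint pointing at login.sequr.io and one SAMLLogout endpoint pointing at your ADFS server. If a trust of the same name already exists, use Set-AdfsRelyingPartyTrust with the same parameters instead of Add-AdfsRelyingPartyTrust.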
Configure Your Genea Dashboard
1. Log in to your Genea dashboard and navigate to the "Integrations" page. Under the Single Sign-On SAML integration box, click "Install".
2. Configure the values that you obtained earlier.
- Enter your Identity Provider Single Sign-On URL.
- Drag and drop or manually enter the Certificate you downloaded. To find the certificate, run Get-AdfsCertificate at a PowerShell prompt on your ADFS server and look for the SHA256 thumbprint of the Token-Signing type certificate.
3. Click on "Install" to save the data
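Get-AdfsCertificate lists the certificates but does not save one to disk, and its Thumbprint value is the SHA-1 fingerprint rather than the SHA-256 one. The following added example (not Genea's or Microsoft's code) exports the primary Token-Signing certificate to a file you can upload and prints both fingerprints. It assumes an elevated PowerShell session on the ADFS server and uses C:\temp as a placeholder output folder.

```powershell
# Added example: export the primary ADFS Token-Signing certificate for the Genea
# dashboard and compute its fingerprints. Not Genea's or Microsoft's code.
# Assumes an elevated PowerShell session on the ADFS server; C:\temp is a placeholder path.
Import-Module ADFS

$outFile = "C:\temp\adfs-token-signing.cer"

# Only the primary token-signing certificate signs the SAML assertions that Genea will verify.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate      # System.Security.Cryptography.X509Certificates.X509Certificate2

# Export the public certificate as DER (.cer). No private key leaves the server.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

# The SHA-256 fingerprint is the SHA-256 hash of the DER encoding, which is exactly
# what Get-FileHash computes over the exported file.
$sha256 = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
$sha1   = $cert.Thumbprint           # .NET's Thumbprint property is the SHA-1 fingerprint

[pscustomobject]@{
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter      # the dashboard certificate must be updated before this date
    SHA1       = $sha1
    SHA256     = $sha256
    ExportedTo = $outFile
    # When automatic rollover is on, ADFS will eventually switch to a new token-signing
    # certificate, and the one stored in Genea must be replaced at that point.
    AutoRollover = (Get-AdfsProperties).AutoCertificateRollover
} | Format-List

# Base64 (PEM) form, in case the dashboard asks for certificate text instead of a file upload.
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path ([IO.Path]::ChangeExtension($outFile, ".pem")) -Value $pem
```

Compare the SHA256 value printed here with the fingerprint shown in the Genea dashboard after the upload; a mismatch means the wrong certificate (for example the secondary one queued for rollover) was exported.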
At this point, SSO has been enabled for all of your office admins and employees.
Exempting Users From Single Sign-On
There may be cases where you want to exclude certain users from the single sign-on process. For example, you may want to send a mobile key to vendors or contractors who are not on your Identity platform. Fortunately, it's easy to add an SSO exemption with Genea once you have enabled your SAML integration.
- Go to Integrations > SAML Integration > Exempted Users
- Under your SAML integration, click on the 'New' button. Search and add any existing user to exempt them from SSO.
- If you assigned a mobile key before adding the user to the SSO exemption, go to the user's profile and click "Resend Sign-up Email." The user will then receive a notification with their registration link to sign up.
SSO Back Door URL
In some cases there might be a mistake in the SAML configuration, or your SAML IdP endpoints might change. Either way, you do not want to be completely locked out. Having a back door available for Admins to use if they become locked out of their system is extremely important.
You can enable an SSO back door for your account. The 'SSO Back Door' URL only works for Administrators. The Genea 'SSO Back Door' URL is: https://login.sequr.io/?sso=false
How to Disable Single Sign-On
To disable SAML SSO, navigate to the "Integrations" tab on your Genea dashboard. Click "Manage" under the Single Sign-On SAML integration box, then click "Uninstall".
If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Genea Support Team via live chat in your Genea web app. You can also contact us via email at firstname.lastname@example.org.