Follow the steps below to integrate Engagedly SAML SSO with ADFS.

Step: 1

Log into Engagedly as a Site Administrator. Go to Integrations in Settings and click on SAML SSO.

Now click on ‘+Add’ and fill in your organization name. Once you’re done filling it in, click ‘Save’.

Now select the edit icon on the page that appears next.

The page is divided into two parts:

  1. Information that you need to copy from here (Engagedly) and enter in the Identity Provider (AD FS)
  2. Information that you need to copy from the Identity Provider and enter into Engagedly

Step: 2

After you have successfully configured Active Directory Federation Services (AD FS) you are ready to set up a connection with Engagedly. The following steps will help you set up AD FS.

Adding a Relying Party Trust

Open AD FS Management and select the Relying Party Trusts folder. Then, from the Actions sidebar on the right, click ‘Add Relying Party Trust’.

This opens a new wizard with a welcome screen; click Start to begin.

Here you have to follow a series of steps (as listed on the left-hand side of the page) to complete the process.

  1. On the Select Data Source screen select the last option, Enter Data About the Party Manually, and click Next.
  2. On the Specify Display Name screen enter a recognizable display name and, if you wish, add some notes (optional). Click Next.
  3. On the Choose Profile screen select AD FS profile and click Next.
  4. On the Configure Certificate screen leave the default values as they are and click Next.
  5. On the Configure URL screen, check the Enable Support for the SAML 2.0 WebSSO protocol checkbox. In the service URL text box, copy and paste the ACS URL from the Engagedly SAML SSO page shown in Step 1. Click Next.
  6. On this screen you have to add a Relying Party Identifier. To do that, copy the Entity ID from the Engagedly SAML SSO page and paste it. Click Next.

     If you wish, you can configure multi-factor authentication on this screen. However, as it is not related to this documentation, we are skipping it and moving on to the next step.

  7. On the Choose Issuance Authorization Rules screen, select the Permit all users to access this relying party radio button and click Next.

The following screens display an overview of the settings. Click Close to exit the wizard and open the Claim Rule editor.

Setting up Claim Rules

You have successfully created a Relying Party Trust; now you need to create Claim Rules. The Claim Rule editor pops up automatically once you close the Relying Party Trust wizard.

Click ‘Add Rule’.

Select Send LDAP Attributes as Claims from the dropdown menu. Click next.

On this screen, select Active Directory as the attribute store and give the rule any name, for example Get Email Attributes. Set the LDAP Attribute to E-Mail-Addresses and the Outgoing Claim Type to E-mail Address. Click Finish.

Now we have to create another rule. For that:

  • Click Add Rule.
  • Select Transform an Incoming Claim as the claim rule template to use. Click Next.
  • Set any name, such as Email to Name Id. Set the Incoming claim type to E-mail Address (it must match the Outgoing Claim Type of rule 1 set in step 2.2.3). Set the Outgoing claim type to Name ID and the Outgoing name ID format to Email. Check Pass through all claim values and click Finish.

To verify the claim rules, edit each existing rule and click View Rule Language.

The rules should match the following (straight double quotes; the rule language does not accept typographic quotes):

Rule 1 (Send LDAP Attributes as Claims):

  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory",
             types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
             query = ";mail;{0}", param = c.Value);

Rule 2 (Transform an Incoming Claim):

  c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
             Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
               = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Setting the Trust Settings

You still need to configure a few settings for the Relying Party Trust. To do so, open AD FS Management and select the Relying Party Trusts folder. Right-click the newly created Relying Party Trust and click Properties.

Select the ‘Advanced’ tab and select SHA-1 in the drop-down.

Select the Monitoring tab, copy and paste the ACS URL from the Engagedly SAML SSO page into the text box labeled Relying Party’s federation metadata URL, and then click Test URL. If everything is fine, close the dialog.

Setting up Engagedly

To set up Engagedly, you have to get two URLs, called Identity Provider Issuer and Identity Provider Single Sign-On URL, and an Identity Provider X.509 Certificate from your AD FS.

To get the Identity Provider Issuer URL you have to download the metadata XML file from the metadata URL of AD FS. You can find the metadata URL in AD FS Management by following these steps: Service | Endpoints > Metadata > Type: Federation Metadata.

The URL should look something like this: https:///federationmetadata/2007-06/federationmetadata.xml. Once you have downloaded the file, open it, look for entityID, copy the URL and paste it beside Identity Provider Issuer on the Engagedly SAML SSO page.

To set the Identity Provider Single Sign-On URL, look for the Location attribute of the SingleSignOnService element in the AD FS metadata XML file and copy and paste it beside Identity Provider Single Sign-On URL on the Engagedly page. Do not forget the slash at the end of the URL.

Now you have to get the certificate from AD FS. To do that, open AD FS Management > go to the Certificates folder > right-click Token-signing > View Certificate > go to the Details tab > then Copy to File.

In the wizard select Base-64 encoded X.509 and save the file. Open the file in a text editor such as Notepad, copy the certificate and paste it beside Identity Provider X.509 Certificate on the Engagedly SAML SSO page.
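As an added check (not part of the Engagedly or AD FS documentation), this Python script pulls the three values described above out of a downloaded federationmetadata.xml: the entityID, the SingleSignOnService Location (with the trailing slash the page insists on) and the token-signing certificate in the Base-64 form the Engagedly page expects, skipping the encryption certificate that AD FS also publishes. The metadata is a constructed sample; the host name and certificate bodies are placeholders.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, trimmed sample of an AD FS federationmetadata.xml. The host
# and the certificate bodies are placeholders, not values from a real farm.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>ENCRYPTIONCERTPLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>SIGNINGCERTPLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.test/adfs/ls"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.test/adfs/ls"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the Identity Provider Issuer, Single Sign-On URL and token-signing
    certificate (PEM) that the Engagedly SAML SSO page asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    # Prefer the HTTP-Redirect binding; otherwise take the first one listed.
    services = idp.findall("md:SingleSignOnService", NS)
    redirect = [s for s in services if s.get("Binding") == HTTP_REDIRECT]
    sso_url = (redirect or services)[0].get("Location")
    if not sso_url.endswith("/"):   # Engagedly wants the trailing slash
        sso_url += "/"
    # Only the signing certificate is wanted; AD FS also publishes an encryption one.
    cert_el = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert_el is not None:
                break
    if cert_el is None:
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(cert_el.text.split())
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
           + "\n-----END CERTIFICATE-----")
    return {"issuer": root.get("entityID"), "sso_url": sso_url, "certificate": pem}

if __name__ == "__main__":
    print(extract_idp_settings(SAMPLE_METADATA))
```

During certificate rollover AD FS publishes more than one signing certificate and this script takes the first, so compare it against the token-signing certificate shown in the Certificates folder before pasting it.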

Step: 4

On the Engagedly SAML SSO page click Save to save the settings.

Congratulations, you have successfully integrated your Engagedly account with ADFS!