Integrate AD FS with Engagedly

Active Directory Federation Service (AD FS) allows users to access multiple web applications across organizational boundaries using a single login credential. Admins can seamlessly integrate users from AD FS to Engagedly, which offers integrations for single sign on (SSO). Learn more in Overview of Integrations.

Prerequisites:

  • Every user who will sign in must have a first name, last name, and email address populated in Active Directory. AD FS reads these from AD; the email address is the value that identifies the user to Engagedly.
  • AD FS is installed and configured on a Windows Server, and you have administrative rights on it.

Follow the steps to integrate AD FS with Engagedly:

Navigate to Settings > Integrations.

  1. Click SAML Single Sign On.
  2. In the SAML SSO pop-up, click ADD.
  3. In the ADD SAML SSO pop-up, type the Identifier Name as required and click SAVE.

After you save, the system generates the ACS URL and Entity ID.

Note: Use the ACS URL and Entity ID in steps 12 and 13, respectively, to configure basic SAML.

    4.    In Server Manager, select Tools > AD FS Management, and select the Relying Party Trusts folder.

    5.    On the right pane, click Add Relying Party Trust in the Actions field.

    6.    On the Welcome page, click Start to begin the setup wizard.

    7.    On the Select Data Source page, select Enter data about the relying party manually and click Next.

    8.    On the Specify Display Name window, enter the display name as required and click Next.


Note: Adding notes under the display name is optional.

    9.    On the Choose Profile window, select AD FS profile and click Next.

  10.    On the Configure Certificate window, click Next. This page is for an optional token encryption certificate; this guide does not use one.

  11.   On the Configure URL window, select Enable support for the SAML 2.0 WebSSO protocol.

  12.    Copy the ACS URL generated in step 3 on the Engagedly portal, paste it into the Relying party SAML 2.0 SSO service URL field, and click Next.

  13.    Copy the Entity ID generated in step 3 on the Engagedly portal, paste it into the Relying Party Identifier field, and click Next.

You can configure multi-factor authentication on the next page if required, but it is not part of this setup and can be skipped.

  14.    Select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and click Next.

  15.    On the Choose Issuance Authorization Rules window, select the Permit all users to access this relying party radio button and click Next. This allows every account that can authenticate to AD FS to obtain a token for Engagedly; if only some users should have access, tighten the issuance authorization rules on the trust afterwards (for example, by group membership).

  16.    Click Close to exit.

You have successfully created a Relying Party Trust. Now, you have to create the claim rules.

  17.    In the claim rules dialog that opens for the new trust, click Add Rule.

  18.    In the Claim rule template drop-down menu, select Send LDAP Attributes as Claims and click Next.

  19.    Type a name in the Claim rule name field as required.

  20.    In the Attribute store drop-down menu, select Active Directory.

  21.    Select E-Mail-Addresses as the LDAP Attribute and E-Mail Address as the Outgoing Claim Type, and click Finish.

  22.    Click Add Rule to create a second rule. This rule is mandatory: it turns the email claim into the SAML subject NameID that Engagedly uses to identify the user.

  23.    In the Select Rule Type window, select Transform an Incoming Claim in the Claim rule template drop-down menu, and click Next.

  24.    Type a name in the Claim rule name field as required.

  25.    In the Incoming claim type field, select E-Mail Address; it must match the Outgoing Claim Type from rule 1.

  26.    Set Outgoing claim type to Name ID and Outgoing name ID format to Email.

  27.    Select Pass through all claim values and click Finish.

  28.    You have to configure certain settings for the Relying Party Trust. Right-click the newly created Relying Party Trust and select Properties.

  29.    Select the Advanced tab and choose the Secure hash algorithm. This guide uses SHA-1. SHA-1 signatures are deprecated and SHA-256 is the AD FS default, so prefer SHA-256 if Engagedly accepts it, and select SHA-1 only if the test in step 45 fails with SHA-256. Whatever you select here must match what the service provider expects, or it will reject the signed response.

  30.    Select the Monitoring tab and copy the ACS URL generated in step 3 on the Engagedly portal.

  31.    Paste it into the Relying party's federation metadata URL field and click Test URL.

If the test succeeds, click OK to close the Properties dialog. Note that this field expects a URL that serves the relying party's SAML metadata document; if the test fails because the ACS URL does not return metadata, leave the field empty and Monitor relying party unchecked. The endpoint and identifier were entered by hand in steps 12 and 13, so nothing in this setup depends on monitoring.
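The relying party trust from steps 4 to 31 can also be created without the wizard. The following is an added example written for this page, not a script from Engagedly or Microsoft; it assumes an elevated PowerShell session on the AD FS server and uses placeholder values for the ACS URL, Entity ID and trust name, which you replace with the values Engagedly generated in step 3. It produces the same two claim rules and the same permit-all authorization rule as the GUI steps, but selects SHA-256 rather than SHA-1 for the signature.

```powershell
# Added example (not Engagedly's or Microsoft's own script): creates the relying party trust
# and both claim rules from steps 4-29 non-interactively with the AD FS cmdlets.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Placeholders: use the ACS URL and Entity ID that Engagedly generated in step 3.
$AcsUrl   = 'https://example.engagedly.com/saml/acs'
$EntityId = 'https://example.engagedly.com/saml/metadata'
$Name     = 'Engagedly'

# Rule 1 (steps 18-21): read the AD "mail" attribute and issue it as the E-Mail Address claim.
# Rule 2 (steps 23-27): map that claim to a Name ID in the emailAddress format.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 15 chose "Permit all users"; this is the rule that choice generates. To restrict
# access, replace it with a rule that checks group membership before issuing "permit".
$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 11-12: SAML 2.0 WebSSO with the assertion consumer endpoint on the HTTP-POST binding.
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl

# Step 13 is -Identifier; step 29 is -SignatureAlgorithm. SHA-256 is the AD FS default;
# the SHA-1 URI is 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', for use only if the
# service provider rejects SHA-256.
Add-AdfsRelyingPartyTrust -Name $Name `
    -Identifier $EntityId `
    -SamlEndpoint $Endpoint `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Steps 30-31 used the Monitoring tab. With the endpoint and identifier entered by hand there
# is nothing to monitor, so leave it off rather than pointing it at a URL that serves no metadata.
Set-AdfsRelyingPartyTrust -TargetName $Name -MonitoringEnabled $false

# Review what was created.
Get-AdfsRelyingPartyTrust -Name $Name | Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints
```

Run `Get-AdfsRelyingPartyTrust -Name Engagedly | Select-Object -ExpandProperty IssuanceTransformRules` afterwards to confirm both rules were stored; the output should match the rules shown in the claim rules dialog of the GUI procedure.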

  32.    Download the federation metadata XML file from the metadata URL on AD FS.

Note: In AD FS Management, select Service > Endpoints and look under Metadata for the endpoint of type Federation Metadata. Its path is /FederationMetadata/2007-06/FederationMetadata.xml on the federation service host.

In the downloaded XML, the SingleSignOnService Location (the Single Sign On URL) ends with /adfs/ls/, and the entityID attribute of the EntityDescriptor element (the federation service identifier) ends with /adfs/services/trust.

  33.    Open the downloaded XML file and copy the Location of the SingleSignOnService element. AD FS lists the same URL for the HTTP-Redirect and HTTP-POST bindings.

  34.    On the Engagedly portal, in the EDIT SAML SSO pop-up, paste the Single Sign On URL in the Identity Provider Single Sign On URL field.

  35.    Copy the entityID attribute of the EntityDescriptor element from the same XML file (the AD FS federation service identifier, ending in /adfs/services/trust) and, on the Engagedly portal, in the EDIT SAML SSO pop-up, paste it into the Identity Provider Issuer field. Do not use the Relying Party Identifier from step 13 here; that is Engagedly's own Entity ID, and the Issuer field must hold the identifier AD FS places in the Issuer element of its SAML responses.

  36.    In AD FS Management, expand AD FS > Service and select the Certificates folder.

  37.    In the Token-signing section, double-click the certificate. If two are listed (which happens during certificate rollover), use the one marked Primary.

  38.    In the Certificate pop-up, open the Details tab and click Copy to File to start the Certificate Export Wizard.

  39.    In the Certificate Export Wizard pop-up, click Next.

  40.    Select Base-64 encoded X.509 (.CER) as the export format, and click Next.

  41.    Click Browse to specify the location where you want to export the certificate, and type the name as required.

  42.    Click Save in the Save pop-up, click Next, and click Finish in the Certificate Export Wizard pop-up.

  43.    Open the exported certificate in a text editor and copy the entire content, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  44.    On the Engagedly portal, in the EDIT SAML SSO pop-up, paste the certificate content into the Identity Provider X.509 Certificate field and click SAVE.

You have successfully integrated AD FS with Engagedly for single sign on (SSO).

  45.    Click Test Connection to test the integration.

Single sign-on only works for AD FS users who already exist on the Engagedly portal with the same email address; the Name ID issued by rule 2 must match the Engagedly account's email exactly.

AD FS renews its token-signing certificate automatically when AutoCertificateRollover is enabled (the default). When the primary token-signing certificate changes, Engagedly can no longer validate the signature on responses; repeat steps 36 to 44 with the new certificate.
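Steps 33 to 44 copy three values out of the federation metadata and the token-signing certificate by hand. The following is an added example written for this page, not Engagedly's or Microsoft's code; it parses a constructed, trimmed metadata document (placeholder host adfs.example.com, truncated certificate body) and returns the Single Sign On URL, the Identity Provider Issuer, and the certificate in the PEM form that step 44 pastes into Engagedly. On a real server, load the document from https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml instead of the sample.

```powershell
# Added example (not Engagedly's or Microsoft's own code): extracts the values that
# steps 33-44 copy by hand from an AD FS federation metadata document.

function Get-SamlIdpSettings {
    param([Parameter(Mandatory)][xml]$Metadata)

    # Federation metadata uses the SAML metadata and XML-DSig namespaces.
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    $idp    = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)

    # Step 33: the Single Sign On URL. AD FS publishes the same Location (ending in
    # /adfs/ls/) for the HTTP-Redirect and HTTP-POST bindings; take the POST one.
    $sso = $idp.SelectSingleNode(
        "md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", $ns)

    # Steps 37-43: the token-signing certificate is the KeyDescriptor with use="signing".
    # Strip whitespace and re-wrap the Base64 at 64 columns so it matches the exported .CER file.
    $certNode = $idp.SelectSingleNode("md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    $b64 = $certNode.InnerText -replace '\s', ''
    $pem = "-----BEGIN CERTIFICATE-----`n" +
           (($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n") +
           "`n-----END CERTIFICATE-----"

    [pscustomobject]@{
        # Step 35: the Identity Provider Issuer is the AD FS entityID (ends with
        # /adfs/services/trust), not the relying party identifier Engagedly generated.
        IdentityProviderIssuer = $entity.entityID
        SingleSignOnUrl        = $sso.Location
        X509Certificate        = $pem
    }
}

# Constructed sample document (not real AD FS output); the certificate body is truncated
# and the host is a placeholder. Real metadata also carries an XML signature and more
# endpoints, which the function ignores.
[xml]$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQTRUNCATEDFORTHISEXAMPLE</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

Get-SamlIdpSettings -Metadata $sampleMetadata | Format-List
```

During certificate rollover the metadata lists two signing KeyDescriptors and the function returns the first one. In that situation compare its thumbprint with the output of `Get-AdfsCertificate -CertificateType Token-Signing` on the server, which marks the active certificate with IsPrimary, and paste that one into Engagedly.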