To set up the federation, we need the following three steps:
- Create Relying Party Trust in your ADFS platform
- Configure claim Rules
- Create the federation in Smart Society
Based on the information collected in the first two steps, we will create the federation in Smart Society.
Create Relying Party Trust in your ADFS platform
Make sure that you can access the ADFS platform as an administrator.
- Open the ADFS Management Console
- Click on Add Relying Party Trust
- Click Start on the first step
- Under Select Data Source
- Select Enter data about the relying party manually and click Next
- Under Specify Display Name
- Enter an arbitrary name (such as “Smart Society Federation”) and click Next
- Under Choose Profile
- Leave the default selection (ADFS 2.0 profile; on newer versions, AD FS profile) and click Next
- Under Configure Certificate
- Leave the default No encryption certificate and click Next
- Under Configure URL
- Check Enable support for the WS-Federation…
- Enter the following URL in the textbox and click Next
https://login.smart-society.io/login/callback
- Under Configure Identifiers
- Add a Relying party trust identifier with the following value and click Add and then Next
urn:auth0:smart-society
- Under Configure Multi-factor Authentication Now?
- Select I do not want to configure multi-factor authentication settings for this relying party trust at this time (or configure multi-factor authentication according to your requirements) and click Next
- Under Choose Issuance Authorization Rules
- Select Permit all users to access this relying party (unless you want to restrict access) and click Next
- Under Ready to Add Trust
- You can now review all your choices and settings and click Next when you are ready to add the trust
- Under Finish
- Keep the check box Open the Edit Claim Rules dialog… checked and click Close
Configure claim Rules
In order for the federation with Smart Society to work, we need to receive the following claims:
- E-Mail Address
- Name
- Name ID
- Given Name
- Surname
The Name ID claim should hold a unique, stable identifier for each user. To prevent compliance issues, its value must not be (or look like) the email address or the user principal name (UPN).
When we set up a federation using ADFS, we advise our clients to add custom rules that map the user's objectGUID into this claim. The ADFS Active Directory attribute store returns objectGUID Base64-encoded, and Base64 strings can contain the characters =, + and /. These special characters conflict with our identity platform, so the rules replace each of them with the hex digits of its percent-encoding (3D, 2B and 2F). Because the replacement is deterministic, the resulting Name ID is still stable for each user. This is achieved with the following five custom rules:
- Send email, display name, given name, surname
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,displayName,givenName,sn;{0}", param = c.Value);
- Fetch objectGUID
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("nameidentifier1"), query = ";objectGUID;{0}", param = c.Value);
- Replace special character
c:[Type == "nameidentifier1"] => add(Type = "nameidentifier2", Value = RegExReplace(c.Value, "[=]", "3D"));
- Replace special character
c:[Type == "nameidentifier2"] => add(Type = "nameidentifier3", Value = RegExReplace(c.Value, "[+]", "2B"));
- Replace special character and send objectGUID
c:[Type == "nameidentifier3"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = RegExReplace(c.Value, "[/]", "2F"));
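To predict the Name ID value that these rules will send for a given user (for example to compare against what Smart Society sees during verification), the following added PowerShell example reproduces rules 2 to 5 outside ADFS. It is not part of the original guide or of either platform's code. It assumes that the ADFS Active Directory attribute store Base64-encodes the raw 16-byte objectGUID, which is the byte layout that [guid]::ToByteArray() returns; the sample GUID and the function name are constructed for illustration.

```powershell
# Added example (not from the original page): reproduces what claim rules 2-5 turn a
# user's objectGUID into, so the expected Name ID can be computed for any account.
# Assumption: the ADFS Active Directory attribute store emits the raw 16-byte
# objectGUID Base64-encoded, i.e. the same bytes [guid]::ToByteArray() returns.
function ConvertTo-SmartSocietyNameId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)

    # Rule 2: what ADFS fetches from AD. 16 bytes -> 24 Base64 chars, always ending in "==",
    # so the "=" replacement in rule 3 fires for every user.
    $base64 = [Convert]::ToBase64String($ObjectGuid.ToByteArray())

    # Rules 3-5: the same three RegExReplace calls, applied in the same order.
    $nameId = $base64 -replace '=', '3D' -replace '\+', '2B' -replace '/', '2F'

    [pscustomobject]@{
        ObjectGuid = $ObjectGuid
        Base64     = $base64
        NameId     = $nameId
    }
}

# Constructed sample GUID (not a real account). For a real user, pass the value of
#   (Get-ADUser -Identity alice -Properties objectGUID).ObjectGUID
$sample = ConvertTo-SmartSocietyNameId -ObjectGuid ([guid]'2c0f3e9a-7b1d-4e6f-9a3b-1d2e3f4a5b6c')
$sample | Format-List

# After the replacements the Name ID must contain only letters and digits.
if ($sample.NameId -notmatch '^[A-Za-z0-9]+$') {
    throw "Unexpected character in Name ID: $($sample.NameId)"
}
```

Run it on the ADFS server (or any machine with the ActiveDirectory module for the Get-ADUser lookup); the NameId field is the value Smart Society will receive in the nameidentifier claim once the rules are in place.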
To add the custom rules, click Add Rule…
Select Send Claims Using a Custom Rule from the drop-down list and click Next
Provide a descriptive name, paste the rule text and click Finish
Repeat this for the remaining four rules.
Do not change the order of the rules: rules 2 to 5 each consume the intermediate claim that the previous rule adds to the pipeline, so they must be processed in the order documented above.
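The same Relying Party Trust and claim rules can be created with the ADFS PowerShell cmdlets instead of the wizard. The following added example is not from the original guide or from either platform; it scripts the wizard choices above with the identifier and endpoint given in this guide, and uses an arbitrary display name. Run it on an ADFS server as an ADFS administrator.

```powershell
# Added example (not from the original page): scripts the Relying Party Trust and the
# five claim rules from the steps above with the ADFS PowerShell cmdlets.
Import-Module ADFS   # ADFS 2.0 instead: Add-PSSnapin Microsoft.Adfs.PowerShell

$Name       = 'Smart Society Federation'                      # arbitrary display name
$Identifier = 'urn:auth0:smart-society'                       # Relying party trust identifier
$Endpoint   = 'https://login.smart-society.io/login/callback' # WS-Federation passive endpoint

# "Permit all users to access this relying party" -- the rule the wizard generates.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The five custom issuance transform rules, in the order they must run. Rules 2-4 use
# add(), so their intermediate claims stay inside the pipeline and are never sent;
# only rules 1 and 5 issue() claims to the relying party.
$TransformRules = @'
@RuleName = "1 - Send email, display name, given name, surname"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,displayName,givenName,sn;{0}", param = c.Value);

@RuleName = "2 - Fetch objectGUID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("nameidentifier1"), query = ";objectGUID;{0}", param = c.Value);

@RuleName = "3 - Replace ="
c:[Type == "nameidentifier1"]
 => add(Type = "nameidentifier2", Value = RegExReplace(c.Value, "[=]", "3D"));

@RuleName = "4 - Replace +"
c:[Type == "nameidentifier2"]
 => add(Type = "nameidentifier3", Value = RegExReplace(c.Value, "[+]", "2B"));

@RuleName = "5 - Replace / and send objectGUID as Name ID"
c:[Type == "nameidentifier3"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = RegExReplace(c.Value, "[/]", "2F"));
'@

# No encryption certificate, WS-Federation only, permit all users, rules as above.
Add-AdfsRelyingPartyTrust -Name $Name `
    -Identifier $Identifier `
    -WSFedEndpoint $Endpoint `
    -ProtocolProfile 'WSFederation' `
    -EncryptClaims $false `
    -IssuanceAuthorizationRules $AuthzRules `
    -IssuanceTransformRules $TransformRules

# Verify: identifier, endpoint and rule order must match this guide before sharing
# the federation metadata with Smart Society.
Get-AdfsRelyingPartyTrust -Name $Name |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules |
    Format-List
```

On AD FS 2016 and later, where access control policies replace issuance authorization rules, pass -AccessControlPolicyName 'Permit everyone' instead of -IssuanceAuthorizationRules.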
Create the federation in Smart Society
Once the Relying Party Trust has been created and the custom rules have been added, please share the following information with us:
- Your Federation Metadata endpoint URL (typically https://<your-adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml) or the downloaded FederationMetadata.xml file
- All email domain names that you would like to use in this federation.
Once we have received your information, we will create the federation in the Smart Society platform. When that is done, we will inform you so that you can verify the federation.