Setup UniversitySite with ADFS SAML Authentication
Note: If you are considering switching to this SSO solution instead of the out of the box UniversitySite SSO, please contact Lawren Finley to find out if it's included with your subscription.
NOTE: You can test your configuration without interrupting the existing login experience for your production users by following these instructions:
https://docs.universitysite.com/article/579-how-to-test-saml-configuration-without-interrupting-production
- First you must go to the “Login Settings” page in UniversitySite. (Make sure you are in InstructorSite. If not, click on the left-most dropdown list at the top of the page and click on “InstructorSite”). Your page in UniversitySite should look like this now.
- Now, you will drop down the menu under your name at the top right-most drop-down and click on “Global Settings”.
- Now you will see the “Global Settings” page, scroll to the bottom of this page and click on “Login Settings”.
- You should now see a page that looks like this. Select “Use ADFS”.
- Expand the SAML Setup for Production Environment section. Scroll down on this page until you can see these settings. You will copy and paste them into your ADFS settings in the following steps.
Important! If you changed the subdomain to match our suggestion (it should match), then the URLs you copy in this step will also change. Also, ensure the URLs are copied exactly as shown, preserving case, since ADFS treats them as case-sensitive.
- Now, on your ADFS server, open the AD FS Management tool and click on “Add Relying Party Trust…”.
- Ensure that the “Claims aware” radio button is selected, then click “Start”.
- Now, in the “Add Relying Party Trust Wizard”, select the “Enter data about relying party manually” radio button, then click next.
- On this panel, you will enter the display name for UniversitySite and any notes you may want to add, then click next.
- On the following panel, you will add the certificate that UniversitySite uses to sign and encrypt its messages to ADFS. Use the Browse button to select it.
- You can download the certificate you need to use here from your UniversitySite browser. There is a button named “Download UniversitySite’s Cert” on your UniversitySite browser from step 5 of this document. Download the UniversitySite Cert and save it on your ADFS computer. Now browse to the certificate you just downloaded and open it. This certificate is only used to allow ADFS to decrypt data sent to it from UniversitySite.
- After opening the certificate file in the previous step, you should see something like this. If so, click next.
- Now, we need to select the “Enable support for the SAML 2.0 WebSSO protocol” checkbox and then enter the Relying party SAML 2.0 SSO service URL. You can copy this URL from your UniversitySite browser. There is a button named “Copy URL” under the “UniversitySite's SSO URL” setting on your UniversitySite browser from step 5 of this document. Click “Copy URL” and then paste it into this ADFS setting. Finally, click next.
- On this panel, we need to add the “Relying party trust identifier” for UniversitySite. You can copy this URL from your UniversitySite browser. There is a button named “Copy URL” under the “UniversitySite's Identifier” setting on your UniversitySite browser from step 5 of this document. Click “Copy URL” and then paste it into this ADFS setting.
Click Add, then change the URL from https to http and add it again, so you end up with two identifiers: one with https and one with http. Then click next.
- On the following panel, you will likely want to select “Permit everyone”, but you can choose a different access control policy if you need to. Select your desired policy and then click next.
- This panel summarizes what we’ve done so far, just click next.
- On this panel, we see that the relying party trust was successfully added. Now, we need to make sure the “Configure claims issuance policy for this application” checkbox is checked and then click close.
- This panel should pop up on your screen (it will probably be behind other windows, so you might have to find it). Click on the “Add Rule…” button.
- On this panel, ensure that “Send LDAP Attributes as Claims” is selected and then click next.
- Type in whatever claim rule name you want, then:
a. Select “Active Directory” from the “Attribute Store” dropdown list.
b. Under “Mapping of LDAP attributes…”:
i. Select “SAM-Account-Name” from the first dropdown list on the left.
ii. Select “Name ID” from the first dropdown list on the right.
iii. Select “E-Mail-Addresses” from the second dropdown list on the left.
iv. Select “E-Mail-Address” from the second dropdown list on the right.
c. Click finish.
- On this summary panel, just click OK.
- Now, we need to make a few tweaks to what we just setup, so select the University relying party trust and then click on Properties or just double click UniversitySite.
- On this panel, click on the Signature tab.
- Now, click on the Add button and browse to the certificate file for UniversitySite (this is the same certificate that you downloaded and saved to the ADFS computer in step 11) and open it. (Just like you did back in step 10-11 because that certificate is also used for signing items sent by UniversitySite to ADFS.)
- Now you should see the certificate has been added to the Signature tab. First, click on the Apply button to save this change and then click on the Endpoints tab so we can add the UniversitySite logout URL.
- On this panel, click on the “Add SAML” button.
- On this panel, we are specifying the UniversitySite SAML Single Logout URL.
a. Select the “ SAML logout” endpoint type
b. Enter the “ Trusted URL”. You can copy this URL from your UniversitySite browser. There is a button named “Copy URL” under the “UniversitySite's SLO URL” setting on your UniversitySite browser from step 5 of this document. Click “Copy URL” and then paste it into this ADFS setting.c. Click OK.
- Now, we are done with adding UniversitySite to ADFS, just click OK to close the panel.
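The same relying party trust, created with the ADFS PowerShell module instead of clicking through the wizard. This is an added example, not part of the UniversitySite documentation; the three UniversitySite URLs and the certificate path are placeholders that must be replaced with the values shown on the Login Settings page.

```powershell
# Added example: create the UniversitySite relying party trust from PowerShell.
# Replace the PLACEHOLDER values with those from the UniversitySite Login
# Settings page; keep the exact case, as ADFS compares these URLs case-sensitively.
Import-Module ADFS

$identifier = 'https://PLACEHOLDER-identifier'    # "UniversitySite's Identifier" (Copy URL)
$ssoUrl     = 'https://PLACEHOLDER-sso-url'       # "UniversitySite's SSO URL"   (Copy URL)
$sloUrl     = 'https://PLACEHOLDER-slo-url'       # "UniversitySite's SLO URL"   (Copy URL)
$certPath   = 'C:\PLACEHOLDER\UniversitySite.cer' # "Download UniversitySite's Cert"

# One certificate serves both roles the wizard sets up separately: decrypting
# messages sent by UniversitySite and validating the signatures on them.
$usCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Both the https and the http form of the identifier, as in the wizard step.
$identifiers = @($identifier, ($identifier -replace '^https://', 'http://'))

# SAML endpoints: the assertion consumer (SSO URL) and single logout (SLO URL).
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ssoUrl -Index 0 -IsDefault $true),
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $sloUrl)
)

# "Send LDAP Attributes as Claims": SAM-Account-Name -> Name ID, E-Mail-Addresses -> E-Mail Address.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UniversitySite attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";sAMAccountName,mail;{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name 'UniversitySite' `
    -Identifier $identifiers `
    -EncryptionCertificate $usCert `
    -RequestSigningCertificate $usCert `
    -SamlEndpoint $endpoints `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $claimRules

# Confirm what was registered before testing a login.
Get-AdfsRelyingPartyTrust -Name 'UniversitySite' |
    Select-Object Name, Identifier, AccessControlPolicyName, EncryptionCertificate
```

Run it in an elevated PowerShell session on the ADFS server; the resulting trust is the same object the wizard produces, so it can still be inspected and adjusted in the AD FS Management tool.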
- UniversitySite needs one more thing from ADFS before we can connect: the public key certificate that ADFS will use to talk to UniversitySite. First, let’s find the certificate that ADFS uses for signing items.
- You will need to export this ADFS token signing certificate’s public key so you can add it to UniversitySite later. You must export it as a Base-64 encoded X.509 (.CER) file. You can open this type of file in notepad and it will look something like this:
-----BEGIN CERTIFICATE-----
MIIC5jCCAc6gAwIBAgIQW1KPS0ZHM7FCCsyIQegFMTANBgkqhkiG9w0BAQsFADAv
…
QV1EtG8YvQgM4J0ZchIWkIHhmKAJAVOlr8Q=
-----END CERTIFICATE-----
- Select Certificates from the Service folder.
- Select the Token-signing certificate
- View the Certificate from the Actions panel on the right
- Click on the Copy to File button.
- Click on the Next button.
- First, select the Base-64 encoded X.509 (.CER) option, then click on the Next button.
- First, click on browse and pick a place where you want to save the certificate file, then click on the Next button.
- Click on the finish button to export the certificate.
- Now, we are ready to configure UniversitySite to perform login and logout with ADFS SAML. Go back to your UniversitySite browser window that you opened in step 3 of this document and make the following settings changes:
- Select “Use ADFS” if you didn't already in step 4.
- Verify your UniversitySite subdomain. Typically, the default value is the correct value. Look at your UniversitySite URL. If your URL looks like this “https://X.universitysite.com/UniversitySiteX”, your subdomain is X. This usually is your company name. Do not change this value without first consulting the UniversitySite support team. If this value is incorrect, single sign-on will likely fail.
How to find your ADFS Provider URLs for copying into UniversitySite
1) First open the “AD FS Management” tool on your ADFS server. Now right-click on the “Service” folder and then click on “Edit Federation Service Properties”.
2) Now, you will see a popup that looks something like this. The “Federation Service Identifier” is what UniversitySite needs for its “Provider’s URL” setting.
Note: The Provider's URL should be the only one using HTTP of those you paste into UniversitySite
3) Next, we need to find the Provider’s SSO and SLO URL for UniversitySite. After closing the popup above, open the “Endpoints” folder and look for the “SAML 2.0/WS-Federation” item. Here you will find the “URL Path” that is needed to build the UniversitySite settings. The value has to be assembled by hand: start with the “Federation Service Identifier” from the previous step (for example: http://fs.profiscience.com/adfs/services/trust), then replace the “adfs/services/trust” part with the “adfs/ls” URL path from the Endpoints list, giving something like https://fs.profiscience.com/adfs/ls (this is the correct combination for this example). This value is the correct value for both the Provider’s SSO and SLO URL in UniversitySite.
Important: both the Provider's SSO and SLO URLs should be HTTPS
- Enter the ADFS signing certificate text that you exported in the previous step: open that .cer file in Notepad, copy its full contents, and paste them into the Provider's Cert field. Then click on the “Save Settings” button on the left.
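The three values UniversitySite needs from ADFS (Provider's URL, the SSO/SLO URL, and the token-signing certificate as Base-64 X.509 text), gathered with PowerShell rather than from the management console and the Copy to File wizard. This is an added example, not part of the UniversitySite documentation; it assumes it runs on the ADFS server and writes the .cer file to the temp folder.

```powershell
# Added example: collect the ADFS-side values for the UniversitySite Login Settings page.
Import-Module ADFS

$props = Get-AdfsProperties

# "Provider's URL" is the Federation Service Identifier. It is the only value
# that is expected to use http://, as noted above.
$providerUrl = $props.Identifier.AbsoluteUri.TrimEnd('/')

# "Provider's SSO URL" and "SLO URL": the /adfs/ls endpoint over https on the
# federation service host, the same derivation as step 3 above.
$ssoUrl = "https://$($props.HostName)/adfs/ls"
$sloUrl = $ssoUrl

# "Provider's Cert": the PRIMARY token-signing certificate, written as a
# Base-64 encoded X.509 (.CER) file, the same text the Copy to File wizard produces.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($signing.Certificate.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
$cerPath = Join-Path $env:TEMP 'adfs-token-signing.cer'
Set-Content -Path $cerPath -Value $pem -Encoding ascii

# Checks matching the notes in this document: Provider URL is http, SSO/SLO are https.
if ($providerUrl -notmatch '^http://') { Write-Warning "Provider's URL is not http: $providerUrl" }
if ($ssoUrl -notmatch '^https://')     { Write-Warning "SSO/SLO URL is not https: $ssoUrl" }

"Provider's URL : $providerUrl"
"Provider's SSO : $ssoUrl"
"Provider's SLO : $sloUrl"
"Provider's Cert: $cerPath (thumbprint $($signing.Thumbprint), expires $($signing.Certificate.NotAfter))"
```

ADFS rolls its token-signing certificate automatically by default (AutoCertificateRollover), so note the printed expiry date and paste the new certificate into UniversitySite before the replacement becomes primary, or logins will fail with signature validation errors.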
- Now, you should be able to log out and then log back in using ADFS as your identity provider. Your email address must already exist as a user in UniversitySite in order to log in successfully.
- If there are any problems, you can look at the error messages in the ADFS event log which, believe it or not, can provide insight as to what is set up wrong.