SSO

Active Directory Federation Services

Customers on the Performance plan and above can set up ADFS SSO with ProdPad. This allows your AD users to log in to ProdPad without entering a ProdPad password.

In ADFS

Create a Claims aware relying party trust

  1. In Server Manager, click Tools, and then select AD FS Management.
  2. Under Actions, click Add Relying Party Trust.
  3. On the Welcome page, choose Claims aware and click Start.
  4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.
  5. On the Specify Display Name page, enter a name in Display name, e.g. ProdPad, and then click Next.
  6. On the Configure Certificate page, find and add your certificate, then click Next.
  7. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol check box. Under Relying party SAML 2.0 SSO service URL, enter https://api.prodpad.com/api/v2/sso/saml/acs, then click Next.
  8. On the Configure Identifiers page, add https://api.prodpad.com/api/v2/sso/saml/metadata to the list, and then click Next.
  9. On the Ready to Add Trust page, review the settings, and then click Next.
  10. On the Finish page, click Close.

Alternatively, create a claims aware Relying Party Trust using federation metadata

  1. In Server Manager, click Tools, and then select AD FS Management.
  2. Under Actions, click Add Relying Party Trust.
  3. On the Welcome page, choose Claims aware and click Start.
  4. On the Select Data Source page, click ‘Import data about the relying party published online or on a local network’. In ‘Federation metadata address (host name or URL)’, enter https://api.prodpad.com/api/v2/sso/saml/metadata, and then click Next.
  5. On the Specify Display Name page, enter a name in Display name, e.g. ProdPad, and then click Next.
  6. On the Choose Issuance Authorization Rules page, select either Permit all users to access this relying party or Deny all users access to this relying party, and then click Next.
  7. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.
  8. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.

Create claim rules

Once the relying party trust has been created, the claim rule editor opens by default.

  1. To create a new rule, click ‘Add Rule’. Create a ‘Send LDAP Attributes as Claims’ rule.
  2. On the next page, using ‘Active Directory’ as your attribute store, do the following:
    1. Select ‘E-Mail Addresses’ in the LDAP Attribute column.
    2. Select ‘E-Mail Address’ in the ‘Outgoing Claim Type’ column.
  3. Click ‘OK’.
  4. Click ‘Add Rule’ and select ‘Transform an Incoming Claim’ as the claim rule template.
  5. On the next page:
    1. For the ‘Incoming Claim Type’ select ‘E-mail Address’.
    2. For ‘Outgoing Claim Type’, select ‘Name ID’.
    3. For ‘Outgoing Name ID Format’, select ‘Email’.
    4. Leave ‘Pass through all claim values’ set as the default.
  6. Click ‘OK’ to create the claim rule, and ‘OK’ again to finish.

In ProdPad

  1. To start, go to Account Settings and select the Authentication tab.
  2. Select ADFS from the "Add authentication" dropdown.
  3. Copy your SAML Entity ID/URL into the "Sign-In URL" field in ProdPad.
  4. Copy your SAML Single Sign-On Service URL into the "ACS Http Endpoint" field in ProdPad.
  5. Copy your Sign Out URL into the "Logout URL" field in ProdPad.
  6. Paste the text of your X.509 certificate into the X.509 field.
  7. Add your domain.
  8. Click Save.
  9. You'll be sent an email containing a link; click it or paste it into your browser to verify that the domain is valid. Once that is done, the authentication setup becomes active and your users can start using Active Directory to log in to ProdPad.
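The values that steps 3 to 6 ask for all come from the AD FS side. As an added example (not ProdPad’s code), the script below reads the federation service identifier, builds the SAML endpoint URL from the service host name, and exports the primary token-signing certificate as PEM so it can be pasted into the X.509 field. It assumes the AD FS PowerShell module on the federation server; `/adfs/ls/` is the default AD FS passive endpoint path, and `Get-ProdPadSsoValues` is a name chosen for this example.

```powershell
# Added example (not ProdPad's code): gather the AD FS values the ProdPad
# Authentication form asks for. Assumes the AD FS PowerShell module on the
# federation server; /adfs/ls/ is the default AD FS SAML endpoint path.
Import-Module ADFS

function Get-ProdPadSsoValues {
    $props = Get-AdfsProperties
    $hostName = $props.HostName

    # Primary token-signing certificate: the one that signs SAML assertions.
    $signing = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }
    $cert = $signing.Certificate

    # PEM-encode the DER bytes; line breaks keep the block paste-friendly.
    $b64 = [Convert]::ToBase64String($cert.RawData,
        [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"

    [pscustomobject]@{
        SignInUrl       = "$($props.Identifier)"         # federation service identifier (Entity ID)
        AcsHttpEndpoint = "https://$hostName/adfs/ls/"   # SAML 2.0 SSO service endpoint
        LogoutUrl       = "https://$hostName/adfs/ls/"   # AD FS publishes SingleLogoutService at the same path
        CertThumbprint  = $cert.Thumbprint
        CertNotAfter    = $cert.NotAfter
        X509Pem         = $pem
    }
}

$values = Get-ProdPadSsoValues
$values | Format-List

# Confirm the SAML endpoint is enabled (and published through the proxy if
# users sign in from outside the network) before pasting it into ProdPad.
Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq '/adfs/ls/' } |
    Format-Table AddressPath, Enabled, Proxy, Protocol
```

Two checks worth doing with the output: `CertNotAfter` tells you when the pasted certificate stops validating assertions, and `(Get-AdfsProperties).AutoCertificateRollover` tells you whether AD FS will generate a new token-signing certificate on its own before then. With rollover enabled, the certificate in ProdPad has to be replaced when AD FS promotes the new one, otherwise sign-in fails even though nothing changed on the ProdPad side.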

Provisioning

ADFS needs some changes to the claim rules to enable role provisioning with ProdPad.

ProdPad requires an attribute named User.ProdpadRole in the SAML assertion, with the value admin, editor or reviewer.

How you achieve this is up to you, whether by group membership or direct assignment. If no value is supplied, the user's role defaults to reviewer.

You can read about how to send claims using custom rules here:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-claims-using-a-custom-rule
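One way to issue User.ProdpadRole from group membership, as an added example that is neither ProdPad’s rules nor Microsoft’s documentation: a rule per role, each in the shape of the “Send Group Membership as a Claim” template, appended to the transform rules already on the trust. The trust name ProdPad, the three group names, and the helper names `ConvertTo-Sid` and `New-ProdPadRoleRule` are assumptions; the group names are placeholders to replace with your own.

```powershell
# Added example (not ProdPad's code): issue User.ProdpadRole from AD group
# membership and append the rules to the ProdPad trust. Assumptions: the
# display name "ProdPad" and the three group names below, which are
# placeholders for your own groups and are resolved to SIDs on a domain-joined server.
Import-Module ADFS

$displayName  = 'ProdPad'
$groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

# Role -> group (placeholder names). Keep these groups mutually exclusive:
# every matching rule issues its own claim, so a user in two of them would
# receive two User.ProdpadRole values. Users in none default to reviewer.
$roleGroups = [ordered]@{
    admin    = 'CONTOSO\ProdPad-Admins'
    editor   = 'CONTOSO\ProdPad-Editors'
    reviewer = 'CONTOSO\ProdPad-Reviewers'
}

function ConvertTo-Sid([string]$account) {
    # Resolve DOMAIN\Group to its SID; group SIDs are what the groupsid claim carries.
    ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function New-ProdPadRoleRule([string]$role, [string]$sid) {
    # Same shape as the "Send Group Membership as a Claim" template, with the
    # outgoing claim type ProdPad expects and the role name as its value.
@"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "ProdPad role: $role"
c:[Type == "$groupSidType", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "User.ProdpadRole", Value = "$role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

"@
}

$roleRules = foreach ($role in $roleGroups.Keys) {
    New-ProdPadRoleRule -role $role -sid (ConvertTo-Sid $roleGroups[$role])
}

$trust = Get-AdfsRelyingPartyTrust -Name $displayName
if ($trust.IssuanceTransformRules -match 'User\.ProdpadRole') {
    Write-Warning "Trust '$displayName' already issues User.ProdpadRole; not adding duplicates."
} else {
    # Set-AdfsRelyingPartyTrust replaces the whole rule set, so append to the existing text.
    Set-AdfsRelyingPartyTrust -TargetName $displayName `
        -IssuanceTransformRules ($trust.IssuanceTransformRules + "`n" + ($roleRules -join ''))
}
```

Mapping roles to groups rather than to individual accounts keeps the admin role reviewable from group membership alone, and because ProdPad falls back to reviewer when no claim is present, a user who is removed from every mapped group loses elevated access at their next sign-in without any rule change.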
