ADFS 3.0 Configuration Example

    This page describes how to set up a SAML SSO connection with ServiceChannel in ADFS 3.0.

    Configuring Connection via the Relying Party Trust Wizard

    1. Start the Relying Party Trust Wizard.

    2. Select Enter data about the relying party manually, and then click Next.

    3. Enter the trust display name, and then click Next.

    4. Select AD FS Profile, and then click Next.

    5. (Optional) Configure the token encryption certificate, and then click Next.

    6. Select both Enable support for the WS-Federation Passive protocol URL and Enable support for the SAML 2.0 WebSSO protocol. Enter the ServiceChannel SAML SSO URL, and then click Next.

    7. Under Relying party trust identifier, the default identifier is present. If necessary, enter other identifiers, and then click Next.

    8. Click Next to skip the multi-factor authentication setup.

    9. Select the appropriate authorization rule. This can be changed later.

    10. Review the configured settings before adding the relying party trust to the configuration database, and then click Next.

    11. Select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close.

    12. In the Edit Claim Rules window, click Add Rule.

    13. In the Claim rule template drop-down list, keep the default Send LDAP Attributes as Claims option, and then click Next.

    14. Enter the claim rule name. In the Attribute store drop-down list, select Active Directory.

    15. In the LDAP Attribute drop-down list, select E-Mail-Addresses. In the Outgoing Claim Type list, select Name ID.

      Note: Each claim rule will differ depending on the attributes sent. In this example, the claim rule obtains the user's email address from Active Directory and sends it as the Name ID field of the SAML assertion.

    16. Click Finish.

    The configuration is complete. Begin testing.
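    The trust that the wizard builds in steps 1 through 16, created instead with the AD FS PowerShell module (Windows Server 2012 R2 ships AD FS 3.0). This is an added example, not part of the original page or of ServiceChannel's documentation; the identifier https://login.servicechannel.com is taken from the direct-link section below, while the ServiceChannel SAML SSO URL from step 6 is not given on this page and is a placeholder here, assumed to serve both the WS-Federation and the SAML endpoints.

```powershell
# Added example: builds the relying party trust from steps 1-16 with the AD FS cmdlets.
# Assumption: <servicechannel-saml-sso-url> stands for the "ServiceChannel SAML SSO URL"
# entered in step 6; this page does not state it, so replace the placeholder.
Import-Module ADFS

$trustName  = "ServiceChannel"
$identifier = "https://login.servicechannel.com"        # RP identifier, as in the direct link
$ssoUrl     = "https://<servicechannel-saml-sso-url>"   # placeholder for the step 6 URL

# Step 6: SAML 2.0 WebSSO endpoint (HTTP-POST assertion consumer service).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri $ssoUrl -Index 0 -IsDefault $true

# Steps 13-15: "Send LDAP Attributes as Claims" rule that reads the user's mail
# attribute from Active Directory and issues it as the Name ID of the SAML assertion.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email address as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Step 9: issuance authorization rule. "Permit all users" is the wizard default;
# replace it with a group-based rule if not every AD user should reach ServiceChannel.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 2-7: create the trust with both WS-Federation Passive and SAML 2.0 WebSSO enabled.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $identifier `
    -ProtocolProfile "WsFed-SAML" `
    -WSFedEndpoint $ssoUrl `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: confirm the identifier and the Name ID rule before testing with idpinitiatedsignon.aspx.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, ProtocolProfile, IssuanceTransformRules
```

    Step 5 (token encryption) is omitted here; if ServiceChannel supplies an encryption certificate, pass it with -EncryptionCertificate on Add-AdfsRelyingPartyTrust.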

    Trust Properties Screenshots

    Testing the Configuration

    1. Open Internet Explorer and browse to https://<yourdomain>/adfs/ls/idpinitiatedsignon.aspx. A page with a drop-down list of all configured relying party trusts opens.

    2. Select the required relying party trust and click Continue to Sign In. If the configuration is correct, you should be logged in.

    Troubleshooting

    If you see the ServiceChannel login form, your connection is set up properly, but there is either an issue with the configuration on the ServiceChannel side or the wrong data is being sent in the SAML assertion. Contact ServiceChannel to debug.

    Creating a Direct Link

    You can create a direct link so that users do not need to select from a drop-down list.

    To do that, browse to https://<yourdomain>/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://login.servicechannel.com