This page describes steps to be done in ADFS 3.0 to set up SAML SSO connection with ServiceChannel.
How to Configure using the Relying Party Trust Wizard
- Start the Relying Party Trust wizard.
- Select Enter data manually, and then click Next.
- Enter Trust Display Name and (optionally) Notes, and then click Next.
- Select AD FS Profile, and then click Next.
- (Optional) Configure the Token Encryption Certificate, and then click Next.
- Select both Enable support for the WS-Federation Passive protocol URL and Enable support for the SAML 2.0 WebSSO protocol. Enter the ServiceChannel SAML SSO URL, and then click Next.
- Under the Relying party trust identifier section, the default is already present. Enter other identifiers, as necessary, and then click Next.
- Click Next to bypass Multi-factor authentication.
- Select the appropriate authorization rule. This can be changed later.
- Lastly, you can review the configured setting before committing them.
- Click Finish to open the Claims Rule configuration.
- When the Claims Rule windows appears click ‘Add Rule.’
- Keep the default ‘Send LDAP Attributes as Claims’, click Next.
- Enter Claim Rule name. Select ‘Active Directory’ as the Attribute Store. Each claim rule will differ depending on what attribute(s) are being sent.
In this example we are sending two claim rules. The first claim rule obtains the users email address from Active Directory.
In the second rule, we will drop the email address suffix and send the final claim as the users email name only (no Domain). SCUser@MyCompany.com becomes SCUser and the assertion claim is sent.
- Click Add Rule again. This time we are selecting ‘Send Claims Using a Custom Rule’.
- In this custom rule we are taking the email address from the previous rule, dropping the email suffix to obtain the final claim assertion which is the users email name without the domain. For example, SCUser@MyCompany.com becomes SCUser and the claim is sent. This example required a combination of Windows Claim Rule Language and RegEx manipulation.
- There should now be two claim rules and the configuration is complete. Begin testing!
Trust properties screenshots:
How to test the configuration:
- Open Internet Explorer and browse to https://<yourdomain>/adfs/ls/idpinitiatedsignon.aspx.
- This opens a generic page with a drop down list of all Relying Party Trusts configured.
- Select the one you want to log in to and click on Continue to Sign In.
- When configured properly, you will be logged in.
If you see ServiceChannel login form, your connection is set up properly but there is an issue with configuration on SC side or wrong data sent in SAML assertion. Contact SC to debug.
Creating a Link to Directly Connect
To create a direct link so users do not need to select from a drop down list, browse to https:// <yourdomain>/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://login.servicechannel.com