Setting up an ADFS server for use with Pressero SSO


 

Pressero allows you to use accounts in your own Active Directory domain for Single Sign-On (SSO). Once a user has logged in to your intranet, the intranet can hand off seamlessly to the store site through a special link, without showing the store login screen. Setting this up requires an ADFS server in the client's Active Directory domain. Only the HTTPS port (TCP 443) needs to be open from the Internet to the ADFS server.

 

Here is how to set up the ADFS server. Before the ADFS server is configured, SSO must be configured for the site on the Pressero side; see the “Generic” section of the “Single Sign-On (SSO)” KB article for that.

 

Also see the end of this document for how to use ADFS advanced claim definitions to assign values to Pressero fields.

 

Preparation

  1. Configure a Windows Server 2012 R2 machine (or VM) and install all Windows updates.

  2. Join this server to your Active Directory domain. It should not be a domain controller.

  3. Decide what the public IP address will be. Configure your firewall to map this public IP address to the server and permit only incoming HTTPS (TCP 443) traffic.

  4. Decide what the FQDN of your ADFS server will be (the hostname that is visible to the Internet). (Below I am using adfs.aleyant.com.)
     Important: this need not be in the same domain as your Active Directory domain. (In our example, the Active Directory domain is aleyantdns.com but the public domain is aleyant.com.)
     Set up public DNS to map the public FQDN to your public IP.

  5. Make sure you have an SSL certificate available that covers the public FQDN from step 4. You will need this certificate in PFX form (with the private key included).

  6. Download and unzip this file: Generic.zip . You will need the file Generic.CER in steps 6 and 19 of “Setting up the Pressero site as a Relying Party Trust” below.

  7. From the SSO configuration in Pressero, you will have a URL like https://<yoursite>/sso/assertion/<a guid>. You will need this in step 20 of the Relying Party Trust section, and again for the intranet link in step 23.
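The following PowerShell script is an added pre-flight check for the Preparation steps above; it is not part of the Pressero KB. It verifies, before you touch the ADFS wizard, that public DNS resolves the Federation Service name, that the PFX actually covers that name and carries its private key, and that only 443 is reachable from outside. The FQDN, PFX path and the resolver address are assumptions to replace with your own values; run the port check from a machine outside your LAN.

```powershell
# Added pre-flight checks for the Preparation steps (example code, not from the Pressero KB).
# Assumed values: replace the FQDN and PFX path with your own.
$PublicFqdn = 'adfs.aleyant.com'      # public Federation Service name (Preparation step 4)
$PfxPath    = 'C:\certs\adfs.pfx'     # assumed path to the SSL certificate (Preparation step 5)
$PfxPass    = Read-Host -AsSecureString 'PFX password'

# 1. Public DNS must resolve the FQDN (step 4). Query a public resolver (assumed: 8.8.8.8)
#    so that an internal split-brain zone cannot mask a missing public record.
$dns = Resolve-DnsName -Name $PublicFqdn -Type A -Server 8.8.8.8 -ErrorAction Stop
"{0} resolves to {1}" -f $PublicFqdn, ($dns.IPAddress -join ', ')

# 2. The certificate must include the private key and name the public FQDN (step 5).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $PfxPass, $flags
if (-not $cert.HasPrivateKey) {
    throw "$PfxPath contains no private key; export the PFX again with the key included."
}
# DnsNameList (added by PowerShell to X509Certificate2) lists the CN and every SAN DNS entry.
$names   = @($cert.DnsNameList.Unicode)
$covered = $names | Where-Object {
    $_ -eq $PublicFqdn -or ($_.StartsWith('*.') -and $PublicFqdn -like $_)   # exact or wildcard match
}
if (-not $covered) {
    throw "Certificate names ($($names -join ', ')) do not cover $PublicFqdn"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it before publishing ADFS."
}
"Certificate OK: $($cert.Subject), valid until $($cert.NotAfter)"

# 3. Only HTTPS should be reachable from the Internet (step 3). Run this part from outside the LAN.
foreach ($port in 443, 80, 3389) {
    $r = Test-NetConnection -ComputerName $PublicFqdn -Port $port -WarningAction SilentlyContinue
    "{0,5}  {1}" -f $port, $(if ($r.TcpTestSucceeded) { 'OPEN' } else { 'closed' })
}
```

Only port 443 should report OPEN; if 80 or 3389 is open from the outside, fix the firewall rule from step 3 before continuing.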

Setting up the ADFS server role

  1. Start the Add Roles and Features wizard. Select the Active Directory Federation Services and the Web Server roles and install them. Reboot if required. (AD FS on Windows Server 2012 R2 does not itself run on IIS, so the Web Server role is not strictly required, but the steps below follow the wizard as written.)
     

  2. When installation is done, you will see “Configuration required. Installation succeeded on <servername>.” Click the “Configure the federation service on this server” link. (If you had to reboot, you can reach this from Server Manager, select Tools > AD FS Management.)
     

  3. The Active Directory Federation Services Configuration Wizard starts. On the first screen make sure “Create the first federation server in a federation server farm” is selected and click Next.
     

  4. Specify an account with Active Directory domain administrator permissions (it is used only while the wizard runs) and click Next.
     

  5. On the Specify Service Properties screen, select your SSL certificate. If you have not already imported it into IIS, you can import it from this screen. (Remember, this is the certificate for your ADFS server, not the certificate for your Pressero site, nor the GENERIC.CER that is used to sign SAML requests between the servers.)
     Also, put the public FQDN from Preparation step 4 in the text box as the Federation Service Name. Again, be careful to use the public FQDN, not the Active Directory FQDN of this machine: they may be different, and the name you enter here must match the name on the SSL certificate.
     Enter your company name as the Federation Service Display Name.
     Click Next.
     

  6. On the Specify Service Account screen, you can type a new name for a new service account, which will be created in Active Directory, or you can specify one that already exists. Use a dedicated account for the ADFS service rather than the domain administrator account from step 4. After making the selection click Next.
     

  7. On the Specify Configuration Database screen, just leave the selection as Create a database on this server (the Windows Internal Database, which is sufficient for a single-server farm). Click Next. This step may take a minute.
     

  8. Review your options on the Review Options screen, and click Next.
     

  9. After the Pre-requisite Checks are done, click Configure.

  10. Configuration may take a minute. When it is done, click Close.
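The same ten wizard steps can be performed from PowerShell. The script below is an added example, not part of the Pressero KB; it installs the role, imports the PFX into the computer store, creates the first server of the farm, and then checks the result. The FQDN, display name, PFX path and the service account name are assumptions; replace them with your own.

```powershell
# Added PowerShell equivalent of "Setting up the ADFS server role" (example code, not from the KB).
# Run in an elevated session on the domain-joined member server.
$PublicFqdn  = 'adfs.aleyant.com'    # Federation Service Name = the PUBLIC FQDN, not the host's AD name
$DisplayName = 'Aleyant'             # Federation Service Display Name (your company name)
$PfxPath     = 'C:\certs\adfs.pfx'   # assumed path to the SSL certificate from Preparation step 5

# Step 1: the AD FS role. Add '-Name Web-Server' as well only if you want to mirror the wizard
# text exactly; AD FS on 2012 R2 does not itself depend on IIS.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Step 5: the SSL certificate must be in the local computer store before the farm is created.
$pfxPass = Read-Host -AsSecureString 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass

# Steps 3 to 7: first server in a new farm using the Windows Internal Database (the default).
# -Credential is the domain administrator used only during installation (step 4);
# -ServiceAccountCredential is the dedicated account AD FS will run as (step 6).
$adminCred = Get-Credential -Message 'Domain administrator (used only during installation)'
$svcCred   = Get-Credential -Message 'AD FS service account, e.g. ALEYANTDNS\svc-adfs (assumed name)'
Import-Module ADFS
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $PublicFqdn `
                 -FederationServiceDisplayName $DisplayName `
                 -ServiceAccountCredential $svcCred `
                 -Credential $adminCred

# Verify: the service name must be the public FQDN, and the federation metadata document
# (what Pressero and any other relying party will fetch) must be served over HTTPS.
Get-AdfsProperties | Select-Object HostName, Identifier, DisplayName
$metadata = "https://$PublicFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
(Invoke-WebRequest -UseBasicParsing -Uri $metadata).StatusCode   # 200 when the service is up
```

If HostName in the output shows the machine's Active Directory name instead of the public FQDN, the farm was configured with the wrong Federation Service Name; rerun the configuration with the correct value rather than trying to patch it afterwards.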
     

 

Setting up the Pressero site as a Relying Party Trust

  1. In Server Manager, choose Tools > AD FS Management.
     

  2. Expand Trust Relationships, click Relying Party Trusts, and click Add Relying Party Trust.
     

  3. Click Start to begin the wizard. On the Select Data Source screen, choose “Enter data about the relying party manually” and click Next.
     

  4. For the display name, enter your site name or URL as desired. Enter any notes here that you wish. Click Next.
     

  5. On the Choose Profile screen just click Next.

  6. On the Configure Certificate screen, browse to the Generic.CER file provided in the Generic.zip download (Preparation step 6). This is the token encryption certificate for this relying party. Click Next.
     

  7. Click Next to skip the Configure URL step.

  8. On the Configure Identifiers screen, enter only https://{hostname}, where {hostname} is the hostname of your Pressero site (the <yoursite> part of the assertion URL from Preparation step 7).
     No trailing slash and nothing after the hostname. Click Add and then click Next.

     

  9. Click Next to skip the Multi-Factor Authentication step.

  10. Click Next to accept the default rule, “Permit all users to access this relying party”. (If you need to restrict it to certain Active Directory users or groups, you can do it after the wizard finishes.)

  11. Review the data on the Ready To Add Trust screen, then click Next.

  12. Click Close when it is complete. The Edit Claim Rules dialog will open.
     

  13. The issuance transform rule defines which Active Directory attributes are returned as claims to Pressero. Click Add Rule to begin.

  14. Leave the selection as “Send LDAP Attributes as Claims” and click Next.
     

  15. Give the rule a name, like “Return to Pressero”.
     Select the Attribute Store “Active Directory”.
     Add the four mappings (LDAP attribute to outgoing claim type) as shown below. Then click Finish.
     

  16. If you wish to restrict SSO to certain Active Directory users or groups, use the Issuance Authorization Rules to do this. The default rule lets all Active Directory users use the SSO operation.

  17. Click OK to close the Edit Claim Rules dialog.

  18. Some final steps are necessary for the Relying Party Trust. Select the Trust you just added; right click it and choose Properties.

  19. Click the Signature tab. Click the Add button and browse to the GENERIC.CER you downloaded earlier. This is the certificate ADFS uses to verify the signature on SAML requests coming from Pressero.

  20. Click the Endpoints tab. Click the Add SAML button. Leave the Endpoint type as SAML Assertion Consumer and choose "POST" from the Binding dropdown. Paste the full URL you got from the Pressero admin page (https://<yoursite>/sso/assertion/<a guid>) into the Trusted URL box. Leave the Response URL blank, and click OK.

  21. Click OK to finish editing the Relying Party Trust properties.

  22. You are finished! At this point SSO should be working. Go to your site login page and test it with an ordinary Active Directory user.

  23. To skip the login page when going from your intranet to Pressero, use the URL from Preparation step 7 as part of your intranet (in a link, for example). When a browser goes to that page, Pressero begins the SSO process. If the user is already logged in to the intranet, this takes them directly to the home page of the site without another login being necessary.
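The relying party trust from steps 1 to 21 can also be created in one go with the ADFS PowerShell module. This is an added example rather than the KB's own procedure, and it makes the relationship between the wizard screens and the trust's properties explicit: Generic.CER is used twice (encryption certificate and request-signing certificate), the identifier is the bare https://<hostname>, and the single endpoint is a POST-bound assertion consumer. The store hostname, the GUID placeholder, the path to Generic.CER and the four LDAP attributes in the transform rule are assumptions (the KB's screenshot with the four mappings is not reproduced here), so substitute your own values.

```powershell
# Added PowerShell equivalent of "Setting up the Pressero site as a Relying Party Trust"
# (example code, not from the KB). Assumed values are marked; replace them with your own.
Import-Module ADFS
$SiteHost      = 'store.example.com'            # assumed hostname of your Pressero site
$AssertionGuid = 'PASTE-GUID-FROM-PRESSERO'      # the <a guid> part of the URL from Preparation step 7
$AssertionUrl  = "https://$SiteHost/sso/assertion/$AssertionGuid"
$GenericCer    = 'C:\sso\Generic.CER'            # assumed path to the extracted Generic.CER

$generic = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $GenericCer

# Step 20: one SAML assertion consumer endpoint, POST binding, trusted URL from Pressero.
$endpoint = New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri $AssertionUrl -Index 0

# Steps 13 to 15: "Send LDAP Attributes as Claims". The four attribute/claim pairs below are
# ASSUMED placeholders; use the four mappings from the KB screenshot instead.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Return to Pressero"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,givenName,sn,sAMAccountName;{0}", param = c.Value);
'@

# Steps 10 and 16: the default "Permit all users" authorization rule. To restrict SSO to one
# AD group instead, replace it with a rule on the groupsid claim (the SID is a placeholder):
#   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1234"]
#    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 3 to 12 and 18 to 21 in one call. Generic.CER is both the token encryption certificate
# (wizard "Configure Certificate" screen, step 6) and the request-signing certificate (Signature tab, step 19).
Add-AdfsRelyingPartyTrust -Name "Pressero $SiteHost" `
    -Identifier "https://$SiteHost" `
    -EncryptionCertificate $generic `
    -RequestSigningCertificate $generic `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -Notes 'Pressero storefront SSO'

# Check what ADFS stored; identifier and endpoint must match the Pressero side character for character.
Get-AdfsRelyingPartyTrust -Name "Pressero $SiteHost" |
    Select-Object Name, Identifier, SamlEndpoints, EncryptionCertificate, RequestSigningCertificate
```

If the identifier in the output carries a trailing slash or a path, Pressero's assertion will be rejected with an audience mismatch; correct it with Set-AdfsRelyingPartyTrust -TargetName "Pressero <hostname>" -Identifier "https://<hostname>".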

 

Using ADFS advanced claim definitions to assign values to Pressero Fields

Pressero does not currently process incoming values. It can assign the value of any SAML claim to a Pressero field, but it cannot make decisions such as “if the e-mail address matches this, set the group to that.” There is no current plan to add such processing, because of programmer time constraints.


However, Windows ADFS *does* have such scripting abilities. So by using ADFS advanced claim definitions you can produce rules like “if the e-mail address ends with rsg.com, then pass security group "RSG"”. Here are some resources describing the ADFS claims rule language:

This must be configured on the client's ADFS server, since that is the only machine that has access to the client's Active Directory.
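As an added example (not from the KB), the rule described above written in the ADFS claims rule language and appended to the relying party trust with PowerShell. The trust name and the outgoing claim type are assumptions: the claim type must be whatever name your Pressero SSO configuration maps to the group field. The rule reads the e-mail claim produced by the “Return to Pressero” rule, so it has to come after that rule in the rule set.

```powershell
# Added example of an advanced claim rule (example code, not from the KB).
Import-Module ADFS
$TrustName = 'Pressero store.example.com'   # assumed name of the relying party trust created earlier

# Custom rule: if the e-mail claim ends in "@rsg.com", issue a group claim with the value "RSG".
# - The "@" in the pattern matters: "@rsg[.]com$" does not match user@notrsg.com or user@rsg.com.evil.
# - "[.]" is a literal dot; "(?i)" makes the match case-insensitive.
# - The outgoing claim type (http://schemas.xmlsoap.org/claims/Group) is an ASSUMPTION; use the
#   claim name that your Pressero SSO configuration maps to the group field.
$rule = @'
@RuleName = "Pressero group from e-mail domain"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "(?i)@rsg[.]com$"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "RSG");
'@

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

# Rules only see claims already in the pipeline, and the e-mail claim is issued by the
# "Send LDAP Attributes" rule, so the new rule is appended AFTER the existing rule set.
$newRuleSet = $trust.IssuanceTransformRules.TrimEnd() + "`r`n`r`n" + $rule
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $newRuleSet

# Show the final rule set; the custom rule must be listed after "Return to Pressero".
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

The e-mail value comes from the mail attribute in the client's Active Directory, so the rule is only as trustworthy as that attribute: anyone who can edit users' mail attributes can grant themselves the "RSG" group in Pressero, which is why this logic belongs on the client's ADFS server and not in a user-editable profile field.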