Introduction
Active Directory Federation Services (AD FS) allows your organization's users to authenticate seamlessly with HelloID and their other applications. This guide will walk you through the steps of configuring AD FS as an Identity Provider (IdP) for HelloID.
Install Active Directory Federation Services
You must first install and configure Active Directory Federation Services before using it as an Identity Provider for HelloID. Please refer to this Microsoft AD FS Deployment Guide for instructions and best practices. If you have already done this, you may move on to the next section.
Configure HelloID
Create or Import a Certificate in HelloID
HelloID signs the SAML requests it sends to the Identity Provider with a certificate, and the same certificate is registered in AD FS (as the encryption certificate and as the request-signing certificate) so that AD FS can protect the assertions it returns and verify the requests it receives. You can either import an existing certificate into HelloID or create a self-signed certificate. For this example, we will create a self-signed certificate.
- On the HelloID Administrator Dashboard, navigate to Settings > Certificates.
- Click Create Self-Signed Certificate.
- Enter the fields for the new certificate and press Save to continue. Learn more about creating and using certificates here.
- Click the Details link of the new certificate.
- Click the Download button to download a copy of the certificate.
- Copy the downloaded certificate to the AD FS server in a new folder (e.g., C:\HelloID Certificates).
Add the Identity Provider to HelloID
- On the HelloID Administrator Dashboard, navigate to Security > Authentication > Identity Providers.
- Click Create Provider.
- Find the Active Directory Federation Services Identity Provider, and click the Add button next to it.
- On the Portal Information tab, you have a handful of configuration options. View a complete configuration reference here.
- Make note of the Consumer URL value, as you will need it later.
- Disable Require SAML response signature. AD FS signs the SAML assertion by default but not the enclosing response message, so leave this disabled unless you change the relying party trust's SAML response signature setting in AD FS to sign both the message and the assertion; the assertion itself is still signed either way.
- Enable JIT if you wish (recommended).
- Set the other options as desired.
- Click Next.
- The Configuration tab lets you specify the details of your AD FS IdP. Configure the following required settings and click Next. You may configure other optional settings as desired.
- Login URL: Enter the URL of the AD FS site's /adfs/ls/ endpoint.
- IMPORTANT: Verify that the URL ends with a forward slash.
- Request Certificate: Select the certificate that you created or imported in HelloID.
- The Client Restrictions tab lets you show or hide this IdP on the login screen based on the client's IP address or source. Because the client's browser must be able to reach the AD FS sign-in endpoint, you may want to show this IdP only to clients coming from your organization's own IP ranges. Configure this tab as you see fit and click Save. View more information about client restrictions here.
Configure Active Directory Federation Services
- On the AD FS server, open the AD FS Management console.
- Click Add Relying Party Trust...
- The Add Relying Party Trust Wizard will open. At Welcome page, click Start.
- On the Select Data Source page, select Enter data about the relying party manually. Click Next to continue.
- On the Specify Display Name page, enter a recognizable Display name and click Next.
- On the Configure Certificate page, click Browse.
- In the file explorer that appears, find the certificate that you exported from HelloID. Select the certificate file and click Open.
- Verify the certificate's details that appear and click Next.
- On the Configure URL page, select Enable support for the SAML 2.0 WebSSO Protocol. Then, paste the Consumer URL value from the IdP Portal Information page in HelloID. Click Next to continue.
- On the Configure Identifiers page, enter your HelloID portal URL into the Relying party trust identifier text box and click Add.
- Once the relying party trust identifier has been added, click Next.
- On the Choose Access Control Policy page, select Permit Everyone and click Next. This lets any user who can authenticate to AD FS obtain a token for HelloID; if only some users should be able to sign in, choose a more restrictive policy here instead.
- On the Ready to Add Trust page, verify that all settings are correct and click Next.
- On the Finish page, ensure that Configure claims issuance policy for this application is selected, and click Close.
- The Edit Claim Issuance Policy window will appear. Click Add Rule... This will bring up the Add Transform Claim Rule Wizard.
- On the Select Rule Template page, select Transform an Incoming Claim from the Claim rule template dropdown. Click Next to continue.
- On the Configure Rule page, enter the following settings.
- Claim rule name: Name ID
- Incoming claim type: UPN
- Outgoing claim type: Name ID
- Outgoing name ID format: Unspecified
Note: HelloID stores the Windows account name in the Name ID attribute, so the UPN claim from AD FS must be transformed into a Name ID claim for the login to work.
- Click Finish to add the rule.
- Click Add Rule... to add another rule.
- On the Select Rule Template page, select Send LDAP Attributes as Claims from the Claim rule template dropdown. Click Next to continue.
- On the Configure Rule page, enter the following settings:
- Claim rule name: Additional Attributes
- Attribute store: Active Directory
- Underneath Mapping of LDAP attributes to outgoing claim types, enter the following settings. Not all of these listed values are selectable, so you will need to enter them manually.
| LDAP Attribute | Outgoing Claim Type |
| --- | --- |
| Given-Name | givenName |
| Surname | sn |
| E-Mail-Addresses | email |
| objectSid | objectSID |
| User-Principal-Name | userPrincipalName |
| manager | manager |
| SAM-Account-Name | sAMAccountName |

- Click Finish to add the claim rule.
- Click OK to close the Edit Claim Issuance Policy window.
- Right click on the newly created Relying Party Trust and select Properties.
- Go to the Signature tab and click Add.
- In the file explorer that appears, find the certificate that you exported from HelloID. Select the certificate file and click Open.
- Click OK to close the window.
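The wizard steps above can also be scripted with the AD FS PowerShell module. The following is an added example, not HelloID's or Microsoft's own script: it creates the same relying party trust, registers the HelloID certificate for encryption and request-signature verification, and adds the Name ID and Additional Attributes rules in claim rule language. The certificate path, the portal URL and the Consumer URL are placeholders to replace with your own values. It also sets two things the wizard leaves at their defaults: it signs the whole SAML response (so HelloID's Require SAML response signature option could stay enabled) and it requires incoming AuthnRequests to be signed, which assumes HelloID signs them with the Request Certificate selected earlier.

```powershell
# Added example (not from HelloID or Microsoft): scripted equivalent of the
# "Add Relying Party Trust" wizard steps above. Run on the AD FS server as an
# AD FS administrator.
Import-Module ADFS

# Assumed values; replace with your own.
$certPath    = 'C:\HelloID Certificates\helloid.cer'      # certificate downloaded from HelloID
$portalUrl   = 'https://example.helloid.com'              # your HelloID portal URL (relying party identifier)
$consumerUrl = 'https://example.helloid.com/saml/consumer' # Consumer URL shown on HelloID's Portal Information tab

# Load the public certificate exported from HelloID.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# SAML 2.0 WebSSO assertion consumer endpoint ("Configure URL" page).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $consumerUrl -Index 0

# Claim rules, in AD FS claim rule language, equivalent to the two wizard rules:
#  1. Transform the incoming UPN claim into a Name ID claim (format: unspecified).
#  2. Send the listed LDAP attributes as claims with the short outgoing claim
#     types that HelloID expects (entered manually in the wizard).
$rules = @'
@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

@RuleTemplate = "LdapClaims"
@RuleName = "Additional Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("givenName", "sn", "email", "objectSID", "userPrincipalName", "manager", "sAMAccountName"), query = ";givenName,sn,mail,objectSid,userPrincipalName,manager,sAMAccountName;{0}", param = c.Value);
'@

$trust = @{
    Name                       = 'HelloID'
    Identifier                 = $portalUrl            # "Configure Identifiers" page
    SamlEndpoint               = $acs
    EncryptionCertificate      = $cert                 # "Configure Certificate" page: AD FS encrypts assertions to this key
    RequestSigningCertificate  = $cert                 # "Signature" tab: verify AuthnRequests signed by HelloID
    SignedSamlRequestsRequired = $true                 # hardening not set by the wizard: reject unsigned AuthnRequests
    SamlResponseSignature      = 'MessageAndAssertion' # default is AssertionOnly; sign the Response element too
    AccessControlPolicyName    = 'Permit everyone'     # Windows Server 2016 and later; 2012 R2 uses -IssuanceAuthorizationRules
    IssuanceTransformRules     = $rules
}
Add-AdfsRelyingPartyTrust @trust

# Check what was actually stored before testing a login.
Get-AdfsRelyingPartyTrust -Name 'HelloID' |
    Select-Object Name, Identifier, SamlResponseSignature, SignedSamlRequestsRequired, AccessControlPolicyName
```

If a login fails after running this with SignedSamlRequestsRequired set, the first thing to check in the AD FS admin event log is whether the AuthnRequest from HelloID was signed with the certificate you registered; remove that setting (or set it to `$false` with `Set-AdfsRelyingPartyTrust`) only after confirming that is the cause.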
Test the Configuration
The configuration is now complete and can be tested from a computer that can reach both the AD FS server and HelloID.
Launch a browser and navigate to your HelloID portal's login page. You should now see a new login option for the Active Directory Federation Services IdP, as shown below.
Click on the Active Directory Federation Services login, and you will be redirected to the AD FS login page. Enter your domain credentials. There will be a brief redirect, and you will be routed to the HelloID user dashboard, logged in as the Windows user. The name of the user will be displayed in the upper-right corner of the HelloID Dashboard.