Set up AD FS as identity provider (IdP) for seamless logins for learners
When you set up AD FS (Active Directory Federation Service) with SAML for your organization, all users gain a seamless experience in their working environments, without stopping to sign in to different workspaces.
Users can sign in to their accounts, and access both internal software like their desktop tools and web-based applications like LearnUpon portals without signing in multiple times.
Availability: all customers using AD FS with SAML
About Active Directory Federation Service, aka AD FS
Active Directory Federation Service (AD FS) lets you securely share digital identity and rights across security and enterprise boundaries. AD FS extends your single sign-on (SSO) functionality from one organization to Internet-facing applications. This service gives customers, partners, and suppliers a streamlined user experience while accessing the web-based applications of an organization.
See: Active Directory Federation Services Overview
In this setup process you’re collecting information to create trusted connections between the AD FS server and LearnUpon.
Prerequisites
Setting up AD FS requires:
- SAML set up in your portal. See Set up SAML SSO for your portal
- on the customer side: a working Active Directory AD FS server
- The AD FS server must be public facing and accessible using the customer's IdP SSO Target URL
- on the AD FS server, you need to configure:
- Relying Party Trust
- Claim rule(s): at minimum, the email address or username sent as the Name ID
- SHA1 or SHA256 Fingerprint (From the Token Decrypting Certificate thumbprint)
- optionally: loginToRp feature
Access permissions
This process requires:
- admins with full permissions for the top-level portal: can set up AD FS
- admin access to your organization’s Active Directory AD FS server
Step 1: Retrieve IdP SSO Target URL from AD FS
From the customer’s AD FS server > Federation Service Properties, find the server domain.
Combine the domain, such as adfs.myserver.com, with adfs/ls/IdpInitiatedSignOn.aspx to create the IdP SSO Target URL, aka the Sign On URL.
Example URL format: https://<host>:<port>/adfs/ls/IdpInitiatedSignOn.aspx
Example URL: https://adfs.myserver.com/adfs/ls/IdpInitiatedSignOn.aspx
The following screenshot shows the Federation Service Properties dialog with a sample domain highlighted.
Step 2. Retrieve the SHA1 or SHA256 certificate from the AD FS server
Copy the contents of the certificate to a safe location to use later.
You can access the certificate in 1 of 2 ways.
- from PowerShell, run the Get-AdfsCertificate command to list the AD FS certificates with their thumbprints, aka fingerprints. See Get-AdfsCertificate from Microsoft's support site
The following screenshot shows a PowerShell window listing a token-signing certificate with its thumbprint.
- use the MMC to add the AD FS Snap In.
From AD FS > Service > Certificates right-click the Token-signing entry and select View Certificate.
The following screenshot shows the directory path and View Certificate option.
From the Certificate dialog that opens, select Details, then select the Thumbprint entry.
Select and copy the Thumbprint.
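Steps 1 and 2 can be collected in one PowerShell session on the AD FS server instead of by hand. The following script is an added example, not part of the LearnUpon article or Microsoft's documentation; it assumes the AD FS PowerShell module is available (it is on any AD FS server) and that the session runs with AD FS administrator rights. It builds the IdP SSO Target URL from the federation service host name and prints both the SHA1 and SHA256 fingerprint of every token-signing certificate, primary and secondary, so that both can be entered in Manage Fingerprints ahead of an automatic certificate rollover.

```powershell
# Added example (not from the LearnUpon article or Microsoft's docs): gather the
# values that Steps 1 and 2 collect by hand, from the AD FS server's own PowerShell.
Import-Module ADFS

# Step 1: the federation service host name becomes the IdP SSO Target URL.
$hostName        = (Get-AdfsProperties).HostName
$idpSsoTargetUrl = "https://$hostName/adfs/ls/IdpInitiatedSignOn.aspx"
Write-Output "IdP SSO Target URL: $idpSsoTargetUrl"

# Fingerprint helper: hash the DER bytes of the certificate with the chosen
# algorithm and render it as colon-separated upper-case hex.
function Get-HexFingerprint {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('SHA1', 'SHA256')][string]$Algorithm
    )
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        $bytes = $hasher.ComputeHash($Certificate.RawData)
    } finally {
        $hasher.Dispose()
    }
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ':'
}

# Step 2: token-signing certificates. AD FS keeps a primary certificate and,
# around automatic rollover, a secondary one; record both fingerprints so
# SAML logins keep validating after the primary rolls over.
foreach ($entry in Get-AdfsCertificate -CertificateType Token-Signing) {
    $cert = $entry.Certificate
    [pscustomobject]@{
        IsPrimary = $entry.IsPrimary
        Subject   = $cert.Subject
        NotAfter  = $cert.NotAfter
        SHA1      = Get-HexFingerprint -Certificate $cert -Algorithm SHA1
        SHA256    = Get-HexFingerprint -Certificate $cert -Algorithm SHA256
    }
}
```

The SHA1 value matches the Thumbprint shown in the certificate's Details tab; the SHA256 value is what to enter when the portal's Manage Fingerprints setting is switched to SHA256. Noting NotAfter alongside each fingerprint gives a reminder of when the portal entry needs updating.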
Step 3. Create the Relying Party Trust
This process sets up a “trusted” connection between the AD FS server and LearnUpon, by providing the server with detailed information about your LearnUpon portal.
Note: A relying party trust is required for each portal you connect to AD FS SAML.
Follow Microsoft’s instructions to Create a Relying Party Trust.
The following steps provide highlights for a typical LearnUpon connection, but do not replace the Microsoft product documentation.
From AD FS create a Relying Party Trust by selecting the AD FS folder.
Right-click to access Add Relying Party Trust to open the associated wizard.
In the Add Relying Party Trust Wizard follow the guided steps.
On Welcome, select Claims aware > Start as shown in the screenshot.
Tip: for all following steps, select Next to proceed.
For Select Data Source select Enter data about the relying party manually, as shown in the following screenshot.
For Specify Display Name, enter a Display name for the relying party. The following screenshot shows an example for a LearnUpon portal.
NOTE: This name is for your purposes only and can be set to any name you like. It is recommended to input a name related to its use, such as the portal name, for future reference.
For Configure Certificate select Next: no action required in this step.
For Configure URL:
- select Enable support for SAML 2.0 WebSSO protocol
- for Relying party SAML 2.0 SSO service URL, enter your portal’s SAML Entry Point URL, as highlighted in the following screenshot
This URL is available from your portal’s Settings > Integrations > Single Sign On - SAML.
Example:
https://yourportal.learnupon.com/saml/consumer
For LoginToRp feature only: for Configure Identifiers, enter a Relying party trust identifier and select Add. The identifier format is up to you.
Example URL format:
https://<host>:<port>/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=<Relying Party Trust Identifier>
Example URL:
https://adfs.myserver.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=yourportal.learnupon.com
For Choose Access Control Policy, select an access control policy as required. The default is Permit Everyone, as shown in the next screenshot.
From Ready to Add Trust select Next: no action required.
For Finish, select Configure claims issuance policy for this application, as shown in the following screenshot.
Close to finish.
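The same relying party trust can be created from PowerShell, which is easier to repeat when several portals each need their own trust. The script below is an added example, not LearnUpon's or Microsoft's code; it assumes the AD FS module, a trust display name, a relying party identifier and a portal SAML Entry Point URL, all of which are placeholders to replace with your own values. It refuses to create a second trust with the same name, registers the portal's SAML 2.0 WebSSO endpoint, applies the default Permit everyone access control policy, and prints the loginToRp URL for the identifier it registered.

```powershell
# Added example (not from the LearnUpon article or Microsoft's docs): Step 3 via
# PowerShell. The three values below are placeholders for your own portal.
Import-Module ADFS

$displayName  = 'LearnUpon - yourportal'                          # Specify Display Name
$rpIdentifier = 'yourportal.learnupon.com'                        # Configure Identifiers (loginToRp)
$samlConsumer = 'https://yourportal.learnupon.com/saml/consumer'  # portal SAML Entry Point URL

# A relying party trust is required per portal; guard against duplicating one.
if (Get-AdfsRelyingPartyTrust -Name $displayName) {
    throw "A relying party trust named '$displayName' already exists."
}

# Configure URL: enable SAML 2.0 WebSSO by registering the portal's assertion
# consumer endpoint (HTTP-POST binding, index 0).
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $samlConsumer -Index 0

# Choose Access Control Policy: 'Permit everyone' is the wizard default.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $rpIdentifier `
    -SamlEndpoint $acsEndpoint `
    -AccessControlPolicyName 'Permit everyone'

# loginToRp feature: the identifier is URL-encoded in case it contains ':' or '/'.
$hostName = (Get-AdfsProperties).HostName
$encoded  = [System.Uri]::EscapeDataString($rpIdentifier)
Write-Output "loginToRp URL: https://$hostName/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=$encoded"

# Read the trust back to confirm what was registered.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, Enabled, AccessControlPolicyName
```

The claim rules are deliberately not set here; the trust exists but issues no claims until Step 4 adds at least the Name ID rule, which mirrors the wizard leaving you at Configure claims issuance policy on Finish.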
Step 4. Configure claims issuance policy with 1 or more claim rules
Follow Microsoft’s instructions for Configuring Claim Rules.
This example follows Create a rule to send LDAP Attributes as Claims, setting up 1 rule that uses Email Address as the Name ID in the assertion.
For portals that require usernames as unique identifiers, you need to identify your preferred field in LDAP Attribute, and keep Outgoing Claim Type set to Name ID.
The following steps provide highlights for a typical LearnUpon connection, but do not replace the Microsoft product documentation.
In the AD FS container right click Relying Party Trusts > Edit Claim Issuance Policy.
From Issuance Transform Rules, select Add Rule.
From the Add Transform Claim Rule Wizard, select the default Send LDAP Attributes as Claims, and select Next.
For Claim rule name, enter a descriptive name.
From Attribute Store choose Active Directory.
In the LDAP Attribute field select Email Addresses.
In the Outgoing Claim Type choose Name ID.
Select Finish.
From Edit Claim Issuance Policy, select OK to save the rule, and Finish.
Step 5: Optional: enter additional Claim Rules for custom user data and groups
When you map LDAP attributes to custom user data fields in LearnUpon, AD FS can send this data seamlessly to LearnUpon.
See the following articles for background:
Example 1: first and last name, and title
In the following screenshot, the sample First and Last Name rule sends First Name (LDAP Attribute Given Name) and Last Name (LDAP Attribute Surname) along with another Custom field Title as (LDAP Attribute Role) for LearnUpon as custom user data.
Example 2: Groups
In Send All Groups in Assertion rule example, you send a list of each learner’s Group Memberships in Active Directory, in the assertion using the Group Outgoing Claim Type. This rule synchronizes a user's Groups in Active Directory with their LearnUpon groups in the portal.
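Steps 4 and 5 both add Send LDAP Attributes as Claims rules, so one added example covers them. The script below is not from the LearnUpon article or Microsoft's documentation; it assumes the AD FS module and the trust display name used in Step 3 (a placeholder). It writes the Email address as Name ID rule from Step 4, the First and Last Name rule and the Send All Groups in Assertion rule from Step 5 in the AD FS claim rule language, and applies them to the trust with Set-AdfsRelyingPartyTrust. The Title custom field from Example 1 is left out because the outgoing claim name the portal expects for it is not stated here.

```powershell
# Added example (not from the LearnUpon article or Microsoft's docs): the claim
# rules of Steps 4 and 5 as claim rule language, applied to the trust from Step 3.
Import-Module ADFS

$trustName = 'LearnUpon - yourportal'   # placeholder: display name of your trust

# Each rule is what the "Send LDAP Attributes as Claims" wizard template generates:
# look up attributes for the authenticated Windows account in Active Directory
# and issue them under the chosen outgoing claim types.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email address as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "First and Last Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";givenName,sn;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Send All Groups in Assertion"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Replaces the trust's issuance transform rules with this set (so edit this text,
# not the console, once you manage the rules from PowerShell).
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules

# Read back the rules that will actually be issued before testing a login.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

For a portal that uses usernames as the unique identifier, keep the nameidentifier outgoing type and change the query attribute from mail to the LDAP attribute holding the username (for example sAMAccountName or userPrincipalName). The tokenGroups attribute corresponds to the wizard's Token-Groups - Unqualified Names entry, so the assertion carries group names rather than SIDs, which is what the portal group sync matches on.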
Step 6: Complete the LearnUpon portal SAML Configuration
From your LearnUpon portal, navigate to Settings > Integrations > Single Sign On - SAML > General Settings.
Configure the SAML Settings as required:
- for IDP SSO Target URL, use the IdP SSO Target URL (the AD FS Sign On URL) from Step 1. See Set up SAML SSO for your portal
Note: To require all learners to log in through the AD FS login process, you need to disable the login page. LearnUpon recommends testing the AD FS SAML login process before disabling the login page.
- for Manage Fingerprints, select SHA1 or SHA256 and enter the matching fingerprint/thumbprint collected in Step 2
The following screenshot shows Manage fingerprints with 2 fingerprints entered.
Step 7: Test the login process using the AD FS SAML credentials
Microsoft documentation for reference
LearnUpon is not responsible for content outside this website.
- Active Directory Federation Services Overview
- Create a Relying Party Trust
- Configuring Claim Rules
- Create a rule to send LDAP Attributes as Claims