Active Directory SAML Configuration Guide

To configure the Active Directory service (Windows) for SAML SSO (Single Sign On) authentication, follow these steps:

Step 1: Open the AD FS Management (Active Directory Federation Service) console.

Step 2: Click Actions > Add Relying Party Trust…

Step 3: On the Welcome step, click Start.

Step 4: Select Enter data about the relying party manually. 

Step 5: Enter Display name and click Next.

Step 6: Select AD FS profile.

Step 7: Keep the certificate settings as the default values.

Step 8: Check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be: https://{subdomain}.saleshood.com/auth/saml/callback

Step 9: Add a Relying party trust identifier. The identifier will be: https://{subdomain}.saleshood.com/auth/saml

Step 10: Keep the Multi-factor Authentication settings at their default values.

Step 11: Select Permit all users to access this relying party. Click Next through to the finish screen.

Step 12: On the final screen, click the Close button to exit, then open the Claim Rules editor.

Step 13: Click Add Rule to create a new rule.

Step 14: Select Send LDAP Attributes as Claims rule.

Step 15: Enter a Claim rule name and select the attributes as shown below.

Step 16: To add another new rule, select Transform an Incoming Claim.

Step 17: Enter a Claim rule name and select the options as shown below. Click Finish to exit the Claim Rules editor.

Step 18: Open the Relying Party Trust properties and select SHA-1 as the Secure hash algorithm.

Step 19: Select the Token-signing certificate in the Certificates folder.

Step 20: Click the Copy to File… button.

Step 21: Select Base-64 encoded X.509 (.CER) and finish exporting the certificate.

Step 22: Use that certificate to get the fingerprint with this tool: https://www.samltool.com/fingerprint.php

Once you have located the certificate where you exported it, right-click it, choose Edit with Notepad++, and paste the contents into that tool to get the fingerprint.

Step 23: Send the fingerprint, certificate, and SAML endpoint to support@saleshood.com for configuration.

NOTE:

  • Active Directory users must have an email address to log in.
  • Active Directory users must have a first name, last name, and email address to register.
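The same procedure (Steps 2 through 22) as a script for the AD FS PowerShell module, added here as an example; it is not SalesHood's or Microsoft's code. It assumes a placeholder subdomain, that the claim rules of Steps 15 and 17 send mail, givenName and sn and use the email address as the SAML NameID (the screenshots those steps refer to are not included, so your mapping may differ), and that the SAML endpoint to send in Step 23 is the AD FS sign-on URL.

```powershell
# Added example: scripts the article's Steps 2-22 with the AD FS PowerShell module (run on the AD FS server).
# Assumptions (not from the page): the subdomain value, the LDAP attribute-to-claim mapping,
# and that the NameID is the user's email address.
$subdomain = "example"   # placeholder: your SalesHood subdomain
$acsUrl    = "https://$subdomain.saleshood.com/auth/saml/callback"   # Step 8 service URL
$entityId  = "https://$subdomain.saleshood.com/auth/saml"            # Step 9 identifier

# Steps 14-15: send mail, givenName and sn from Active Directory as claims (assumed mapping; see the NOTE).
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SalesHood LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Steps 16-17: transform the email claim into the SAML NameID (assumed; the article's screenshot is not included).
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Steps 8-11 and 18: create the trust with the SAML 2.0 WebSSO endpoint, the identifier,
# a "permit all users" authorization rule and the SHA-1 signature algorithm the article asks for.
$acs = New-AdfsSamlEndpoint -Binding "POST" -Protocol "SAMLAssertionConsumer" -Uri $acsUrl -Index 0
Add-AdfsRelyingPartyTrust -Name "SalesHood" `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule) `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"   # AD FS defaults to rsa-sha256; prefer it if the service accepts it

# Steps 19-22: export the primary token-signing certificate as Base-64 X.509 and compute the
# fingerprint locally, so the certificate never has to be pasted into a third-party web tool.
$cert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64  = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem  = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
Set-Content -Path ".\adfs-token-signing.cer" -Value $pem -Encoding Ascii
$sha1Fingerprint = $cert.Thumbprint -replace '(..)(?!$)', '$1:'   # Thumbprint is the SHA-1 of the DER bytes

# Step 23: the three values to send; the SAML endpoint is the AD FS sign-on URL (assumed).
"SAML endpoint : https://$((Get-AdfsProperties).HostName)/adfs/ls/"
"Certificate   : $(Resolve-Path .\adfs-token-signing.cer)"
"Fingerprint   : $sha1Fingerprint"
```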
