Active Directory (ADFS)
Thanks to Jessie Twaddle from Gustavus Adolphus College for kindly providing the below guide on how to use Active Directory Federation Services (ADFS) as your SAML Identity Provider.
This guide was tested on Windows Server 2016.
SupportPal Configuration
- Download the file example_saml_config.zip, extract the saml.php file from the zip archive and place it inside the config/production directory of your SupportPal installation.
- On your SupportPal server, create a signing certificate, which you will need for the ADFS logout request:
  openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout /etc/pki/tls/private/mysigning.key -out /etc/pki/tls/certs/mysigning.pem
- Update config/production/saml.php with the certificate and key information:
  - Replace X_PASTE_SUPPORTPAL_SIGNING_CERT_HERE with the contents of /etc/pki/tls/certs/mysigning.pem
  - Replace X_PASTE_SUPPORTPAL_SIGNING_CERT_PKEY_HERE with the contents of /etc/pki/tls/private/mysigning.key
  - Replace $ADFSSERVER in the saml.php file with your ADFS server information
- Update
ADFS Server Configuration
Authentication Guards
SupportPal allows separate authentication guards to be configured for frontend and operator login, see: SAML Authentication. Please repeat this step if you would like to configure both frontend and operator login.
- On your ADFS server, open the ADFS Management Console
- Select ADFS > Relying Party Trust > Add Relying Party Trust
- Select Claims aware and click Next
- Select Import data about the relying party published online, and enter your SupportPal SAML metadata URL (see: SAML Authentication)
- Set an Access Control policy as you see fit
- Name your relying party trust and click Finish to create the trust
- Select your new relying party trust and select Edit Claim Issuance Policy
- Select Add Rule
- Select the Send LDAP Attributes as Claims template
- Enter a claim rule name
- Select Active Directory as your attribute store
- Select your attributes:
  - LDAP: E-Mail-Addresses, Outgoing: email
  - LDAP: Display-Name, Outgoing: fullname
  - LDAP: E-Mail-Addresses
- Click Finish
- Select Add Rule to add another rule
- Select the Transform an Incoming Claim template
- Enter a claim rule name
- Incoming claim type: Windows Account
- Outgoing claim type: Name ID (Persistent Identifier)
- Click Finish
- Select Add Rule
- Select ADFS > Service > Certificates
- Double click the Token-signing certificate
- Select Details > Copy to file
- Export the certificate as base64 without the private key
- Open this file and paste the contents into config/production/saml.php under X_PASTE_ADFS_SIGNING_CERT_HERE
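Before pasting the material from the SupportPal and ADFS steps above into saml.php, the following shell helper (an added example, not part of this guide or of SupportPal) checks that mysigning.key really belongs to mysigning.pem and that both that certificate and the exported ADFS token-signing certificate parse as certificates with at least 30 days of validity left. Default paths are the ones used in this guide; the ADFS export file name adfs-token-signing.cer is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the SupportPal guide: sanity-check the
# certificate material before pasting it into config/production/saml.php.
# Default paths are the ones the guide's openssl command writes; the ADFS
# export file name (adfs-token-signing.cer) is an assumption.

# Return 0 when the private key and the certificate belong together:
# the public key derived from the key must equal the one in the cert.
key_matches_cert() {
    local key="$1" cert="$2" key_pub cert_pub
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 when the file is a PEM certificate that stays valid for at
# least $2 more days (default 30). A key file or garbage fails here.
cert_valid_for_days() {
    local cert="$1" days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Print what an operator compares against the ADFS console: subject,
# issuer, validity window and SHA-256 fingerprint.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Run all checks; returns non-zero if anything should stop the paste.
check_saml_certs() {
    local key="${1:-/etc/pki/tls/private/mysigning.key}"
    local cert="${2:-/etc/pki/tls/certs/mysigning.pem}"
    local adfs_cert="${3:-adfs-token-signing.cer}"
    local rc=0 c
    if key_matches_cert "$key" "$cert"; then
        echo "OK:   $key matches $cert"
    else
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    for c in "$cert" "$adfs_cert"; do
        if cert_valid_for_days "$c" 30; then
            echo "OK:   $c is a certificate valid for 30+ days"; describe_cert "$c"
        else
            echo "FAIL: $c is missing, not a certificate, or expires within 30 days"; rc=1
        fi
    done
    return "$rc"
}
```

Run `check_saml_certs` with no arguments on the SupportPal server after exporting the ADFS certificate into the same directory, or pass the key, certificate and ADFS export paths explicitly.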