
Setting Up SSO with ADFS and SAML

Codebashing supports single sign-on using SAML 2.0 with ADFS as an identity provider. ADFS, or Active Directory Federation Services, is a service provided by Microsoft which enables web login using existing Active Directory credentials.

This document provides a step-by-step guide for configuring single sign-on using Active Directory with ADFS and SAML 2.0.

Prerequisites

To set up ADFS to log in to the Codebashing platform, you need:

  • A Codebashing instance (free or paid).

  • Microsoft Windows Server 2008 or 2012.

  • ADFS installed and configured on that Windows Server host.

Adding a Relying Party Trust

To connect ADFS to Codebashing you add a Relying Party Trust (RPT). Before you can add an RPT, verify that ADFS is installed: if it is, it is listed as AD FS under All Servers in Server Manager.

If ADFS is not installed, you have to install it as a new Windows feature from Windows PowerShell on the Windows server.
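The check and the install described above, as an added PowerShell example (not from the Codebashing documentation or from Microsoft). It assumes Windows Server 2012 or later, where AD FS is the Windows feature ADFS-Federation, and an elevated PowerShell session on the server; on Windows Server 2008 R2, AD FS 2.0 is a separate download rather than a feature.

```powershell
# Added example: detect the AD FS role and install it if it is missing.
# Assumption: Windows Server 2012 or later, run as an administrator.
$feature = Get-WindowsFeature -Name ADFS-Federation

if ($feature.Installed) {
    "AD FS feature already installed on $env:COMPUTERNAME"
} else {
    # -IncludeManagementTools adds the AD FS Management console used by the wizard below.
    Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
}

# Installing the feature only puts the binaries in place. The federation service
# itself must still be configured (Install-AdfsFarm, or the post-install wizard in
# Server Manager) with a service certificate and a federation service name before
# any Relying Party Trust can be added.
Get-WindowsFeature -Name ADFS-Federation | Select-Object Name, InstallState
```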

Adding an RPT to ADFS:

  1. Select the Relying Party Trusts folder from ADFS Management and add a new Standard Relying Party Trust. This starts the configuration wizard for a new trust.

  2. Click <Start>. The Select Data Source dialog appears.

    ADFS_1.png
  3. Select the last option Enter Data About the Party Manually and click <Next>.

    ADFS_2.png
  4. Enter Codebashing as Display Name.

  5. Enter notes (optional).

  6. Click <Next>. The Choose Profile dialog appears.

    ADFS_3.png
  7. Select the ADFS 2.0 profile option and click <Next>.

    ADFS_4.png
  8. Leave the default setting and click <Next>. The Configure URL dialog appears.

    ADFS_5.png
  9. Select Enable Support for the SAML 2.0 WebSSO protocol.

  10. Enter https://<yourinstance>.codebashing.com/users/auth/saml/callback in the Relying party SAML 2.0 SSO service URL field.

  11. Replace <yourinstance> with your platform instance name (the screenshot shows the subdomain 'dev' as an example).

  12. Click <Next>.

    ADFS_6.png
  13. Enter https://<yourinstance>.codebashing.com in the Relying party trust identifier field and click <Add>.

  14. Replace <yourinstance> with your platform instance name (the screenshot shows the subdomain 'dev' as an example). The identifier must match the callback URL's host exactly, because it is the audience Codebashing checks in the SAML assertion.

  15. Click <Next>. The Configure Multifactor dialog appears.

  16. In the Configure Multifactor Authentication dialog, keep the default setting and click <Next>. The Issuance Authorization Rules dialog appears.

    ADFS_7.png
  17. Select Permit all users to access the relying party. This issues an assertion to every Active Directory user who can authenticate to ADFS; if only some users should reach Codebashing, restrict access later with an issuance authorization rule.

  18. Click <Next>. The Ready to Add Trust dialog is displayed. This dialog provides a summary of your settings.

    ADFS_8.png
  19. Click <Next>. The Finish dialog appears.

    ADFS_9.png
  20. Leave the default settings and click <Close> to exit. The Claim Rules editor appears.

Creating Claim Rules

By default, the Claim Rule Editor opens once you have created the relying party trust.

ADFS_11.png

Creating a New Rule:

  1. Click <Add Rule>. The Select Rule Template dialog appears.

    ADFS_21.png
  2. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list. The Edit Rule dialog is displayed.

    ADFS_31.png
  3. Enter a Claim rule name, for example, Rule 1.

  4. Select Active Directory from the Attribute Store dropdown list.

  5. Map the following attributes to the rule:

    • From the first LDAP Attribute column, select SAM-Account-Name.

    • From the first Outgoing Claim Type, select Windows Account Name.

    • From the second LDAP Attribute column, select E-Mail Address.

    • From the second Outgoing Claim Type, select E-Mail Address

  6. Click <OK> to save the new rule.

  7. In the Claim Rule Editor, click <Add Rule> to add another rule. The Select Rule Template dialog appears.

    ADFS_41.png
  8. Select Transform an Incoming Claim from the Claim Rule Template drop-down list. The Configure Rule dialog appears.

    ADFS_51.png
  9. Enter a Claim rule name, for example, Rule 2. This template has no Attribute Store field; the e-mail address it transforms is the claim issued by Rule 1.

  10. Define the following attributes of the rule:

    • From the Incoming claim type drop-down, select E-Mail Address.

    • From the Outgoing claim type drop-down, select Name ID.

    • From the Outgoing name ID format drop-down, select Email.

  11. Keep Pass through all claim values selected. Users whose Active Directory account has no e-mail address receive no Name ID and cannot log in, so make sure the mail attribute is populated for every user who needs access.

  12. Click <Finish> to save the new rule. The rule order should look similar to the following example.

    ADFS_61.png
  13. Click <OK> to complete creating the new rule.
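The Relying Party Trust and both claim rules above, created with the ADFS PowerShell module instead of the wizard, as an added example that is not part of the Codebashing documentation and not Microsoft's code. It assumes the ADFS module of Windows Server 2012 R2 or later (on ADFS 2.0 the same cmdlets come from the Microsoft.Adfs.PowerShell snap-in), an elevated session on the federation server, and that $instance is your Codebashing subdomain, the value the wizard text calls <yourinstance>. The rule bodies are the claim rule language ADFS generates for the Send LDAP Attributes as Claims and Transform an Incoming Claim templates with the selections given above.

```powershell
# Added example: Codebashing RPT plus claim rules via PowerShell.
# Assumption: run as administrator on the ADFS server; $instance is your subdomain.
Import-Module ADFS

$instance   = "yourinstance"
$identifier = "https://${instance}.codebashing.com"                           # step 13
$acsUrl     = "https://${instance}.codebashing.com/users/auth/saml/callback"  # step 10

# Rule 1: Send LDAP Attributes as Claims
#   sAMAccountName -> Windows account name, mail -> E-Mail Address
# Rule 2: Transform an Incoming Claim
#   E-Mail Address -> Name ID with the Email name ID format
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Rule 1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";sAMAccountName,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Rule 2"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 17, "Permit all users to access the relying party". Every AD user that can
# authenticate to ADFS gets an assertion; replace this rule with a group check
# if only some users should be able to log in to Codebashing.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 9-10: SAML 2.0 WebSSO support with the callback URL as the assertion consumer service.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name "Codebashing" `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -ProtocolProfile SAML `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -Notes "Codebashing single sign-on (SAML 2.0)"

# Check: identifier, protocol and ACS location of the trust that was just created.
Get-AdfsRelyingPartyTrust -Name "Codebashing" |
    Select-Object Name, Identifier, ProtocolProfile,
        @{ Name = 'AssertionConsumerService'; Expression = { $_.SamlEndpoints.Location } }
```

Keeping the rules in a script rather than clicking through the wizard makes the configuration reviewable and repeatable across farms; the final Get-AdfsRelyingPartyTrust is the check to run before handing the instance over for the test login in the next section.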

Testing Single Sign-On With ADFS

To test single sign-on with ADFS:

  1. Access https://<yourinstance>.codebashing.com and click SSO Login. You are redirected to your organization's ADFS login page (when accessing the platform externally) or to a login popup (when accessing internally).

  2. Enter your Active Directory credentials to access the platform.
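If the test login fails, the quickest diagnosis is to look at what ADFS actually posted to the callback URL. The following added PowerShell example (not from the Codebashing documentation) decodes a SAMLResponse form value and reports the fields the configuration above must produce: a Success status, the callback URL as Destination, the relying party identifier as Audience, and a Name ID in the Email format. The XML embedded in the block is a constructed, unsigned sample so the script runs offline; a real response is copied from the browser's network tab (the SAMLResponse field of the POST to /users/auth/saml/callback) and is signed by ADFS. The script only reports whether a signature element is present; verifying it is the job of the Codebashing service provider, not of this check.

```powershell
# Added example: decode a SAMLResponse and check the fields the ADFS setup must emit.
# Assumption: $instance is your Codebashing subdomain; $sampleXml is a constructed response.
$instance = "yourinstance"

$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" Destination="https://${instance}.codebashing.com/users/auth/saml/callback">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://${instance}.codebashing.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <saml:AttributeValue>EXAMPLE\jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@
# The browser posts the response base64-encoded; encode the sample the same way.
$samlResponseB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

function Test-CodebashingSamlResponse {
    param([string]$Base64Response, [string]$Instance)

    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response))
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
    $ns.AddNamespace("saml",  "urn:oasis:names:tc:SAML:2.0:assertion")
    $ns.AddNamespace("ds",    "http://www.w3.org/2000/09/xmldsig#")

    $status   = $doc.SelectSingleNode("/samlp:Response/samlp:Status/samlp:StatusCode", $ns)
    $nameId   = $doc.SelectSingleNode("//saml:Assertion/saml:Subject/saml:NameID", $ns)
    $audience = $doc.SelectSingleNode("//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", $ns)
    $dest     = $doc.DocumentElement.GetAttribute("Destination")

    [pscustomobject]@{
        StatusSuccess   = ($status.Attributes["Value"].Value -eq "urn:oasis:names:tc:SAML:2.0:status:Success")
        Destination     = $dest
        DestinationOk   = ($dest -eq "https://${Instance}.codebashing.com/users/auth/saml/callback")   # step 10
        AudienceOk      = ($audience.InnerText -eq "https://${Instance}.codebashing.com")               # step 13
        NameId          = $nameId.InnerText
        NameIdIsEmail   = ($nameId.Attributes["Format"].Value -eq "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")  # Rule 2
        AssertionSigned = ($null -ne $doc.SelectSingleNode("//saml:Assertion/ds:Signature", $ns))
    }
}

Test-CodebashingSamlResponse -Base64Response $samlResponseB64 -Instance $instance | Format-List
```

A missing NameId with everything else green usually means the test account has no e-mail address in Active Directory, so Rule 2 had nothing to transform; a wrong AudienceOk or DestinationOk means the identifier or callback URL entered in the wizard does not match the instance hostname.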