Knowledge and Support - Adaptive Insights

SAML SSO MS-AD FS 3.0

Provides instructions for configuring Adaptive Insights to accept SAML SSO tokens from your instance of Microsoft Active Directory Federation Services 3.0 (MS AD FS 3.0). In SAML terms, your instance of MS AD FS is an identity provider and Adaptive Insights is a service provider. After completing the steps below, you will have configured an identity-provider-initiated SSO login from your MS AD FS 3.0 instance to the Adaptive Suite of applications.

Prerequisites

The prerequisites for these procedures are:

  • A machine that:
    • Has Windows Server 2008 R2 or has the RelayState parameter enabled. See The MS AD FS 3.0 RelayState for more information.
    • Is joined to a domain
  • An Adaptive account with administrative permissions
  • A confirmation email from Adaptive Insights stating that SAML has been provisioned on your Adaptive instance
  • A token-signing certificate verified by a certification authority (see below)

  To export the MS AD FS token-signing certificate:
  1. Go to MS AD FS Management Console > Service > Certificates.
  2. Right-click Token-Signing in the certificates list, then click View Certificate. See the image below.
  3. Go to the Details tab and click Copy to File…
  4. When the Certificate Export Wizard appears, click Next.
  5. Select DER encoded binary X.509 (.cer), and click Next.
  6. Select a directory to save the file, give it a name, and click Next.
  7. Click Finish.

    AD-FS_View_Certificate_3.0.png
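The export above can also be scripted. The following PowerShell, added here as an example and not part of the Adaptive Insights article, exports the primary AD FS token-signing certificate as a DER-encoded .cer file (the same format the wizard produces) and prints the issuer, validity dates and thumbprint that you will later compare against what the Adaptive SAML settings page displays. It uses the ADFS module's Get-AdfsCertificate cmdlet; the output path is an assumption.

```powershell
# Added example (not from the article): export the primary AD FS 3.0
# token-signing certificate as DER (.cer) and record its identifying fields.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$OutFile = 'C:\Temp\adfs-token-signing.cer'   # assumed output path; change as needed

# AD FS can hold a primary and a secondary token-signing certificate during
# rollover. Relying parties must trust the one flagged IsPrimary.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }

if (-not $signing) { throw 'No primary token-signing certificate found.' }

$cert = $signing.Certificate   # X509Certificate2 object

# X509ContentType.Cert writes the public certificate only (no private key),
# DER encoded: the "DER encoded binary X.509 (.cer)" option of the wizard.
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
[System.IO.File]::WriteAllBytes($OutFile, $bytes)

# Fields to verify on the Adaptive side after uploading the file.
$cert | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-List

# AD FS rolls the token-signing certificate automatically by default; when it
# does, the new certificate must be uploaded to Adaptive or SSO stops working.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires on $($cert.NotAfter); plan the re-upload."
}
Write-Host "Exported to $OutFile"
```

Keep the printed thumbprint with your change record: it is the quickest way to confirm, after the Adaptive configuration later in this document, that the certificate Adaptive shows is the one AD FS is actually signing with.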

This document uses ADFS_HOST as a placeholder in text to refer to the MS AD FS website. Replace it with your MS AD FS 3.0 website address. The screenshots show the address of the test server.

The MS AD FS 3.0 RelayState

Enable RelayState for identity-provider-initiated SSO by following these steps:

  1. For ADFS 3.0, open the following file in Notepad:
    %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config

  2. In the microsoft.identityServer.web section, add a line for useRelayStateForIdpInitiatedSignOn as follows:

    <microsoft.identityServer.web>
      ...
      <useRelayStateForIdpInitiatedSignOn enabled="true" />
    </microsoft.identityServer.web>

  3. Save the file.

  4. Restart the Active Directory Federation Services (adfssrv) service.
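The same change, made idempotently from PowerShell so it can be repeated on every server in the farm: an added example, not part of the article. It backs up the configuration file, adds or corrects the element inside the existing microsoft.identityServer.web section, restarts adfssrv and reads the setting back.

```powershell
# Added example (not from the article): enable RelayState for IdP-initiated
# sign-on in the AD FS 3.0 service configuration, then restart the service.
$configPath = Join-Path $env:SystemRoot 'ADFS\Microsoft.IdentityServer.Servicehost.exe.config'

# Keep a backup: a malformed config file prevents adfssrv from starting.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force

[xml]$config = Get-Content -Path $configPath -Raw
$web = $config.SelectSingleNode('/configuration/microsoft.identityServer.web')
if (-not $web) { throw 'microsoft.identityServer.web section not found in config' }

# Add the element if missing, otherwise just make sure it is enabled, so the
# script can be re-run without creating duplicate elements.
$existing = $web.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
if ($existing) {
    $existing.SetAttribute('enabled', 'true')
} else {
    $node = $config.CreateElement('useRelayStateForIdpInitiatedSignOn')
    $node.SetAttribute('enabled', 'true')
    $web.AppendChild($node) | Out-Null
}
$config.Save($configPath)

Restart-Service -Name adfssrv

# Read the setting back from disk to confirm the edit landed.
$check = ([xml](Get-Content -Path $configPath -Raw)).SelectSingleNode(
    '/configuration/microsoft.identityServer.web/useRelayStateForIdpInitiatedSignOn')
Write-Host "useRelayStateForIdpInitiatedSignOn enabled = $($check.enabled)"
```

Run it on each AD FS server in the farm; the setting lives in the local configuration file, not in the shared configuration database.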

Configuring Adaptive Insights as a Relying Party

A relying party is a web application or web service that relies on claims, which are extracted from tokens issued by an STS (Security Token Service). Adaptive Insights is the relying party and your MS AD FS 3.0 instance is an STS.

  1. Navigate to the MS AD FS 3.0 Management console.

  2. Click MS AD FS 3.0 and expand Trust Relationships.

  3. Right-click Relying Party Trusts and click Add Relying Party Trust.

  4. On the Select Data Source page, select Enter data about the relying party manually, and click Next.

    SAML_ADFS3_02_Select_Data_Source_3.0.png
  5. Specify any appropriate display name (for example, AdaptiveInsights), enter any notes, and click Next.

  6. Select AD FS profile.

  7. Skip the Configure Certificate step.

  8. Set up the Adaptive Insights SSO URL (which you will get from the SAML Settings screen in Planning) as shown below.

  9. On the Configure Identifiers page, enter the URL from the SAML Settings screen in Planning as the identifier and click Add.

  10. On the next page, select Permit all users access to this relying party (select Deny if you want to assign this application to specific users later) and click Next.

  11. On the Ready to Add Trust page, click Next.

  12. On the Finish page, clear Open the Edit Claims Rules dialog for this relying party trust when the wizard closes, and click Close.

Configuring Claim Rules

In this section, you will create some sample claim rules. Note that you may choose to modify the claim rules to satisfy your requirements for SAML authentication.

Sample Claim Rule #1

In this claim rule, the Email-Address value of a user will be sent as an attribute statement in the SAML response. You can use any LDAP attribute in the SAML token as long as that attribute uniquely identifies each user. Similarly, for the Outgoing Claim Type, choose one from the list or type in the name.

  1. Right-click the AdaptiveInsights entry in the Relying Party Trusts list and select Edit Claim Rules.

  2. Click Add Rule from the Issuance Transform Rules tab.

  3. Select Send LDAP Attribute as Claims from Claim Rule template drop-down.

  4. Click Next.

  5. Give the claim a name like Email as Claim.

  6. Set the Attribute Store field to Active Directory, the LDAP Attribute to Email-Addresses, and the Outgoing Claim Type to Email Address.

  7. Click Finish.

    AD-FS_Edit_Rule_3.0.png

  8. SAML attribute: If you configured only Claim Rule #1, you will need to enter its Outgoing Claim Type as the SAML attribute name in Adaptive Insights. To find the Outgoing Claim Type:
    1. Go to the ADFS Management console.

    2. Click Service > Claim Descriptions.

    3. Right-click the claim type you are using and click Properties.

    4. Copy the value in "Claim Type" and paste it into the SAML attribute name. It might look like "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", or it might be the short name that you typed.

    AD-FS_Edit_Claim_Rules_3.0.png

Sample Claim Rule #2

In this claim rule, we will send the email address configured in Claim Rule #1 as the NameID of the subject.

  1. Click Add Rule.

  2. Select Transform an Incoming Claim as the claim rule template to use.

  3. Give it a name. In this example, we are using Email Address to Name ID.

  4. The incoming claim type should be E-mail Address (that is, it must match the outgoing claim type used in Sample Claim Rule #1).

  5. Set Outgoing claim type to Name ID and Outgoing name ID format to Email.

  6. Select Pass through all claim values.

  7. Click Finish.

This rule will send the E-mail-Address value of a user as the NameID of the subject with the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

AD-FS_Edit_Rule_-_email_to_nameID_3.0.png

Setting up MS AD FS as Identity Provider in Adaptive Insights

In this section, you will configure your Adaptive Insights instance to accept SAML/SSO tokens from your MS AD FS 3.0 installation. The steps in this section use the sample claim rules described above; if you have created different rules, you will need to alter these instructions accordingly.

  1. Log in to your Adaptive instance as a user with User Administrator permissions.

  2. Go to Admin > Manage SAML SSO Settings.

    SAML_SSO_Settings_full_3.0.png

  3. Enter the following settings:

    1. Identity provider name: Enter your MS AD FS 3.0 server's name here.

    2. Identity provider Entity ID: Enter the value found in the MS AD FS 3.0 Management Console on the federation server. To find it, right-click Service, click Edit Federation Service Properties, and copy the value of the Federation Service Identifier field.

      AD-FS_Federation_Service_Properties_3.0.png

    3. Identity provider single sign-on URL: Enter a URL of the form https://ADFS_HOST/adfs/ls (this is the URL on the MS AD FS side used to log in directly to Adaptive Insights).

    4. Custom logout URL: Optional. Enter a URL to load when the user clicks Logout in the Adaptive suite. If no URL is specified, the Adaptive Insights login page is used.

    5. Identity Provider Certificate: Select the certificate file exported in Prerequisites.

    6. SAML user ID type: Select the user's federation ID. If you set up your claim rule to use the user's email address and that address is the same as the login field on the user's profile, you can select User's Adaptive Insights user name for SAML User ID.

    7. SAML user ID location: If you only configured Sample Claim Rule #1 in the claim rules of the relying party, select User ID in Attribute. If you configured Sample Claim Rule #2, select User ID for NameID of Subject.

    8. SAML attribute and SAML NameID format: You only need to enter one of these. If you only configured Sample Claim Rule #1, fill in the SAML attribute field with the outgoing claim type from Sample Claim Rule #1 and leave the SAML NameID format field blank. If you configured both sample claim rules, you can skip the SAML attribute field and fill in the SAML NameID format field with the outgoing name ID format from Sample Claim Rule #2 (Email).

    9. Enable SAML: Select Not Enabled (this is the default value). After testing the configuration, return to this screen and enable SAML for other users.

  4. Click Save. The Adaptive Admin Overview page will load.

  5. Go back to the Manage SAML SSO Settings page to verify that the settings were saved successfully. Specifically, verify the issuer and validity of the identity provider certificate.

  6. Look for Adaptive Insights SSO URL at the bottom of the page, and copy the entire string value. Save this value; you will need it in the next section.

    saml_sso_enable_and_direct_w_login_url_adfs_3_0.png

Completing the Configuration of the MS AD FS Relying Party

In this section, we will complete the MS AD FS relying party setup, which you started in Configuring Adaptive Insights as a Relying Party.

  1. Navigate back to your MS AD FS 3.0 administration console.

  2. Right-click AdaptiveInsights in the Relying Party Trusts list and select Properties.

  3. Click the Endpoints tab and click Add.

  4. Set Endpoint Type to SAML Assertion Consumer.

  5. Set Binding to POST.

  6. Paste the value of the Adaptive Insights SSO URL, which you copied in the last step of Setting up MS AD FS as Identity Provider in Adaptive Insights, into the URL field.

    Edit_Endpoint_3.0.png
  7. Click OK and click Apply in the properties dialog.
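The relying party trust built through the wizard in Configuring Adaptive Insights as a Relying Party, the two rules from Configuring Claim Rules and the SAML Assertion Consumer endpoint added just above can be created in one step with the ADFS PowerShell module. The script below is an added example and not part of the article or of Adaptive Insights' own tooling. The rule text is the claim rule language that the Send LDAP Attributes as Claims and Transform an Incoming Claim templates generate for the two sample rules; $AdaptiveSsoUrl is an assumed placeholder that must be replaced with the value copied from Admin > Manage SAML SSO Settings.

```powershell
# Added example (not from the article): create the AdaptiveInsights relying
# party trust with the two sample claim rules, the permit-all access rule and
# the SAML Assertion Consumer (POST) endpoint, then read the result back.
Import-Module ADFS

# Assumed placeholder: paste the Adaptive Insights SSO URL from the SAML
# Settings page. The article uses the same URL as identifier and endpoint.
$AdaptiveSsoUrl = 'https://adaptive-sso-url-placeholder.example/saml'

# Sample Claim Rule #1 (LdapClaims template): AD "mail" -> E-Mail Address claim.
# Sample Claim Rule #2 (MapClaims template): E-Mail Address -> Name ID with the
# urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format, pass-through.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email as Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users access to this relying party" (the wizard's default).
# Replace with a group-based issuance authorization rule to scope access.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The endpoint the article adds on the Endpoints tab: SAML Assertion Consumer, POST binding.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AdaptiveSsoUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'AdaptiveInsights' `
    -Identifier $AdaptiveSsoUrl `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -Notes 'Adaptive Insights SAML SSO (IdP-initiated)'

# Read back what was created: identifier, endpoint and the rules as stored.
$rp = Get-AdfsRelyingPartyTrust -Name 'AdaptiveInsights'
$rp | Select-Object Name, Identifier, Enabled | Format-List
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location, Index | Format-Table -AutoSize
$rp.IssuanceTransformRules
```

Because the same script defines the trust, the rules and the endpoint, it can be kept in version control and re-applied to a rebuilt farm, which is harder to do with wizard screenshots. Review the IssuanceTransformRules output: every claim type listed there is released to Adaptive Insights, so the list should contain only the attribute the article uses to identify the user.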

Testing the Setup

In this section, we will test the SAML/SSO login from MS AD FS 3.0 into Adaptive.

  1. Select a user on the MS AD FS side and the Adaptive Insights side. The user on the Adaptive Insights side must have SAML Admin permission.

  2. Enter the email address (or the LDAP attribute selected in Claim Rule #1) in MS AD FS for that user.

  3. On the Adaptive Insights side, enter the email address (possibly the same value) in the SAML Federation ID field for the user on the Admin > Edit User page.

  4. Log that AD FS user into a computer that is part of the Active Directory domain.

  5. Within a web browser on that computer, visit https://login.adaptiveinsights.com/app

  6. If everything is configured correctly, you will be redirected to the Adaptive Insights welcome page. On the Adaptive login page, enter the username, leave the password field blank, and click Submit.

After successfully testing your setup, you can enable SAML SSO for your users. See Enabling SAML SSO for all Users in Adaptive.

Logging in to Excel Interface for Planning and Adaptive Office Connect using SAML SSO

Once SAML SSO has been successfully configured and tested, Excel Interface for Planning and Adaptive Office Connect users only need to provide their usernames in the login form. Leave the password field blank.

Excel Interface for Planning or Adaptive Office Connect - Logging in with SAML SSO enabled
