All pages
Powered by GitBook
1 of 4

Configuring SAML SSO with ADFS

Enabling SAML Single Sign-On (SSO) with ADFS on EnGenius Cloud MSP Portal

Introduction

This guide details setting up Active Directory Federation Services(ADFS) as a SAML SSO identity provider(IdP) for EnGenius Cloud - MSP Portal. Prior reading on SAML integration is advised. It assumes existing ADFS setups.

Refer to Microsoft's guide for detailed ADFS configuration. The integration steps presented may vary by environment, but the SAML assertion must include specific usernames and role attributes.

Feature Overview

Explore SAML SSO fundamentals and benefits with ADFS on EnGenius Cloud

SAML SSO Intro

SAML (Security Assertion Markup Language) is a protocol for authentication and authorization that allows users to securely access multiple applications with a single set of credentials. It strengthen security and simplify the sign-in process that makes organizations easier to deploy SSO (Single Sign-On) across their systems or applications.

The feature integrates SAML SSO with ADFS to streamline user authentication across different services that an organization uses.

At its core, SAML involves three participants:

  • The User - This is the individual trying to access a service (the EnGenius Cloud).

  • The Identity Provider (IdP) - This is the trusted entity that verifies the user's credentials, like usernames and passwords, and any associated groups or attributes. It's usually a login portal.In this context, is the ADFS

  • The Service Provider (SP) - This is the service or application the user is trying to use, which, in this context, is the EnGenius Cloud.

Use Cases of SAML SSO with ADFS

  1. Centralized Authentication for Corporate Applications:

    • SAML SSO with ADFS enables employees to access various enterprise applications, including HR systems, email, and CRM tools, using a single credential set, reducing the necessity for multiple usernames and passwords.

  2. Integrating with Cloud Services:

    • Using SAML SSO with ADFS streamlines employee access to cloud services like Microsoft Office 365, Salesforce, and third-party cloud platforms, ensuring secure and user-friendly authentication.

SAML Login Options

EnGenius Cloud provides two SAML login options with ADFS integration: IdP-Initiated and SP-Initiated. The choice depends on your administrators' preferred user experience and your business's IdP protocols. Both methods are compatible and can be used together. This article explains the SAML setup compatible with both IdP-Initiated and SP-Initiated SAML.

IdP-Initiated SAML

IdP-Initiated SAML is ideal for organizations with a standard login portal for app and service access. This guide outlines the fundamental setup for the IdP-Initiated SAML with ADFS.

User Flow for IdP-Initiated SAML:

  1. Log in through the ADFS portal

  2. Choose the desired service (such as the EnGenius Cloud)

  3. User authentication by ADFS

  4. Get redirected to the EnGenius Cloud

IdP-Initiated SAML

SP-Initiated SAML

Choose SP-Initiated SAML for direct login via the EnGenius Cloud (SSO URL), especially if you don't use a separate login portal.

SP-Initiated SAML User Flow:

  1. Begin at the EnGenius Cloud (SSO URL)

  2. Get redirected to your IdP (ADFS login portal)

  3. Choose the desired service (such as the EnGenius Cloud)

  4. User authentication by ADFS

  5. Get redirected to the EnGenius Cloud

SP-Initiated SAML

EnGenius Cloud SSO URL

The EnGenius Cloud SSO URL, customizable for easy recall via the MSP Portal GUI, links to and redirects users to the specific IdP's login portal.

MSP Portal Configuration

Guided setup of SAML SSO in EnGenius Cloud's MSP Portal

Necessary Pre-requisite

  • ADFS installation and initial setup are complete.

  • Obtain the metadata file from ADFS.

  • The MSP portal on EnGenius Cloud Platform is activated with an MSP license.

Configure SAML SSO for the Organization

  1. Go to Organization > MSP Portal > Teams > Team Management and find the SAML SSO section.

  2. Enable SAML SSO.

1-1 SAML SSO

  1. Click on Add to create a new “IdP" to input SAML identity provider details:

  • Upload the Identity Provider (IdP) Metadata file, which you can extract from your ADFS server.

  • Provide a Name that helps to identify this IdP.

  • Provide the Login URL, which is the URL of the existing ADFS login page.

1-2 Add IdP

IdP Metadata for SSO Integration

Metadata for an IdP is a data file containing the IdP's unique identifier, service URLs, public key certificates, and supported communication protocols, used to enable secure SSO connections.

Logout URL for Auto-Logout Redirection

The 'Logout URL' allows users to set a specific webpage to redirect to after a defined period of inactivity, ensuring an automatic and secure logout.

  1. Upon creation of IdP, the system auto-generates the Consumer URL for where the IdP user data will be sent post-IdP authentication.

1-3 Consumer URL

Record the "Consumer URL" as it is essential for future ADFS configuration.

  1. Customize the EnGenius SSO Login URL: Adjust the ending URL for easier recall. It serves as a direct link to the default IdP and is unique to a single IdP.

1-4 SSO Login URL

  1. Select a Default IdP from the IdP list, it will associate to EnGenius Cloud SSO page as the redirect IdP when user tries to login through SSO URL.

1-5 Default IdP

Multi-IDP SAML SSO Configuration

You can manage and create several IdPs in the EnGenius Cloud to establish SAML SSO, each with its unique Login and Consumer URLs, but only one can map to the SSO Login shorthand URL.

Create SAML Roles

Navigate to Organization > MSP Portal > Teams > Team Privilege to access the SAML administrator roles. Use this to assign user group privileges. SAML users receive permissions based on the 'role' attribute in their SAML token from the IdP.

To set up a new role for the IdP:

  1. Click "Add Team".

  2. Assign managed scope and permissions as you would for standard users.

  3. To finalize, click "Create admin" and "Save changes".

1-6 Team Privilege

The new team is set by default to the "All Org" scope with "Admin" permissions; however, customization for individual organizations is possible.

ADFS Configuration

Configure ADFS for seamless integration with EnGenius Cloud's SSO

This guide provides the steps for configuring ADFS on Windows Server 2022 as an IdP. Please note that images used in the steps may vary with Windows Server updates.

Create “Relying Party Trust”

  1. Launch the AD FS management console from Start > Administrative Tools > AD FS Management.

  2. Select 'AD FS' at the top and from the Actions menu, choose 'Add Relying Party Trust'.

2-1 Add Relying Party Trust

  1. Click 'Start' to configure a new trust for Dashboard.

  2. Opt to 'Enter data about the relying party manually' and click 'Next'.

2-2 Enter data about the relying party manually

  1. Provide a 'Display name' such as "EnGenius Cloud" for identification in the console and for users, then proceed with 'Next'.

2-3 Display Name

  1. Bypass the 'Configure Certificate' step by selecting 'Next'.

  2. Check the box to Enable support for the SAML 2.0 WebSSO protocol. Input the EnGenius Cloud's 'Consumer URL' into the text field and click 'Next'.

2-4 Enable support for the SAML 2.0 WebSSO

The Consumer URL can be found under Organization > MSP Portal > Teams> Team Management > SAML SSO Settings ( from the IdP configuration).

  1. For 'Relying party trust identifier', input "https://msp-sso.engenius.ai", click 'Add', then 'Next'.

2-5 Relying party trust identifier
2-6 Relying party trust identifier

Relying Party Trust ID in SAML Authentication

The Relying Party Trust Identifier is a unique identifier that an Identity Provider uses to recognize and authenticate the specific Service Provider (The EnGenius Cloud) in a SAML setup.

  1. Set default authorization rules; for this guide, choose 'Permit everyone' and click 'Next'.

2-7 Permit everyone

Configure Username Attributes (email)

  1. Open the 'Edit Claim Rules' dialog and go to the 'Issuance Transform Rules' tab, then click 'Add Rule'.

2-8 Edit Claim Rules

  1. Choose 'Send LDAP Attributes as Claims' as the template and click 'Next'.

2-9 Send LDAP Attributes as Claims

  1. To configure a username attribute for SAML:

  • Name the claim rule "Email".

  • Choose 'Active Directory' for the attribute store.

  • Select a unique LDAP Attribute, like E-Mail-Addresses that will be sent to the EnGenius Cloud as the username.

  • Set the Outgoing Claim Type to "email"

  • Click 'Finish'.

2-10 Outgoing Claim Type

Outgoing Claim Type

An "Outgoing Claim Type" is a user attribute, like an email or username, that ADFS sends to a Service Provider (EnGenius Cloud) to identify and authorize users in SAML transactions.

Configure Role Attributes (Team Privilege)

  1. Open 'Edit Claim Rules', navigate to 'Issuance Transform Rules', and select 'Add Rule'.

  2. For the template, select 'Send Group Membership as a Claim'.

  3. Name the claim rule "Teams" for assigning user roles.

  4. Use 'Browse' to pick a group for the role assignment.

  5. Set the Outgoing claim type to "msp_teams".

  6. Enter the matching Role/Team value from The MSP Portal’s Teams role in 'Outgoing claim value' to grant access.

2-11 Configure Role Attributes

  1. Click 'Finish'.

The role/team must correspond with one in EnGenius Cloud under Organization > MSP Portal> Teams> Team Privileges.

2-12 Configure 'Team Privilege' on EnGenius Cloud

Accessing EnGenius Cloud with ADFS Authentication

Users authenticated via ADFS can now sign into the "EnGenius Cloud".

2-13 ADFS Sign-In Page

Setting Up EnGenius Cloud Account via ADFS Portal

If this is your first time accessing EnGenius Cloud service through your company's ADFS portal, you'll need to set up a user account initially. Once done, this will allow for automatic sign-in thereafter. The user account includes the following data:

  • User name

  • Email

  • Region

2-14 Access EnGenius Cloud for the first time