Explore SAML SSO fundamentals and benefits with ADFS on EnGenius Cloud
SAML (Security Assertion Markup Language) is a protocol for authentication and authorization that allows users to securely access multiple applications with a single set of credentials. It strengthens security and simplifies the sign-in process, making it easier for organizations to deploy SSO (Single Sign-On) across their systems and applications.
The feature integrates SAML SSO with ADFS to streamline user authentication across the different services an organization uses.
At its core, SAML involves three participants:
The User - This is the individual trying to access a service (the EnGenius Cloud).
The Identity Provider (IdP) - This is the trusted entity that verifies the user's credentials, such as usernames and passwords, and any associated groups or attributes. It is usually a login portal; in this context, it is ADFS.
The Service Provider (SP) - This is the service or application the user is trying to use, which, in this context, is the EnGenius Cloud.
Centralized Authentication for Corporate Applications:
SAML SSO with ADFS enables employees to access various enterprise applications, including HR systems, email, and CRM tools, using a single credential set, reducing the necessity for multiple usernames and passwords.
Integrating with Cloud Services:
Using SAML SSO with ADFS streamlines employee access to cloud services like Microsoft Office 365, Salesforce, and third-party cloud platforms, ensuring secure and user-friendly authentication.
EnGenius Cloud provides two SAML login options with ADFS integration: IdP-Initiated and SP-Initiated. The choice depends on your administrators' preferred user experience and your business's IdP protocols. Both methods are compatible and can be used together. This article explains the SAML setup compatible with both IdP-Initiated and SP-Initiated SAML.
IdP-Initiated SAML is ideal for organizations with a standard login portal for app and service access. This guide outlines the fundamental setup for the IdP-Initiated SAML with ADFS.
Log in through the ADFS portal
Choose the desired service (such as the EnGenius Cloud)
User authentication by ADFS
Get redirected to the EnGenius Cloud
Choose SP-Initiated SAML for direct login via the EnGenius Cloud (SSO URL), especially if you don't use a separate login portal.
Begin at the EnGenius Cloud (SSO URL)
Get redirected to your IdP (ADFS login portal)
Choose the desired service (such as the EnGenius Cloud)
User authentication by ADFS
Get redirected to the EnGenius Cloud
EnGenius Cloud SSO URL
The EnGenius Cloud SSO URL, which can be customized for easy recall via the MSP Portal GUI, links to and redirects users to the specific IdP's login portal.
Enabling SAML Single Sign-On (SSO) with ADFS on EnGenius Cloud MSP Portal
This guide details setting up Active Directory Federation Services (ADFS) as a SAML SSO identity provider (IdP) for the EnGenius Cloud MSP Portal. Prior reading on SAML integration is advised. It assumes an existing ADFS setup.
Refer to Microsoft's guide for detailed ADFS configuration. The integration steps presented may vary by environment, but the SAML assertion must include the specific username and role attributes described below.
Configure ADFS for seamless integration with EnGenius Cloud's SSO
This guide provides the steps for configuring ADFS on Windows Server 2022 as an IdP. Please note that images used in the steps may vary with Windows Server updates.
Launch the AD FS management console from Start > Administrative Tools > AD FS Management.
Select 'AD FS' at the top and from the Actions menu, choose 'Add Relying Party Trust'.
Click 'Start' to configure a new trust for Dashboard.
Opt to 'Enter data about the relying party manually' and click 'Next'.
Provide a 'Display name' such as "EnGenius Cloud" for identification in the console and for users, then proceed with 'Next'.
Bypass the 'Configure Certificate' step by selecting 'Next'.
Check the box to Enable support for the SAML 2.0 WebSSO protocol. Input the EnGenius Cloud's 'Consumer URL' into the text field and click 'Next'.
The Consumer URL can be found under Organization > MSP Portal > Teams > Team Management > SAML SSO Settings (from the IdP configuration).
For 'Relying party trust identifier', input "https://msp-sso.engenius.ai", click 'Add', then 'Next'.
Relying Party Trust ID in SAML Authentication
The Relying Party Trust Identifier is a unique identifier that an Identity Provider uses to recognize and authenticate the specific Service Provider (The EnGenius Cloud) in a SAML setup.
Set default authorization rules; for this guide, choose 'Permit everyone' and click 'Next'.
Open the 'Edit Claim Rules' dialog and go to the 'Issuance Transform Rules' tab, then click 'Add Rule'.
Choose 'Send LDAP Attributes as Claims' as the template and click 'Next'.
To configure a username attribute for SAML:
Name the claim rule "Email".
Choose 'Active Directory' for the attribute store.
Select a unique LDAP Attribute, like E-Mail-Addresses that will be sent to the EnGenius Cloud as the username.
Set the Outgoing Claim Type to "email".
Click 'Finish'.
Outgoing Claim Type
An "Outgoing Claim Type" is a user attribute, like an email or username, that ADFS sends to a Service Provider (EnGenius Cloud) to identify and authorize users in SAML transactions.
Open 'Edit Claim Rules', navigate to 'Issuance Transform Rules', and select 'Add Rule'.
For the template, select 'Send Group Membership as a Claim'.
Name the claim rule "Teams" for assigning user roles.
Use 'Browse' to pick a group for the role assignment.
Set the Outgoing claim type to "msp_teams".
Enter the matching Role/Team value from the MSP Portal's Teams role in 'Outgoing claim value' to grant access.
Click 'Finish'.
The role/team must correspond with one in EnGenius Cloud under Organization > MSP Portal > Teams > Team Privileges.
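The wizard steps above can also be scripted on the ADFS server. The following is an added example, not part of the EnGenius guide or Microsoft's documentation: it creates the same relying party trust (SAML 2.0 WebSSO endpoint, 'Permit everyone' authorization rule) and the two issuance transform rules ("Email" and "Teams") using the ADFS PowerShell module. The Consumer URL, the AD group SID and the team value "Admin" are placeholders you replace with the values from your MSP Portal and Active Directory.

```powershell
# Added example: scripted equivalent of 'Add Relying Party Trust' and the two claim rules.
# Run in an elevated PowerShell session on the ADFS server (ADFS module required).
Import-Module ADFS

$displayName = 'EnGenius Cloud'
$identifier  = 'https://msp-sso.engenius.ai'                        # Relying party trust identifier from the guide
$consumerUrl = 'https://CONSUMER-URL-FROM-MSP-PORTAL/'               # placeholder: copy from SAML SSO Settings
$groupSid    = 'S-1-5-21-0000000000-0000000000-0000000000-1234'      # placeholder: SID of the AD group picked via 'Browse'
$teamValue   = 'Admin'                                               # must match a team under Team Privileges

# SAML 2.0 WebSSO support: the assertion consumer endpoint (HTTP-POST), i.e. the wizard's 'Consumer URL' field.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $consumerUrl -Index 0

# Issuance authorization rule: 'Permit everyone'.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rules, as the wizard templates generate them:
#  "Email": Send LDAP Attributes as Claims, E-Mail-Addresses (LDAP 'mail') -> outgoing claim type "email"
#  "Teams": Send Group Membership as a Claim, group SID -> outgoing claim type "msp_teams" with the team name as value
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Teams"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "msp_teams", Value = "$teamValue", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

Add-AdfsRelyingPartyTrust -Name $displayName -Identifier $identifier -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules

# Check what ADFS will emit for this trust: identifier, consumer endpoint and the transform rules.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, @{ n = 'ConsumerUrl'; e = { $_.SamlEndpoints.Location } }, IssuanceTransformRules
```

The group SID is what the 'Browse' dialog resolves behind the scenes; the claim value is the team name, so a user who belongs to several mapped groups receives several "msp_teams" values, one per matching rule.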
Users authenticated via ADFS can now sign into the "EnGenius Cloud".
If this is your first time accessing the EnGenius Cloud service through your company's ADFS portal, you will need to set up a user account first. Once that is done, you will be signed in automatically thereafter. The user account includes the following data:
User name
Region
Guided setup of SAML SSO in EnGenius Cloud's MSP Portal
ADFS installation and initial setup are complete.
The metadata file has been obtained from ADFS.
The MSP portal on EnGenius Cloud Platform is activated with an MSP license.
Go to Organization > MSP Portal > Teams > Team Management and find the SAML SSO section.
Enable SAML SSO.
Click on Add to create a new "IdP" to input SAML identity provider details:
Upload the Identity Provider (IdP) Metadata file, which you can extract from your ADFS server.
Provide a Name that helps to identify this IdP.
Provide the Login URL, which is the URL of the existing ADFS login page.
IdP Metadata for SSO Integration
Metadata for an IdP is a data file containing the IdP's unique identifier, service URLs, public key certificates, and supported communication protocols, used to enable secure SSO connections.
Logout URL for Auto-Logout Redirection
The 'Logout URL' allows users to set a specific webpage to redirect to after a defined period of inactivity, ensuring an automatic and secure logout.
Upon creation of the IdP, the system auto-generates the Consumer URL, the endpoint to which the IdP sends the user data after IdP authentication.
Record the "Consumer URL" as it is essential for future ADFS configuration.
Customize the EnGenius SSO Login URL: adjust the ending of the URL for easier recall. It serves as a direct link to the default IdP and is unique to a single IdP.
Select a Default IdP from the IdP list. It is associated with the EnGenius Cloud SSO page as the IdP that users are redirected to when they log in through the SSO URL.
Multi-IDP SAML SSO Configuration
You can manage and create several IdPs in the EnGenius Cloud to establish SAML SSO, each with its unique Login and Consumer URLs, but only one can map to the SSO Login shorthand URL.
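Before uploading the ADFS metadata as the IdP Metadata file, it is worth checking that it contains what the definition above describes. The following added example (not part of the guide) downloads the federation metadata from ADFS's default publishing path, prints the entity identifier, supported protocols and single sign-on/logout service URLs, and decodes the token-signing certificate(s) to see when they expire. The host name adfs.example.com is a placeholder.

```powershell
# Added example: inspect ADFS federation metadata before uploading it to the MSP Portal.
$adfsHost    = 'adfs.example.com'                                                          # placeholder
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"       # ADFS default metadata path
$outFile     = Join-Path $env:TEMP 'FederationMetadata.xml'

Invoke-WebRequest -Uri $metadataUrl -OutFile $outFile -UseBasicParsing

[xml]$md = Get-Content -Path $outFile -Raw
$ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $md.NameTable
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
$idp    = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)

# 1. Unique identifier and supported protocols (the IdP's entityID becomes the Issuer of every assertion).
"entityID : {0}" -f $entity.GetAttribute('entityID')
"protocols: {0}" -f $idp.GetAttribute('protocolSupportEnumeration')

# 2. Service URLs. SP-initiated logins are sent to the SingleSignOnService location for the chosen binding;
#    the Login URL entered in the MSP Portal should point at the same ADFS sign-in page.
foreach ($svc in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
    "SSO      : {0} -> {1}" -f $svc.GetAttribute('Binding'), $svc.GetAttribute('Location')
}
foreach ($svc in $idp.SelectNodes('md:SingleLogoutService', $ns)) {
    "SLO      : {0} -> {1}" -f $svc.GetAttribute('Binding'), $svc.GetAttribute('Location')
}

# 3. Token-signing certificate(s). The service provider verifies assertion signatures against these,
#    so an expired or rotated signing certificate is the usual reason a working SSO setup stops.
$certNodes = $idp.SelectNodes('md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
foreach ($node in $certNodes) {
    $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    if ($cert.NotAfter -lt (Get-Date)) { $state = 'EXPIRED' }
    elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $state = 'expires within 30 days' }
    else { $state = 'valid' }
    "signing  : {0} thumbprint={1} notAfter={2:u} [{3}]" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $state
}
```

When ADFS automatic certificate rollover publishes a new token-signing certificate, the metadata lists two signing KeyDescriptors for a while; re-uploading the metadata to the IdP entry in the MSP Portal is what keeps the service provider trusting the new one.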
Navigate to Organization > MSP Portal > Teams > Team Privilege to access the SAML administrator roles. Use this to assign user group privileges. SAML users receive permissions based on the 'role' attribute in their SAML token from the IdP.
To set up a new role for the IdP:
Click "Add Team".
Assign managed scope and permissions as you would for standard users.
To finalize, click "Create admin" and "Save changes".
The new team is set by default to the "All Org" scope with "Admin" permissions; however, customization for individual organizations is possible.
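To make the dependency between the ADFS claim rules and the Team Privileges concrete, here is an added example (not EnGenius code) of the checks the relying party has to make on the assertion ADFS posts to the Consumer URL: the Audience must equal the relying party trust identifier, the assertion must be inside its validity window, an "email" claim must be present, and at least one "msp_teams" value must match a configured team. It runs against a constructed, unsigned sample assertion; signature verification against the IdP's token-signing certificate is assumed to have happened already. The team "Viewer" and the user alice@example.com are made up for the sample.

```powershell
# Added example: relying-party checks on a SAML assertion, run on a constructed sample.
function ConvertFrom-SamlInstant([string]$Value) {
    # SAML instants are UTC ('Z'); parse them as UTC so comparisons do not depend on the machine time zone.
    [datetime]::Parse($Value, [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Test-EngeniusAssertion {
    param(
        [xml]$Response,
        [string]$ExpectedAudience,                        # the Relying Party Trust identifier
        [string[]]$KnownTeams,                            # team names under Organization > MSP Portal > Teams > Team Privileges
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $Response.NameTable
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $assertion = $Response.SelectSingleNode('//saml:Assertion', $ns)
    $problems  = @()

    # Audience must be this SP's identifier; otherwise an assertion issued for another
    # relying party of the same ADFS could be accepted here.
    $audience = $assertion.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns)
    if (-not $audience -or $audience.InnerText -ne $ExpectedAudience) {
        $problems += "audience does not match '$ExpectedAudience'"
    }

    # Validity window from the Conditions element.
    $cond = $assertion.SelectSingleNode('saml:Conditions', $ns)
    if ($Now -lt (ConvertFrom-SamlInstant $cond.GetAttribute('NotBefore')))    { $problems += 'assertion not yet valid' }
    if ($Now -ge (ConvertFrom-SamlInstant $cond.GetAttribute('NotOnOrAfter'))) { $problems += 'assertion expired' }

    # Claims: the outgoing claim types configured in the ADFS rules ("email", "msp_teams").
    $claims = @{}
    foreach ($attr in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
        $claims[$attr.GetAttribute('Name')] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }
    if (-not $claims.ContainsKey('email')) { $problems += "no 'email' claim (check the Email rule's outgoing claim type)" }
    $teams = @($claims['msp_teams'] | Where-Object { $KnownTeams -contains $_ })
    if ($teams.Count -eq 0) { $problems += "no 'msp_teams' value matches a team under Team Privileges" }

    [pscustomobject]@{
        Email    = ($claims['email'] -join ',')
        Teams    = $teams
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample (not a real ADFS response): unsigned assertion for a user in the Admin team.
[xml]$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_response1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://msp-sso.engenius.ai</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="msp_teams"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

Test-EngeniusAssertion -Response $sample -ExpectedAudience 'https://msp-sso.engenius.ai' `
    -KnownTeams @('Admin', 'Viewer') -Now (ConvertFrom-SamlInstant '2024-01-01T00:30:00Z') | Format-List
```

Changing the sample's Audience, renaming the "msp_teams" attribute, or moving -Now past 01:00Z makes Ok false and lists the reason in Problems; those are the same three misconfigurations (wrong relying party identifier, wrong outgoing claim type, clock skew between ADFS and the service) that most often turn a completed setup into a failed login.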