Before You Begin
Configure SAML Authentication with ADFS
Single Sign On allows you to configure Transit to use your organizations’ existing user directory as an Identity Provider.
Your users will be redirected to your organizations login page and be able to log in with their Active Directory username and password.
Currently Transit supports Single Sign on with Active Directory Federation Services (ADFS) through SAML 2.0.
To configure SAML integration with ADFS you will need access to the
AD FS Manager application (typically installed on your ADFS Server).
You assign roles to users by mapping AD groups to Transit Roles.
If you want to create groups specifically for assigning roles to your
users you may want to create those groups before configuring SSO.
STEP BY STEP INSTRUCTIONS
1. CONFIGURE IDENTITY PROVIDER
In this step you define the basic parameters for this authentication source
such as what domain it will serve and what type of SSO server you will be authenticating against.
Provider Name is an arbitrary label
you assign to the source so you can
identify it.
Server Type is where you specify what
type of Single Sign On server you are
authenticating against. In this case
the server type is ADFS.
Email Domain(s) is the list of email
domains that will authenticate
against this source. Any users who
log in from the listed domain(s) will
only be allowed to log in using ADFS.
Sign In Button Label is where you can
customize the text that appears on
the button users will use to log in with
this source. The button label will always be displayed in all capital letters to match the other buttons In the app.
Sign In Button Icon allows you to upload a custom icon for the Sign In Button or to remove an icon altogether.
Sign In Button Preview shows you what the Sign In button will look like on the Sign In page.
2. CONFIGURE USERS
Here is where you assign roles to your users by mapping AD groups to Transit roles. When a user logs in; if they are a member of one of the listed groups, they will be granted that role. Users who are not members of any of the listed groups can still log in with AD to receive messages and access shared files but will not have any of the capabilities of a licensed user.
List the Active Directory groups that
contain the users who you want to
have Sender licenses or the
Administrator role by listing those
groups in the appropriate field.
Separate multiple listings with
commas. Spaces are allowed in
group names.
Licensed Users take up a license and
have full access to the application.
Administrators are licensed users who can also access the Administration console in Transit.
IMPORTANT! Make sure you are a member of at least one group listed for Administrators and that the group name is spelled correctly. It is possible to lock yourself out of the Administration console by misconfiguring Single Sign On.
3. UPLOAD METADATA XML FILE
To complete this step you need to first download a metadata file from your Identity Provider that contains the information that Transit needs to start authenticating users against that source.
Typically this file is downloaded from your ADFS Server via a url such as:
https://YourServerUrlHere/FederationMetadata/2007-06/FederationMetadata.xml
Once you download that file simply upload it here.
4. APPLY CHANGES
You need to complete all the steps 1 through 3 before continuing.
Once Applied you can download.
5. CREATE RELYING PARTY TRUST FOR TRANSIT IN ADFS
This step needs to be performed in the AD FS Manager application for your Active Directory Federation Services.
The Relying Party Trust establishes the Trust relationship between ADFS and Transit as well as which ADFS properties are available to the Transit application.
The instructions linked to in this step will walk you through the steps that need to be performed in ADFS.
-
Open the AD FS Management Console and click on Add Relying Party Trust from the Action Menu on the right.
-
Leave Claims Aware selected and click on START.
-
Select Import data about the Relying Party Trust and upload the metadata file from step 4.
-
Specify a Display Name and add any Notes such as a description for this rule and then hit NEXT.
-
For Choose Access Control Policy accept the defaults and click NEXT.
-
For Ready to Add Trust accept the defaults and click NEXT.
-
Under Finish leave Configure Claims Issuance Policy and click FINISH.
-
In the Edit Claims Issuance Policy screen click Add Rule…
-
In the Select Rule Template screen make sure Send LDAP Attributes as Claims is selected.
-
In the Edit Rule screen give this rule a name and make sure the Attribute Store is set to Active Directory. Then assign LDAP Mappings as shown:
-
User-Principal-Name <-> Name ID
-
E-Mail-Addresses <-> E-Mail Address
-
Given-Name <-> Given Name
-
Surname <-> Surname
-
Token-Groups – Unqualified Names <-> Role
-
6. TEST SSO SIGN IN
It is a good idea to test your source before continuing. The Test Source button will take you to your Organizations ADFS Login page. Once you log in it will tell you if the login succeeded or failed and will provide diagnostic information in either case.
7. PUBLISH SSO PROVIDER
The final step is to publish this Provider. Once published it will show on the Transit login page and be available for your users to authenticate against.
NOTE: While unpublished you can still configure and test the source but it will not be available to users for authentication