Configure Single Sign-On (SSO) to use your Active Directory (ADFS) as your Identity Provider

You can use your Microsoft Active Directory (AD) as the identity provider (IdP) for your enterprise users to sign in to Aternity via SSO with their network username and password.

Single Sign-On (SSO) allows you to bypass Aternity's sign in screen, by authenticating just once with your enterprise's chosen identity provider (IdP). Every time you access Aternity, it automatically reroutes you to the IdP, and then after authentication, it automatically routes you back to your Aternity home page as a signed in user. As such, the IdP manages the entire authentication process, which can include two-factor authentication, biometrics, or a simple password, hence Aternity does not store any passwords in the system.

To act as an SSO IdP, AD requires an additional module called Active Directory Federation Services (AD FS). Aternity's SSO supports AD FS 2.0 or 3.0.

Use Active Directory as your identity provider for SSO access

Before you begin

To use Active Directory as an IdP, you must have:

  • An Active Directory instance in which all users have an email address attribute.

  • An Aternity account.

Procedure

  1. Install Active Directory Federation Services (AD FS) 2.0 or 3.0, to enable Active Directory to share identity and authentication information securely with Aternity.

    Follow the procedure in Microsoft's documentation.

  2. Create a relying party trust, to define the application which needs AD FS for users' identity and authentication. In this case, you want Aternity SSO to use AD for authentication.

    Follow the procedure in Microsoft's documentation. When creating the relying party trust, use these settings and parameters in the wizard:

    Welcome page (AD FS 3.0 only)

      Select Claims Aware to ensure it can receive requests from Aternity SSO for authentication and identification.

    Select Data Source

      Select Enter data about the relying party manually, so that you can enter details about the relying party (Aternity SSO).

    Choose profile (AD FS 2.0 only)

      Select AD FS profile. Aternity SSO does not support AD FS 1.0.

    Configure Certificates

      Accept the default settings.

      Change these settings only if you want to encrypt the requests ('claims') to AD FS for identification and authentication.

    Configure URL

      Select Enable Support for the SAML 2.0 WebSSO protocol, as this is the protocol which Aternity uses for its SSO implementation.

    Relying party SAML 2.0 service URL

      Enter the URL to which AD FS sends the user back to Aternity after the user has authenticated with AD FS (also known as the SP consumer URL).

      Use the following format: https://<subdomain>.mycompany.com/saml/SSO/alias/<subdomain>/local

      For example, if your Aternity on-premise system is at https://aternity.mycompany.com, and your enterprise's SSO subdomain is ssoaccess, the URL would be https://ssoaccess.aternity.mycompany.com/saml/SSO/alias/ssoaccess/local.

    Configure Identifiers > Relying party trust identifier

      Enter the URL that AD FS uses to identify Aternity in your organization, in authentication requests and responses (also known as the SP Entity ID).

      Use this format: https://<subdomain>.mycompany.com

      For example, if your Aternity on-premise system is at https://aternity.mycompany.com, and your enterprise's SSO subdomain is ssoaccess, the URL would be https://ssoaccess.mycompany.com.

    Choose Issuance Authorization Rules (AD FS 2.0 only)

      Select Permit all users to access this relying party to enable SSO for all of your Active Directory users.

      Access to Aternity itself is limited by the users you add or configure in the Aternity system: every SSO user must also be listed in Aternity, where their roles and permissions are defined.

  3. Configure the properties of the relying party trust which you just created.

    Select Relying Party Trusts in the left sidebar, and in the center, right-click your Aternity relying party trust, and select Properties.

    Open the relying party trust properties

    Advanced > Secure hash algorithm

      Select SHA-256 or SHA-1. SHA-256 is the recommended choice; SHA-1 is deprecated for signing and should be used only if the other side cannot handle SHA-256.

    Aternity connects to AD FS via an endpoint, which manages the authentication process. Create the endpoint by selecting Endpoints > Add SAML.

    Add an AD FS endpoint to enable SSO communication

    Endpoint type

      Select SAML Assertion Consumer, which manages authentication communication with Aternity (the consumer).

    Binding

      Select POST, so that the SAML assertion is carried in the body of the HTTP POST rather than in the URL of the request, where it could be logged or cached.

    Trusted URL

      Enter the same URL as the Relying party SAML 2.0 service URL.

      Use this format: https://<subdomain>.mycompany.com

      For example, if your Aternity on-premise system is at https://aternity.mycompany.com, and your enterprise's SSO subdomain is ssoaccess, the URL would be https://ssoaccess.mycompany.com.

  4. Create a claims rule to configure the attributes which identify the user before processing the authentication request.

    Right-click the relying party trust you created and select Edit Claim Issuance Policy.

    Follow the instructions to send LDAP attributes as claims, until you reach the Configure Claim Rule screen.

    Aternity SSO uses the email address to identify the user. Therefore, when creating a claim rule, you need to map the AD's E-Mail-Addresses attribute to the Name ID claim, which Aternity uses to identify the user.

    Map the LDAP's email address as Name ID sent for SSO

    Attribute store

      Select Active Directory to send a field from the AD as the identifier.

    Mapping of LDAP attributes to outgoing claim types

      Map the AD's email address as the identifier of the user:

      • In the LDAP Attribute column, select E-Mail-Addresses.

      • In the Outgoing Claim Type column, select Name ID.

  5. Continue by enabling SSO in Aternity.
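The relying party trust, SAML endpoint, issuance rules and Name ID claim rule from Steps 2 to 4, created with the AD FS PowerShell cmdlets instead of the wizard. This is an added example, not part of the Aternity documentation; it assumes AD FS 3.0 (Windows Server 2012 R2), an AD FS administrator session, and uses the documentation's example host names, which are placeholders for your own.

```powershell
# Added example (not from the Aternity documentation): Steps 2-4 as AD FS 3.0 cmdlets.
# Host names below are the documentation's example values, not real systems.
$spEntityId = "https://ssoaccess.mycompany.com"   # Relying party trust identifier (SP Entity ID)
$acsUrl     = "https://ssoaccess.aternity.mycompany.com/saml/SSO/alias/ssoaccess/local"  # SP consumer URL

# Step 3: SAML Assertion Consumer endpoint over the POST binding, so the assertion
# is carried in the request body rather than in the URL.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $acsUrl -Index 0 -IsDefault $true

# Step 2: issuance authorization rule "Permit all users to access this relying party".
# Aternity itself restricts sign-in to users that are listed in Aternity.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 4: read the mail attribute (E-Mail-Addresses) from Active Directory for the
# authenticated Windows account and issue it as the Name ID claim.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-Mail-Addresses as Name ID for Aternity"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Step 2 and 3 combined: the trust with its identifier, endpoint, SHA-256 signing and rules.
Add-AdfsRelyingPartyTrust -Name "Aternity SSO" `
    -Identifier $spEntityId `
    -SamlEndpoint $endpoint `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check: the trust exists, signs with SHA-256 and exposes one POST assertion consumer endpoint.
$rp = Get-AdfsRelyingPartyTrust -Name "Aternity SSO"
$rp | Select-Object Name, Identifier, SignatureAlgorithm
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
```

On AD FS 2.0 the same cmdlets are loaded with Add-PSSnapin Microsoft.Adfs.PowerShell first; the final two lines are the check that the wizard settings in Steps 2 and 3 were applied as intended.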