Configure Single Sign-On (SSO) to use your Active Directory (ADFS) as your Identity Provider

You can use your Microsoft Active Directory (AD) as the identity provider (IdP) for your enterprise users to sign in to Aternity via SSO with their network username and password. Single Sign-On (SSO) allows you to bypass Aternity's sign-in screen by authenticating just once with your enterprise's chosen identity provider (IdP). Every time you access Aternity, it automatically reroutes you to the IdP, and after authentication it automatically routes you back to your Aternity home page as a signed-in user. The IdP therefore manages the entire authentication process, which can include two-factor authentication, biometrics, or a simple password, so Aternity does not store any passwords in the system.

To act as an SSO IdP, AD requires an additional module called Active Directory Federation Services (AD FS). Aternity's SSO supports AD FS 2.0 or 3.0.

Use Active Directory as your identity provider for SSO access

Before you begin

To use Active Directory as an IdP, you must have:
- An Active Directory instance in which all users have an email address attribute.
- An Aternity account.

Procedure

Step 1. Install Active Directory Federation Services (AD FS) 2.0 or 3.0 to enable Active Directory to share identity and authentication information securely with Aternity. Follow the procedure in Microsoft's documentation.

Step 2. Create a relying party trust to define the application which needs AD FS for users' identity and authentication. In this case, you want Aternity SSO to use AD for authentication. Follow the procedure in Microsoft's documentation. When creating the relying party trust, use these settings and parameters in the wizard:

Welcome page (AD FS 3.0 only): Select Claims Aware to ensure it can receive requests from Aternity SSO for authentication and identification.
Select Data Source: Select Enter data about the relying party manually, so that you can enter details about the relying party (Aternity SSO).
Choose profile (AD FS 2.0 only): Select AD FS profile. Aternity SSO does not support AD FS 1.0.
Configure Certificates: Accept the default settings. Change these settings only if you want to encrypt the requests ('claims') to AD FS for identification and authentication.
Configure URL: Select Enable Support for the SAML 2.0 WebSSO protocol, as this is the protocol which Aternity uses for its SSO implementation.
Relying party SAML 2.0 service URL: Enter the URL to which AD FS sends the user back to Aternity after authentication (also known as the SP consumer URL). Use the following format: https://<subdomain>.mycompany.com/saml/SSO/alias/<subdomain>/local. For example, if your Aternity on-premise system is at https://aternity.mycompany.com and your enterprise's SSO subdomain is ssoaccess, the URL would be https://ssoaccess.aternity.mycompany.com/saml/SSO/alias/ssoaccess/local.
Configure Identifiers > Relying party trust identifier: Enter the URL that AD FS uses to identify Aternity in your organization in authentication requests and responses (also known as the SP Entity ID). Use this format: https://<subdomain>.mycompany.com. For example, if your Aternity on-premise system is at https://aternity.mycompany.com and your enterprise's SSO subdomain is ssoaccess, the URL would be https://ssoaccess.mycompany.com.
Choose Issuance Authorization Rules (AD FS 2.0 only): Select Permit all users to access this relying party to enable SSO for all of your Active Directory users. You limit access to Aternity by choosing the usernames which you add or configure in the Aternity system. Every SSO user must also be listed in Aternity to define their permissions and roles.

Step 3. Configure the properties of the relying party trust which you just created. Select Relying Party Trusts in the left sidebar, then in the center right-click your Aternity relying party trust and select Properties.

Open the relying party trust properties:
Advanced > Secure hash algorithm: Select SHA-256 or SHA-1. SHA-256 is the stronger choice; SHA-1 is deprecated for signatures and should only be used where a legacy component requires it.

Aternity connects to AD FS via what Microsoft calls an endpoint, which manages the authentication process. Create the endpoint by selecting Endpoints > Add SAML.

Add an AD FS endpoint to enable SSO communication:
Endpoint type: Select SAML Assertion Consumer, which manages authentication communication with Aternity (the consumer).
Binding: Select POST so that the authentication data is not exposed in the URL of SSO HTTP requests and the requests are not cached.
Trusted URL: Enter the same URL as the Relying party SAML 2.0 service URL. Use this format: https://<subdomain>.mycompany.com. For example, if your Aternity on-premise system is at https://aternity.mycompany.com and your enterprise's SSO subdomain is ssoaccess, the URL would be https://ssoaccess.mycompany.com.

Step 4. Create a claims rule to configure the attributes which identify the user before processing the authentication request. Right-click on the relying party trust you created and select Edit Claim Issuance Policy. Follow the instructions to send LDAP attributes as claims until you reach the Configure Claim Rule screen. Aternity SSO uses the email address to identify the user, so when creating a claim rule you map the AD E-Mail-Addresses attribute to the Name ID claim, which Aternity uses to identify the user.

Map the LDAP email address as the Name ID sent for SSO:
Attribute store: Select Active Directory to send a field from the AD as the identifier.
Mapping of LDAP attributes to outgoing claim types: Map the AD email address as the identifier of the user: in the LDAP Attribute column, select E-Mail Addresses; in the Outgoing Claim Type column, select Name ID.

Step 5. Continue by enabling SSO in Aternity.
Parent topic: Integrate Single Sign-On (SSO) Access to Aternity
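The wizard settings in Steps 2 to 4 can also be applied from the AD FS PowerShell module, which makes the configuration reviewable and repeatable. The script below is an added example, not code from the Aternity documentation or from Microsoft. It uses the page's own example values (subdomain ssoaccess, domain mycompany.com); the trust name "Aternity SSO" is an assumption, and the SAML endpoint is given the service URL, as the Trusted URL description's first sentence instructs.

```powershell
# Added example: scripted equivalent of the relying party trust configuration described above.
# Not from the Aternity documentation. $Subdomain follows the page's example; $TrustName is assumed.
# Run on the AD FS server in an elevated PowerShell session.
Import-Module ADFS

$Subdomain = 'ssoaccess'                          # your enterprise's SSO subdomain (page example)
$TrustName = 'Aternity SSO'                       # display name of the relying party trust (assumed)
$EntityId  = "https://$Subdomain.mycompany.com"   # Relying party trust identifier (SP Entity ID)
$AcsUrl    = "https://$Subdomain.aternity.mycompany.com/saml/SSO/alias/$Subdomain/local"  # SP consumer URL

# Step 3: SAML Assertion Consumer endpoint with the POST binding, pointing at the service URL
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Step 4: send the user's AD E-Mail-Addresses attribute (LDAP "mail") as the outgoing Name ID claim
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-Mail Addresses as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Step 2: "Permit all users to access this relying party"; Aternity itself limits access
# to the usernames listed in its own system
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 2 and 3 combined: create the trust with the SP Entity ID, the endpoint,
# SHA-256 as the secure hash algorithm, and both rule sets
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $EntityId `
    -SamlEndpoint $Endpoint `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules

# Check: the trust should expose exactly one POST assertion-consumer endpoint at the service URL
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$Trust.SamlEndpoints |
    Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' } |
    Select-Object Binding, Location, Index
```

The final check is worth keeping as a post-change verification: a second consumer endpoint, a Redirect binding, or a Location that does not match the SP consumer URL configured in Aternity are the usual reasons an SSO login loops or fails after the trust is created.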