Configure Single Sign-On (SSO) to use your Active Directory (AD FS) as your Identity Provider

You can use your Microsoft Active Directory (AD) as the identity provider (IdP) for your enterprise users to sign in to Aternity via SSO with their network username and password. SSO bypasses Aternity's own sign-in screen: users authenticate once with your enterprise's chosen IdP, using whatever that IdP enforces (passwords, two-factor authentication (2FA), or biometrics), and Aternity never sees their credentials. Every time an SSO user accesses Aternity, Aternity redirects the browser to the IdP; after authentication, the IdP sends the browser back to Aternity with a signed SAML response, and the user lands on the Aternity home page already signed in. SSO uses the SAML 2.0 protocol to delegate the entire authentication process to the IdP.

To act as an SSO IdP, AD requires an additional component, Active Directory Federation Services (AD FS). Aternity's SSO supports AD FS 2.0 or 3.0.

Use Active Directory as your identity provider for SSO access

Before you begin
To use Active Directory as an IdP, you must have:
- An Active Directory instance in which every user who will sign in to Aternity has an email address attribute. AD FS sends this value as the user's identifier, so a user without it cannot sign in.
- An Aternity account.

Procedure

Step 1
Install Active Directory Federation Services (AD FS) 2.0 or 3.0, to enable Active Directory to share identity and authentication information securely with Aternity. Follow the procedure in Microsoft's documentation.

Step 2
Create a relying party trust, which defines the application that relies on AD FS for users' identity and authentication. In this case, you want Aternity SSO to use AD for authentication. Follow the procedure in Microsoft's documentation. When creating the relying party trust, use these settings and parameters in the wizard:

Field: Welcome page (AD FS 3.0 only)
Description: Select Claims Aware, so that the trust can receive authentication requests from Aternity SSO and return identity claims.

Field: Select Data Source
Description: Select Enter data about the relying party manually, so that you can enter details about the relying party (Aternity SSO).

Field: Choose profile (AD FS 2.0 only)
Description: Select AD FS profile. Aternity SSO does not support the AD FS 1.0 profile.

Field: Configure Certificates
Description: Accept the default settings. Supply a token encryption certificate here only if you want AD FS to encrypt the claims it issues to Aternity, in addition to signing them.

Field: Configure URL
Description: Select Enable support for the SAML 2.0 WebSSO protocol, as this is the protocol which Aternity uses for its SSO implementation.

Field: Relying party SAML 2.0 SSO service URL
Description: Enter the URL to which AD FS sends the user back to Aternity after authentication (also known as the SP consumer URL). Use the following format: https://<subdomain>.<system>.aternity.com/saml/SSO/alias/<subdomain>/local. For example, if your enterprise's SSO subdomain is mycompany and your Aternity SaaS system is at https://my.aternity.com, the URL would be https://mycompany.my.aternity.com/saml/SSO/alias/mycompany/local.

Field: Configure Identifiers > Relying party trust identifier
Description: Enter the URL that AD FS uses to identify Aternity in your organization, in authentication requests and responses (also known as the SP Entity ID). Use this format: https://<subdomain>.<system>.aternity.com. For example, if your enterprise's SSO subdomain is mycompany and your Aternity SaaS system is at https://my.aternity.com, the URL would be https://mycompany.my.aternity.com.

Field: Choose Issuance Authorization Rules (AD FS 2.0 only)
Description: Select Permit all users to access this relying party to enable SSO for all of your Active Directory users. This rule only decides whether AD FS issues a token; it does not grant access to Aternity. You limit access to Aternity by choosing the usernames which you add or configure in the Aternity system. Every SSO user must also be listed in Aternity to define their permissions and roles.

Step 3
Configure the properties of the relying party trust which you just created. Select Relying Party Trusts in the left sidebar, and in the center, right-click your Aternity relying party trust, and select Properties.

Field: Advanced > Secure hash algorithm
Description: Select SHA-256 or SHA-1. This is the algorithm AD FS uses to sign the SAML response. Choose SHA-256 unless you have a specific reason not to; SHA-1 is deprecated for digital signatures.

AD FS delivers the signed SAML response to an endpoint on the relying party (Aternity), which manages the authentication exchange. When you enabled SAML 2.0 WebSSO in the wizard, AD FS created this endpoint from the service URL you entered; verify it under Endpoints, and if it is missing, create it by selecting Endpoints > Add SAML:

Field: Endpoint type
Description: Select SAML Assertion Consumer, the endpoint type which receives the authentication response on behalf of Aternity (the consumer).

Field: Binding
Description: Select POST. With the HTTP-POST binding the SAML response travels in the body of an HTML form submission rather than in a URL query string, so the authentication data does not appear in browser history, proxy logs or caches.

Field: Trusted URL
Description: Enter exactly the same URL as the Relying party SAML 2.0 SSO service URL from Step 2, including the path: https://<subdomain>.<system>.aternity.com/saml/SSO/alias/<subdomain>/local. For example, if your enterprise's SSO subdomain is mycompany and your Aternity SaaS system is at https://my.aternity.com, the URL would be https://mycompany.my.aternity.com/saml/SSO/alias/mycompany/local.

Step 4
Create a claim rule to configure the attributes which identify the user in the authentication response. Right-click the relying party trust you created and select Edit Claim Issuance Policy. Follow the instructions to send LDAP attributes as claims, until you reach the Configure Claim Rule screen.

Aternity SSO uses the email address to identify the user. Therefore, when creating the claim rule, you must map the AD E-Mail-Addresses attribute to the Name ID outgoing claim, which Aternity reads to identify the user.

Setting: Attribute store
Value: Select Active Directory to send a field from the AD as the identifier.

Setting: Mapping of LDAP attributes to outgoing claim types
Value: Map the AD email address as the identifier of the user: in the LDAP Attribute column, select E-Mail-Addresses; in the Outgoing Claim Type column, select Name ID. The E-Mail-Addresses mapping is mandatory, but you can optionally add more.

Tip: To allow Aternity to create a group of SSO users who share the same property and value, add more mappings here (like memberOf), where each outgoing claim maps to an attribute in your LDAP.

Step 5
Continue by enabling SSO in Aternity.

Parent topic: Integrate Single Sign-On (SSO) Access to Aternity
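The same relying party trust, built with the AD FS PowerShell cmdlets instead of the wizard, as an added example that is not part of the Aternity page or of Microsoft's documentation. It covers Steps 2 to 4 above and then reads the trust back so you can check the identifier, endpoint, binding and hash algorithm before enabling SSO in Aternity. The subdomain mycompany and system my.aternity.com are the page's example values; the display name "Aternity SSO", the optional memberOf rule and its outgoing Group claim type are assumptions made here.

```powershell
# Added example (not Aternity's or Microsoft's code). Run in an elevated
# PowerShell session on the AD FS server.

# AD FS 3.0 ships the ADFS module; AD FS 2.0 exposes the same cmdlets as a snap-in.
if (Get-Module -ListAvailable -Name ADFS) {
    Import-Module ADFS
} else {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$subdomain = 'mycompany'        # assumed: your enterprise SSO subdomain
$system    = 'my.aternity.com'  # assumed: your Aternity SaaS system
$entityId  = "https://$subdomain.$system"                                  # SP Entity ID (Step 2)
$acsUrl    = "https://$subdomain.$system/saml/SSO/alias/$subdomain/local"  # SP consumer URL (Steps 2 and 3)

# Step 3: one SAML Assertion Consumer endpoint using the HTTP-POST binding.
$acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $acsUrl -Index 0

# Step 4: issue the AD "mail" attribute (E-Mail-Addresses) as the Name ID claim.
# The query is ";<ldap attribute>;{0}", where {0} is the authenticated account name.
# The second rule is the optional memberOf mapping from the Tip; the outgoing
# claim type used for it here is an assumption.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email address as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Group membership (optional)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";memberOf;{0}", param = c.Value);
'@

# Step 2: "Permit all users to access this relying party". AD FS issues a token to
# any AD user; Aternity still refuses users that are not listed in Aternity.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'Aternity SSO' `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verification: these values must match what Aternity expects, otherwise the
# SAML response is rejected (wrong identifier or signature) or mis-routed (wrong endpoint).
$rp = Get-AdfsRelyingPartyTrust -Name 'Aternity SSO'
$rp | Select-Object Name, Identifier, SignatureAlgorithm
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location, Index
```

The SignatureAlgorithm value selects SHA-256 for the response signature, matching the Advanced > Secure hash algorithm choice in Step 3; to change an existing trust rather than create one, use Set-AdfsRelyingPartyTrust -TargetName 'Aternity SSO' with the same parameters.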