The general PainChek SSO configuration is documented here: Configuring Client SSO
The following screenshots show an example of a working PainChek ADFS SSO integration. Some of the configuration is ADFS specific and is not documented elsewhere, so it is important to ensure all steps documented in this guide are followed.
To set up SSO for ADFS, there are three main steps:
- create and configure a Relying Party Trust
- create and configure claim rules for the Relying Party Trust
- configure the signing
ADFS Configuration
Configuring Relying Party Trust
During the Select Data Source step of the Add Relying Party Trust wizard, select "Enter data about the relying party manually".
Relying Party Trust record
ADFS configuration starts with creating a "PainChek" Relying Party Trust record, e.g.:
Relying Party Trust properties
You can view and configure the "PainChek" Relying Party Trust properties by selecting the PainChek trust and choosing the Properties option:
Endpoints
Add a SAML endpoint (endpoint type SAML Assertion Consumer), configured with the ACS URL supplied by PainChek:
Ensure the Secure hash algorithm (on the Advanced tab) is SHA-256; ADFS defaults to SHA-256 on current versions, but a trust created with SHA-1 will produce signatures PainChek should not accept.
Identifiers
Set the Display name to PainChek (or something suitable) and add the ACS URL supplied by PainChek as a Relying party identifier:
Unused Tabs
No configuration is needed for these tabs:
- Organisation
- Proxy Endpoints
- Notes
- Monitoring
- Encryption
- Signature
- Accepted Claim Types
Claim Rules
Once the "PainChek" Relying Party Trust record is created, the next step is to configure the claim rules.
Please note there are two claim rules that need to be set up. The first rule supplies the documented PainChek claims; the second, the Transform NameId rule, is specific to ADFS integrations and is not documented elsewhere.
Claim Rules Overview
You can view and configure the "PainChek" Relying Party Trust claim rules by selecting the PainChek trust and choosing the Edit Claim Rules... option:
Two rules are required for ADFS: User Attributes and Transform NameId:

User Attribute Claim Rule
This is the rule you use to configure the claims that PainChek requires; see Configuring Client SSO for the list of claims.
Create this rule using the Send LDAP Attributes as Claims rule template.
Populate the fields as follows:
- Claim rule name: User Attribute (you can name this as you see fit)
- Attribute store: Active Directory
- Mapping of LDAP attributes to outgoing claim types: this will vary depending on which claims you are sending to PainChek, but a typical set of claims is:

LDAP Attribute | Outgoing Claim Type
E-Mail-Addresses | (see Configuring Client SSO for the claim name)
Given-Name | FirstName
Surname | LastName
Token-Groups - Unqualified Names | IDPGroupIds
Title | JobTitle
Transform NameId Claim Rule
This is a rule that is needed to provide the NameId claim to PainChek.
The reason this transformation is needed is to ensure the claim is included in the correct section (i.e. the <Subject> element) of the payload submitted to PainChek. Simply adding the NameId claim to the list of attributes in the User Attribute claim rule will not work, as those attributes appear in the <AttributeStatement> section of the payload.
Create this rule using the Transform an Incoming Claim
rule template.

Populate the fields as follows:
- Claim rule name: Transform NameId (you can name this as you see fit)
- Incoming Claim Type: UPN
- Outgoing Claim Type: Name Id
- Outgoing name Id format: UPN
- Pass through all claim values: selected
Certificates & Signing
Token Signing Certificate
A certificate must be used to sign the claims sent to PainChek, so that PainChek can verify that the data it receives is authentic. A signing certificate is managed under Service → Certificates → Add Token-Signing certificate. Note that this action is only available when automatic certificate rollover is disabled; with rollover enabled (the ADFS default) ADFS generates and rotates the token-signing certificate itself, and the IDP Certificate configured in PainChek must be updated whenever the primary certificate changes.
Signing
You must ensure the SAML Response (the message) is signed, but that the assertion inside it is not separately signed. This setting is not exposed in the ADFS management console; issue the following PowerShell command to achieve it:
Set-AdfsRelyingPartyTrust -TargetIdentifier <ACS URL> -SamlResponseSignature "MessageOnly"
Replace <ACS URL> with the ACS URL supplied by PainChek (the same value configured as the relying party identifier). The other accepted values are "AssertionOnly" (the ADFS default) and "MessageAndAssertion"; PainChek expects the signature on the Response, so "MessageOnly" is the one to use. You can confirm the setting by running Get-AdfsRelyingPartyTrust -Identifier <ACS URL> and checking the SamlResponseSignature property.
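The three steps above (trust, claim rules, signing) as one scripted build, added here as an example and not PainChek's or Microsoft's own script. It uses the ADFS PowerShell module on the primary ADFS server. The ACS URL is a placeholder; the POST binding for the ACS endpoint, the outgoing claim name "Email" (blank in the table above) and the permit-everyone authorization rule are assumptions, marked in the comments.

```powershell
# Added example: build the PainChek Relying Party Trust from PowerShell instead of the console.
# Run in an elevated session on the primary ADFS server. Assumptions are marked below.
Import-Module ADFS

# Placeholder: replace with the ACS URL supplied by PainChek. The same URL serves as SAML
# endpoint, relying party identifier and -TargetIdentifier for the signing setting.
$AcsUrl = 'https://sso.painchek.example/saml/acs'

$Claims = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'

# Rule 1: "Send LDAP Attributes as Claims" template, attribute store Active Directory.
# Outgoing names follow the table above; "Email" for E-Mail-Addresses is an assumption.
# "Token-Groups - Unqualified Names" is the tokenGroups attribute in rule language.
$userAttributeRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "User Attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName", "IDPGroupIds", "JobTitle"), query = ";mail,givenName,sn,tokenGroups,title;{0}", param = c.Value);
"@

# Rule 2: "Transform an Incoming Claim" template: UPN -> Name ID, Name ID format UPN,
# pass through all claim values. Issuing the nameidentifier claim type is what makes ADFS
# emit the value as <Subject><NameID>; a UPN attribute from rule 1 would only land in
# <AttributeStatement>, which PainChek does not use for the subject.
$transformNameIdRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Transform NameId"
c:[Type == "$Claims/upn"]
 => issue(Type = "$Claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
"@

# Create the trust: SAML Assertion Consumer endpoint (POST binding assumed), identifier = ACS URL,
# SHA-256 signatures, Response signed but assertion not ("MessageOnly"). Claims are not
# encrypted, matching the unconfigured Encryption tab. The permit-everyone issuance
# authorization rule is an assumption; on ADFS 2016+ -AccessControlPolicyName 'Permit everyone'
# is the equivalent.
Add-AdfsRelyingPartyTrust -Name 'PainChek' `
    -Identifier $AcsUrl `
    -SamlEndpoint (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0) `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -SamlResponseSignature MessageOnly `
    -IssuanceTransformRules ($userAttributeRule + "`n" + $transformNameIdRule) `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# The page's own command, for a trust that was created in the console instead:
Set-AdfsRelyingPartyTrust -TargetIdentifier $AcsUrl -SamlResponseSignature 'MessageOnly'

# Verify the settings PainChek's signature check depends on. Expect SignatureAlgorithm ending in
# rsa-sha256, SamlResponseSignature MessageOnly, EncryptClaims False and a single
# SAMLAssertionConsumer endpoint at the ACS URL.
$rpt = Get-AdfsRelyingPartyTrust -Name 'PainChek'
$rpt | Select-Object Name, Identifier, SignatureAlgorithm, SamlResponseSignature, EncryptClaims
$rpt.SamlEndpoints | Select-Object Protocol, Binding, Location, Index

# The certificate PainChek must hold as "IDP Certificate" is the primary token-signing certificate.
Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary |
    Select-Object Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

Re-running Add-AdfsRelyingPartyTrust against an existing name fails; for changes to an existing trust use Set-AdfsRelyingPartyTrust with the same parameters. Keep the thumbprint from the last command: it is the value to compare against whatever certificate is pasted into PainChek.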
PainChek SSO Configuration
When configuring SSO in PainChek, a number of the required fields are sourced from ADFS. They can be obtained as follows:

# | PainChek field | Where it comes from | Example
1 | IDP Metadata URL | https://< hostname >/federationmetadata/2007-06/federationmetadata.xml (see also the IDP Metadata URL section below) | https://organisation.com/federationmetadata/2007-06/federationmetadata.xml
2 | IDP Certificate | The Token-Signing certificate (Base64). Note we are after the contents between | 
3 | IDP Entity Id | Extract from the | http://fs.organisation.com.au/adfs/services/trust
4 | IDP SSO URL | https://< hostname >/adfs/ls. This value can be checked by looking for the | https://organisation.com/adfs/ls
Notes:
- The metadata XML file can be downloaded by accessing the IDP Metadata URL from any browser.
IDP Metadata URL
The source for the metadata URL can be confirmed by accessing Service → Endpoints → Metadata group → Federation Metadata type record:
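The table above asks for four values that all live in the federation metadata document. The following added example (not PainChek's or Microsoft's code) parses that document and returns the four fields, choosing the HTTP-POST SingleSignOnService and the KeyDescriptor marked use="signing" rather than the encryption certificate, and warning when more than one signing certificate is listed (a pending rollover). The metadata embedded in the block is a constructed, minimal sample with placeholder certificate text; the function name Get-PainChekIdpSettings and the optional Test-IdpCertificateIsPrimary check are this example's own.

```powershell
# Added example: derive the PainChek "IDP" fields from ADFS federation metadata.
# Works offline against the constructed sample below; for live use fetch the real document
# with Invoke-WebRequest over HTTPS from the IDP Metadata URL.

function Get-PainChekIdpSettings {
    param(
        [Parameter(Mandatory)][string]$MetadataXml,
        [string]$MetadataUrl = '(not fetched)'
    )
    # Parse with DTD processing prohibited and no external resolver: the document comes from
    # a remote host, so do not let XML entities reach the file system or network.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver = $null
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $MetadataXml), $settings)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($reader)

    $entity = $xml.EntityDescriptor
    $idp = $entity.IDPSSODescriptor
    if (-not $idp) { throw 'No IDPSSODescriptor found: this is not IdP metadata' }

    # ADFS advertises HTTP-Redirect and HTTP-POST for /adfs/ls; PainChek posts to it, so take POST.
    $sso = @($idp.SingleSignOnService |
        Where-Object { $_.Binding -eq 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' })
    if ($sso.Count -ne 1) { throw "Expected one HTTP-POST SingleSignOnService, found $($sso.Count)" }

    # Only use="signing" (or no use attribute, meaning both) verifies the Response signature.
    # The use="encryption" certificate must never be pasted into the IDP Certificate field.
    $signing = @($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' -or -not $_.use })
    if ($signing.Count -eq 0) { throw 'No signing KeyDescriptor found' }
    if ($signing.Count -gt 1) {
        Write-Warning "Metadata lists $($signing.Count) signing certificates (rollover pending?); confirm the primary one with Get-AdfsCertificate"
    }
    $certB64 = ($signing[0].KeyInfo.X509Data.X509Certificate -replace '\s', '')

    [pscustomobject]@{
        IdpMetadataUrl = $MetadataUrl
        IdpEntityId    = $entity.entityID
        IdpSsoUrl      = $sso[0].Location
        IdpCertificate = $certB64
    }
}

# Optional cross-check on the ADFS server: the certificate taken from the metadata must be the
# primary token-signing certificate, otherwise PainChek will reject every Response after rollover.
function Test-IdpCertificateIsPrimary {
    param([Parameter(Mandatory)][string]$CertificateBase64)
    $fromMeta = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        (, [Convert]::FromBase64String($CertificateBase64))
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    return ($fromMeta.Thumbprint -eq $primary.Thumbprint)
}

# Constructed sample metadata (not real ADFS output): one encryption and one signing key,
# Redirect and POST bindings, placeholder text instead of certificate bytes.
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://fs.organisation.com.au/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>SIGNING-CERT-PLACEHOLDER</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://organisation.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://organisation.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

$metadataUrl = 'https://organisation.com/federationmetadata/2007-06/federationmetadata.xml'
Get-PainChekIdpSettings -MetadataXml $sampleMetadata -MetadataUrl $metadataUrl | Format-List
# Live use (on any machine that can reach ADFS):
#   $live = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
#   $fields = Get-PainChekIdpSettings -MetadataXml $live -MetadataUrl $metadataUrl
#   Test-IdpCertificateIsPrimary -CertificateBase64 $fields.IdpCertificate   # on the ADFS server only
```

The IdpCertificate value is the Base64 body of the certificate without header or footer lines, which is the form the X509Certificate element carries; wrap it in BEGIN/END CERTIFICATE lines if PainChek's form expects PEM. Because the page's own process pastes a static certificate into PainChek, schedule the cross-check to run before the primary certificate rolls over (Get-AdfsProperties shows the rollover settings), not after sign-ins start failing.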