Articles in this section

ADFS SSO Specific Configuration/Details

  • Updated

mceclip0.png

The general PainChek SSO configuration is documented here: Configuring Client SSO

The following screenshots show an example of a working PainChek ADFS SSO integration. Some of the configuration is ADFS specific and is not documented elsewhere, so it is important to ensure all steps documented in this guide are followed.

To set up SSO for ADFS, there are three main steps:

  • create and configure a Relying Party Trust

  • create and configure claim rules for the Relying Party Trust

  • configure the signing

ADFS Configuration

Configuring Relying Party Trust

During the Select Data Source section, select "Enter data about the relying party manually".

mceclip1.png

Relying Party Trust record

ADFS Configuration starts with create a “PainChek” Relying Party Trust record - e.g.:

mceclip1.png

Relying Party Trust properties

You can view and configure the “PainChek” Relying Party Trust properties by selecting the PainChek and selecting the Properties option:

mceclip2.png

Endpoints

mceclip3.png

Add a SAML endpoint, configured with the ACS URL supplied by PainChek:

mceclip4.png

Ensure the Secure hash algorithm is SHA-256

Identifiers

mceclip5.png

Set the Display name to PainChek (or something suitable) and add the ACS URL supplied by PainChek as a Relying party identifier:

Unused Tabs

No configuration is need for these tabs:

  • Organisation

  • Proxy Endpoints

  • Notes

  • Monitoring

  • Encryption

  • Signature

  • Accepted Claim Types

Claim Rules

Once the PainChek” Relying Party Trust record is created, the next step is to configure the claim rules.

:warning: Please note there are two claim rules that need to be setup. The first rule supplies the documented PainChek claims and the second - the Transform NameId rule - is specific to ADFS integrations and is not documented elsewhere.

Claim Rules Overview

You can view and configure the “PainChek” Relying Party Trust Claim Rules by selecting the PainChek and selecting the Edit Claim Rules... option:

mceclip6.png

Two rules are required for ADFS - User Attributes and Transform NameId:

mceclip7.png

User Attribute Claim Rule

This is the claim that you use to configure the claims that PainChek requires - see Configuring Client SSO for a list of the claims.

Create this rule using the Send LDAP Attributes as Claims rule template.

mceclip8.png

Populate the fields as follows:

  • Claim rule name: User Attribute (you can name this as you see fit)

  • Attribute store: Active Directory

  • Mapping of LDAP attributes to outgoing types: This will vary depending on which claims you are sending to PainChek, but a typical set of claims is:

LDAP Attribute

 

Outgoing Claim Type

 

E-Mail-Addresses

Email

Given-Name

FirstName

Surname

LastName

Token-Groups - Unqualified Names

IDPGroupIds

Title

JobTitle

mceclip9.png

Transform NameId Claim Rule

This is a claim that is needed to provide the NameId claim to PainChek.

mceclip16.pngThe reason this transformation is needed is to ensure the claim included in the correct (i.e. the <Subject>) section of the payload submitted to PainChek. Simply adding the NameId claim to the list of attributes in the User Attribute claim rule will not work as those attributes appear in the <AttributeStatement> section of the payload).

Create this rule using the Transform an Incoming Claim rule template.

mceclip10.png

Populate the fields as follows:

  • Claim rule name: Transform NameId (you can name this as you see fit)

  • Incoming Claim Type: UPN

  • Outgoing Claim Type: Name Id

  • Outgoing name Id format: UPN

  • Pass through all claim values: selected

Certificates & Signing

Token Signing Certificate

A certificate must be used to sign the claims sent to PainChek (so we can authenticate the data we receive can be trusted). A signing certificate is managed under under ServiceCertificatesAdd Token-Signing certificate.

mceclip11.png

Signing

You must ensure SAML Response signatures are signed, but that assertions are not.

Issue the following PowerShell command to achieve this:

Set-AdfsRelyingPartyTrust -TargetIdentifier <ACS URL> -SamlResponseSignature 
"MessageOnly"

Replace <ACS URL> with the ACS URL supplied by PainChek.

PainChek SSO Configuration

When configuring SSO in PainChek, there are a number of ADFS sourced fields required. These can be sourced as follows:

 
 

PainChek SSO Instance field

 

AFDS Source

 

Example

 
1

IDP Metadata URL

https://< hostname >/federationmetadata/2007-06/federationmetadata.xml (see also the IDP Metadata URL section below)

https://organisation.com/federationmetadata/2007-06/federationmetadata.xml
2

IDP Certificate

The Token-Signing certificate (Base64)
mceclip13.png

Note we are after the contents between
-----BEGIN CERTIFICATE----- and
-----END CERTIFICATE-----
3

IDP Entity Id

Extract from the entityID value from the metadata XML file (see note 1)

http://fs.organisation.com.au/adfs/services/trust
4

IDP SSO URL

https://< hostname >/adfs/ls.

This value can be checked by looking for the SingleSignOnService value in the metadata XML file (see note 1)

https://organisation.com/adfs/ls

mceclip15.png Notes:

  1. The metadata XML file can be downloaded by accessing the IDP Metadata URL from any browser.

IDP Metadata URL

The source for the meta data URL can be confirmed by accessing ServiceEndpointsMetadata group → Deferation Metadata type record:

mceclip14.png

Related articles