
Configuring SSO with AD FS


Before configuring SSO, make sure that the APP_URL parameter in config.env matches the current Passwork domain, for example APP_URL=https://passwork.example.com. AD FS compares the Entity ID and Reply URL it receives with the values registered in the trust, so a mismatch here breaks the login.

The following server names are used in the examples below:

  • Identity Provider (IdP) — ad-fs.passwork.local
  • Passwork server (Service Provider, SP) — passwork.example.com

Adding a Relying Party Trust

Open Server Manager → Tools → AD FS Management → Relying Party Trusts and use the Actions pane.



In the Add Relying Party Trust Wizard, perform the following steps:

  1. Select Claims aware;
  2. Select Enter data about the relying party manually;
  3. Fill in the Display name (example: passwork-sp);
  4. Skip the Configure Certificate step, click Next;
  5. In the Configure URL step:
    1. Enable support for the SAML 2.0 WebSSO protocol;
    2. In Passwork, open Settings and Users → SSO Settings and copy the Reply URL;
    3. Paste it into Relying party SAML 2.0 SSO service URL: https://passwork.example.com/api/v1/sso/acs
  6. In the Configure Identifiers step:
    1. In Passwork, open Settings and Users → SSO Settings and copy the Identifier (Entity ID);
    2. Paste it into Relying party trust identifier: https://passwork.example.com/api/v1/sso/metadata
  7. Skip the Choose Access Control Policy step, click Next;
  8. Skip the Ready to Add Trust step, click Next.

Open the Properties of the created Relying Party Trust.



In Properties, go to the Endpoints tab and perform the following actions:

  1. Click Add SAML;
  2. Endpoint type — SAML Logout;
  3. Binding — Redirect;
  4. In Passwork, open Settings and Users → SSO Settings and copy the Logout URL;
  5. Paste it into Trusted URL: https://passwork.example.com/api/v1/sso/sls
  6. Apply the changes and close Properties.

Configuring claim rules in the IdP (AD FS) for requests from the SP (Passwork)

Depending on the user login format you want in Passwork, the claim rules are configured differently. Select the desired login format and configure the rules accordingly.

In Relying Party Trusts, select the created trust (passwork-sp) and open Edit Claim Issuance Policy.



Configuring rules for processing additional attributes to be transferred to SP

Edit the created rule named AttributeStatement so that it passes two LDAP attributes to the SP (Passwork):

  1. Display-Name:
    1. LDAP Attribute — Display-Name;
    2. Outgoing Claim Type — type displayName.
  2. E-Mail-Addresses:
    1. LDAP Attribute — E-Mail-Addresses;
    2. Outgoing Claim Type — type emailAddress.
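
The same trust, endpoints and AttributeStatement rule can be created from PowerShell on the AD FS server. The script below is an added example, not part of the Passwork documentation or the AD FS wizard output; it assumes the AD FS PowerShell module is installed, that the server names from this page (passwork-sp, passwork.example.com) are used, and that the wizard's default access control policy "Permit everyone" (available in AD FS on Windows Server 2016 and later) is acceptable for a first test. The LDAP attribute names displayName and mail are what the wizard labels Display-Name and E-Mail-Addresses.

```powershell
# Added example: PowerShell equivalent of the AD FS wizard steps on this page.
# Not from the Passwork docs. Assumes the ADFS module, an elevated session on the
# AD FS server, and the host names used in this article.
Import-Module ADFS

$spHost = "passwork.example.com"   # replace with your Passwork domain (must equal APP_URL)

# SAML endpoints: the ACS (Passwork "Reply URL") and the SLS (Passwork "Logout URL").
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
          -Uri "https://$spHost/api/v1/sso/acs" -Index 0 -IsDefault $true
$sls = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout `
          -Uri "https://$spHost/api/v1/sso/sls"

# Claim rule "AttributeStatement": send Display-Name and E-Mail-Addresses as
# claims of type displayName and emailAddress, the names Passwork is mapped to below.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AttributeStatement"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("displayName", "emailAddress"), query = ";displayName,mail;{0}", param = c.Value);
'@

# Relying Party Trust; the Entity ID from Passwork is the trust identifier.
# "Permit everyone" is the wizard default (assumption); replace it with a group-based
# policy once the login works so that not every AD account can reach Passwork.
Add-AdfsRelyingPartyTrust -Name "passwork-sp" `
    -Identifier "https://$spHost/api/v1/sso/metadata" `
    -SamlEndpoint @($acs, $sls) `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName "Permit everyone"

# Verify what was registered: identifier, both endpoints and the claim rule text.
$trust = Get-AdfsRelyingPartyTrust -Name "passwork-sp"
$trust.Identifier
$trust.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" }
$trust.IssuanceTransformRules
```

Run the verification part again after finishing the GUI steps if you used the wizard instead: the Identifier must equal the Entity ID shown in Passwork's SSO Settings, and exactly one SAMLAssertionConsumer (POST) and one SAMLLogout (Redirect) endpoint should be listed.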


Configuring and completing Single Sign-On (SSO) settings in Passwork

Filling in values "User attributes"

Log in to the Passwork web interface, go to Settings and Users → SSO Settings and fill in the mapping attributes with the outgoing claim types configured in AD FS:

  • Attribute for email — emailAddress;
  • Attribute for full name — displayName.

Filling in values "Identity Provider → Passwork"

Open AD FS Management, select the AD FS node and choose Edit Federation Service Properties.



Copy the Federation Service identifier: http://ad-fs.passwork.local/adfs/services/trust



In Passwork, open Settings and Users → SSO Settings and fill in the values:

  • Identifier (Entity ID) — http://ad-fs.passwork.local/adfs/services/trust
  • Reply URL — https://ad-fs.passwork.local/adfs/ls
  • Logout URL — https://ad-fs.passwork.local/adfs/ls/?wa=wsignout1.0

Filling in value "Certificate"

Open AD FS Management → Service → Certificates → Token-signing and export the token-signing certificate in Base-64 encoded X.509 (.CER) format. This is the certificate AD FS uses to sign SAML responses, not the HTTPS (SSL) certificate of the server.



Open the exported certificate in Notepad, copy its contents (including the BEGIN CERTIFICATE and END CERTIFICATE lines) and paste them into the Certificate field in Settings and Users → SSO Settings.
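
The three "Identity Provider → Passwork" values and the token-signing certificate can also be read straight from the AD FS server instead of being copied from dialogs. This is an added example, not part of the Passwork documentation; it assumes the AD FS PowerShell module and that the output file path is acceptable. The Reply URL and Logout URL paths (/adfs/ls and /adfs/ls/?wa=wsignout1.0) are the ones given on this page.

```powershell
# Added example (not from the Passwork docs): collect the IdP values Passwork needs
# and export the primary token-signing certificate as Base-64 (PEM) text.
Import-Module ADFS

$props  = Get-AdfsProperties
$fsHost = $props.HostName            # e.g. ad-fs.passwork.local

# Values for Passwork -> Settings and Users -> SSO Settings
"Identifier (Entity ID): $($props.Identifier)"             # http://<host>/adfs/services/trust
"Reply URL:              https://$fsHost/adfs/ls"
"Logout URL:             https://$fsHost/adfs/ls/?wa=wsignout1.0"

# The primary token-signing certificate signs SAML responses; this is what Passwork
# must trust. It is not the SSL certificate bound to the AD FS web site.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = @"
-----BEGIN CERTIFICATE-----
$([Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks))
-----END CERTIFICATE-----
"@
$out = Join-Path $env:USERPROFILE "adfs-token-signing.cer"   # output path is an assumption
Set-Content -Path $out -Value $pem -Encoding ascii
"Wrote $out"

# Rollover check: if AD FS manages its own token-signing certificate, the pasted
# certificate in Passwork stops validating as soon as AD FS promotes a new one.
"Thumbprint: $($signing.Certificate.Thumbprint) (valid until $($signing.Certificate.NotAfter))"
"AutoCertificateRollover: $($props.AutoCertificateRollover)"
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, @{n='Thumbprint';e={$_.Certificate.Thumbprint}}, @{n='NotAfter';e={$_.Certificate.NotAfter}}
```

If AutoCertificateRollover is True, AD FS generates a new token-signing certificate ahead of the current one's expiry and lists it as a secondary certificate before promoting it; logins to Passwork will fail with a signature error at that moment unless the new certificate has been pasted into the Certificate field first. Either schedule that update, or disable rollover and manage the certificate deliberately. The same identifier and certificate are also published at https://ad-fs.passwork.local/FederationMetadata/2007-06/FederationMetadata.xml, which is a convenient way to cross-check what Passwork has been given.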

Filling in value "Advanced settings"

Put the following content in JSON format:

json


Replace the passwork.example.com domain in the URLs with the domain of your Passwork server.

Open the login page of the Passwork web interface and log in via SSO to verify that the configuration is correct.
