Configuring SSO with AD FS

The following values are used as examples in this guide:

  ssotest.passwork.org — server name for AD FS
  passwork.passwork.org — server name for Passwork

AD FS configuration

Open the AD FS Management console and check the settings by clicking on Edit Federation Service Properties.

Make sure that the fields on the General tab correspond to the names in the DNS record and the name in the certificate. The address in the Federation Service Identifier field will also be used when configuring SSO SAML 2.0 on the Passwork side.

In the AD FS Management console, open Service, then Certificates, select the Token-signing certificate, and export it in Base64 format. The contents of this certificate will later be pasted into the Passwork SSO settings.

Relying Party Trust settings

In the AD FS Management console, click Relying Party Trust and select Add Relying Party Trust.

Perform the following steps:

  1. Select Claims aware and click Start
  2. Select Enter data about the relying party manually and click Next
  3. Enter a Display Name and click Next
  4. Click Next to accept the defaults on the Configure Certificate step
  5. Select Enable support for the SAML 2.0 WebSSO Protocol, enter https://passwork.passwork.org/sso/acs as the Relying party SAML 2.0 SSO service URL, and click Next
  6. In Relying party trust identifier, enter https://passwork.passwork.org/sso/metadata, click Add, then click Next
  7. In the Choose Access Control Policy section, click Next
  8. In the Ready to Add Trust section, click Next
  9. Click Close

Open the Properties of your relying party trust:

  1. Select the Endpoints tab and click Add SAML
  2. Select SAML Logout as the Endpoint type
  3. Enter https://passwork.passwork.org/sso/sls in the Trusted URL. Click OK, then OK again

In the AD FS Management console, select your relying party trust under Relying Party Trusts and choose Edit Claim Issuance Policy.

Perform the following steps:

  1. Click Add Rule and select Send LDAP Attributes as Claims in the Claim rule template dropdown menu. Click Next
  2. Choose the LDAP attribute from the attribute store that contains the User-Principal-Name
  3. Map it to the UPN outgoing claim type

Create a second rule by choosing Transform an Incoming Claim in the Claim Rule template dropdown menu. Select UPN as the Incoming claim type and Name ID as the Outgoing claim type.
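The relying party trust, its two endpoints and both claim rules can also be created from PowerShell on the AD FS server instead of clicking through the wizard. The script below is an added example, not part of the original guide or of Passwork's own tooling; it uses the guide's example hostname, assumes AD FS 2016 or later (access control policies exist) and that the wizard's default "Permit everyone" policy is acceptable, and finishes by exporting the Token-signing certificate in base64 as described earlier.

```powershell
# Added example: builds the same Relying Party Trust as the console steps above.
# Run in an elevated PowerShell session on the AD FS server. Adjust $passworkHost.
Import-Module ADFS

$passworkHost = "https://passwork.passwork.org"   # example hostname from the guide

# Endpoints: Assertion Consumer Service (wizard step 5) and SAML Logout (Endpoints tab)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "$passworkHost/sso/acs" -Index 0 -IsDefault $true
$sls = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout `
        -Uri "$passworkHost/sso/sls"

# Claim issuance policy: rule 1 = "Send LDAP Attributes as Claims" (userPrincipalName -> UPN),
# rule 2 = "Transform an Incoming Claim" (UPN -> Name ID, GUI default "Unspecified" format).
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Identifier must be exactly the value Passwork is configured with (wizard step 6)
Add-AdfsRelyingPartyTrust -Name "Passwork" `
    -Identifier "$passworkHost/sso/metadata" `
    -SamlEndpoint @($acs, $sls) `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName "Permit everyone"

# Check the result: identifier and both endpoint URLs
Get-AdfsRelyingPartyTrust -Name "Passwork" |
    Select-Object Name, Identifier, @{ n = 'Endpoints'; e = { $_.SamlEndpoints.Location } }

# Export the primary Token-signing certificate in base64 (PEM body) for the
# Passwork SSO certificate field. Note: Get-AdfsCertificate returns the public
# certificate only; the private key never leaves AD FS.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($signing.Certificate.Export('Cert'), 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path ".\adfs-token-signing.cer" -Value $pem
```

If the trust already exists from the wizard, use Set-AdfsRelyingPartyTrust with the same parameters instead of Add-AdfsRelyingPartyTrust.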


Configuring SSO in the Passwork server web interface

Enter the required information and paste the contents of the certificate file you exported earlier into the certificate field.


Adding the sso.php file changes the SSO behavior to what is required for compatibility with AD FS.

Create a file with the following name: <path-to-passwork>/app/config/sso.php

Place the following content in the created file:

PHP


The installation is complete. You may need to restart the server or the AD FS service.

To avoid errors related to certificates, you can use the following PowerShell commands:

PowerShell