Configuring SSO with AD FS
Before configuring SSO, make sure that the APP_URL parameter in config.env matches the current Passwork domain, for example APP_URL=https://passwork.example.com
The following server names are used for the example:
- Provider (IDP) — ad-fs.passwork.local
- Passwork Server (SP) — passwork.example.com
Open — Server Manager → Tools → AD FS Management → Relying Party Trusts → Actions:

Perform the steps in — Welcome to the Add Relying Party Trust Wizard:
- Claims aware;
- Enter data about the relying party manually;
- Fill in the Display name (example: passwork-sp);
- Skip the step — Configure Certificate, click Next;
- In the Configure URL step:
  - Enable support for the SAML 2.0 WebSSO protocol;
  - Copy the value from Passwork — Settings and Users → SSO Settings → Reply URL;
  - Put it in Relying party SAML 2.0 SSO service URL — https://passwork.example.com/api/v1/sso/acs
- In the Configure Identifiers step:
  - Copy the value from Passwork — Settings and Users → SSO Settings → Identifier (Entity ID);
  - Put it in Relying party trust identifier — https://passwork.example.com/api/v1/sso/metadata
- Skip the step — Choose Access Control Policy, click Next;
- Skip the step — Ready to Add Trust, click Next;
Open the Properties of the created Relying Party Trust:

In Properties, go to Endpoints and perform the following actions:
- Add SAML;
  - Endpoint type — SAML Logout;
  - Binding — Redirect;
  - Copy the value from Passwork — Settings and Users → SSO Settings → Logout URL;
  - Put it in Trusted URL — https://passwork.example.com/api/v1/sso/sls
- Apply the changes and close Properties.
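The wizard and Properties steps above can also be scripted with the AD FS PowerShell module. The following is an added example and not part of the Passwork documentation or the Passwork project; it assumes the ADFS module is present on the federation server, uses the page's example names (passwork.example.com, passwork-sp), and assumes that the skipped "Choose Access Control Policy" step leaves the AD FS default policy "Permit everyone" in place.

```powershell
# Added example (not from the Passwork documentation): creates the relying party
# trust the wizard steps above produce, plus the SAML Logout endpoint added in
# Properties -> Endpoints. Assumes the ADFS PowerShell module is available.
Import-Module ADFS

$spHost    = "passwork.example.com"   # replace with your Passwork domain (must match APP_URL)
$trustName = "passwork-sp"

# Configure Identifiers step: relying party trust identifier (Entity ID)
$entityId = "https://$spHost/api/v1/sso/metadata"

# Configure URL step: SAML 2.0 WebSSO assertion consumer endpoint (Reply URL).
# The wizard creates this endpoint with the POST binding.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri "https://$spHost/api/v1/sso/acs" -Index 0 -IsDefault $true

# Properties -> Endpoints step: SAML Logout endpoint, Redirect binding, Trusted URL
$sls = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout `
    -Uri "https://$spHost/api/v1/sso/sls"

# "Configure Certificate" was skipped in the wizard, so no request-signing
# certificate is attached. "Permit everyone" is assumed to be the default
# access control policy selected by the skipped wizard step.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $entityId `
    -SamlEndpoint @($acs, $sls) `
    -AccessControlPolicyName "Permit everyone"

# Verify: the trust should carry exactly the identifier and the two endpoints above.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } }
```

The final Get-AdfsRelyingPartyTrust call is the check worth keeping after a manual wizard run as well: the identifier and both endpoint URLs must point at the Passwork host and nothing else, since AD FS will post signed assertions to whatever assertion consumer URL is registered here.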
Depending on the kind of user login you want in Passwork, you can customize the claim rules so that the login has one of the following formats:
- username
Select the desired user login format in Passwork and customize the rules accordingly.
In Relying Party Trusts, select the created trust (passwork-sp) and open — Edit Claim Issuance Policy:

Edit the created rule named AttributeStatement:
- Pass the Display-Name attribute to the SP (Passwork):
  - LDAP Attribute — Display-Name;
  - Outgoing Claim Type — write displayName.
- Pass the E-Mail-Addresses attribute to the SP (Passwork):
  - LDAP Attribute — E-Mail-Addresses;
  - Outgoing Claim Type — write emailAddress.
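The same claim issuance policy written in the AD FS claim rule language, as an added example that is not part of the Passwork documentation. It assumes the trust was created under the display name passwork-sp, that the ADFS PowerShell module is available, and that the AD attributes behind the UI names Display-Name and E-Mail-Addresses are displayName and mail (their standard Active Directory LDAP names).

```powershell
# Added example (not from the Passwork documentation): sets the claim issuance
# policy for the passwork-sp trust. The rule below is the "Send LDAP Attributes
# as Claims" rule for the two mappings in the steps above.
Import-Module ADFS

$trustName = "passwork-sp"

# Input: the Windows account name of the user AD FS just authenticated.
# Output: two claims read from Active Directory for that account,
#   displayName  (UI name Display-Name)      -> outgoing claim type displayName
#   mail         (UI name E-Mail-Addresses)  -> outgoing claim type emailAddress
# Claim values come from the directory, not from the user, so the SP receives
# the directory's view of the account's name and e-mail address.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AttributeStatement"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("displayName", "emailAddress"), query = ";displayName,mail;{0}", param = c.Value);
"@

# Note: -IssuanceTransformRules replaces the whole rule set of the trust.
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules

# Verify: read the rule set back from AD FS.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Because Passwork matches users on the emailAddress claim (see the attribute mapping below), the mail attribute of every account that should be able to log in needs to be populated and unique in the directory; an account with an empty mail attribute will be issued no emailAddress claim.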

Authenticate in the Passwork web interface, go to — Settings and Users → SSO Settings and fill in the mapping attributes:
- Attribute for email — emailAddress;
- Attribute for full name — displayName;
Open AD FS Management, select the AD FS node and open — Edit Federation Service Properties:

Copy the address from Federation Service identifier — http://ad-fs.passwork.local/adfs/services/trust:

Open — Settings and Users → SSO Settings and fill in the values:
- Identifier (Entity ID) — http://ad-fs.passwork.local/adfs/services/trust
- Reply URL — https://ad-fs.passwork.local/adfs/ls
- Logout URL — https://ad-fs.passwork.local/adfs/ls/?wa=wsignout1.0
Open and export the generated token-signing certificate in base64 format — AD FS Management → Service → Certificates → Token-signing:

Open the exported certificate in Notepad, copy its contents and paste them into the corresponding field — Settings and Users → SSO Settings.
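The values asked for in the two steps above (Identifier, Reply URL, Logout URL and the base64 token-signing certificate) can be read directly from AD FS instead of copied from the console. This is an added example, not part of the Passwork documentation; it assumes the ADFS PowerShell module is available on the federation server and uses an example output path under the user's profile.

```powershell
# Added example (not from the Passwork documentation): prints the IdP-side values
# for Passwork's SSO Settings and exports the primary token-signing certificate
# as base64 (PEM) so it can be pasted into the certificate field.
Import-Module ADFS

$props = Get-AdfsProperties

# Identifier (Entity ID), e.g. http://ad-fs.passwork.local/adfs/services/trust
"Identifier (Entity ID): $($props.Identifier)"
# Reply URL and Logout URL are built from the federation service host name
"Reply URL:  https://$($props.HostName)/adfs/ls"
"Logout URL: https://$($props.HostName)/adfs/ls/?wa=wsignout1.0"

# Only the *primary* token-signing certificate signs assertions right now;
# a secondary one may already exist if rollover is in progress.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

# DER-encode the public certificate and wrap it as base64 PEM
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"

$outFile = Join-Path $env:USERPROFILE "adfs-token-signing.cer"   # example path
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Record what was exported so the copy in Passwork can be checked later
"Exported to: $outFile"
"Thumbprint: $($signing.Thumbprint)  NotAfter: $($signing.Certificate.NotAfter)"
"AutoCertificateRollover: $($props.AutoCertificateRollover)"
```

Keep the printed thumbprint and expiry next to the Passwork configuration. If AutoCertificateRollover is enabled, AD FS will generate and promote a new token-signing certificate before the current one expires, and the copy pasted into Passwork will then stop validating assertion signatures until it is re-exported.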
Put the following content in JSON format:
Replace the passwork.example.com domain in the URLs with the domain of your Passwork server.
Open the authentication window in the Passwork web interface and log in via SSO to verify the correct configuration:
