Configuring SSO with AD FS
The following values are used as examples in this guide:
- ssotest.passwork.org — server name for AD FS
- passwork.passwork.org — server name for Passwork
Open the AD FS Management console and check the settings by clicking Edit Federation Service Properties.
Make sure that the fields on the General tab match the names in the DNS record and the name in the certificate. The address in the Federation Service identifier field will also be used when configuring SSO SAML 2.0 on the Passwork side.
In the AD FS Management console, open Service → Certificates, select the Token-signing certificate, and export it in Base-64 encoded X.509 format. The contents of this certificate will need to be pasted into the SSO settings on the Passwork side.
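Both values that the Passwork side needs (the Federation Service identifier and the Base-64 token-signing certificate) can also be read straight from the AD FS server. The script below is an added example and not part of the Passwork guide; it assumes the AD FS PowerShell module on the AD FS host, an elevated session, and an output path of your choosing (the path used here is an assumption).

```powershell
# Added example (not from the Passwork guide): collect the two values the Passwork
# SSO settings need directly from AD FS instead of copying them out of the MMC.
Import-Module ADFS

# Federation Service identifier and name, as shown under Edit Federation Service Properties
$props = Get-AdfsProperties
"Federation Service identifier : $($props.Identifier)"
"Federation Service name       : $($props.HostName)"
"Auto certificate rollover     : $($props.AutoCertificateRollover)"

# The primary token-signing certificate is the one AD FS currently signs assertions with;
# a secondary one may already exist if rollover is enabled.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$cert = $signing.Certificate

"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

# Export as Base-64 encoded X.509 (PEM), the same format the MMC export wizard produces
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"

$out = Join-Path $env:USERPROFILE 'adfs-token-signing.cer'   # assumed output path
Set-Content -Path $out -Value $pem -Encoding Ascii
"Wrote $out"
```

The rollover flag is printed on purpose: when AutoCertificateRollover is enabled, AD FS generates a new token-signing certificate before the current one expires, and the certificate pasted into Passwork stops validating assertions at that point. Either track the NotAfter date and re-export, or point the Passwork side at the AD FS federation metadata if it supports reading the certificate from there.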
In the AD FS Management console, click Relying Party Trusts and select Add Relying Party Trust.
Perform the following steps:
- Select Claims aware and click Start
- Select Enter data about the relying party manually and click Next
- Enter a Display Name and click Next
- Click Next to accept the defaults for the Configure Certificate
- Select Enable support for the SAML 2.0 WebSSO Protocol, enter the Relying party SAML 2.0 SSO service URL — https://passwork.passwork.org/sso/acs, click Next
- In the Relying party trust identifier field, enter https://passwork.passwork.org/sso/metadata, click Add, then click Next
- In the Choose Access Control Policy section, click Next
- In the Ready to Add Trust section, click Next
- Click Close
Open the Properties of your relying party trust:
- Select the Endpoints tab and click Add SAML
- Select SAML Logout as the Endpoint type
- Enter https://passwork.passwork.org/sso/sls in the Trusted URL. Click OK, then OK again
In the AD FS Management console, click Relying Party Trusts, select the trust you created, and select Edit Claim Issuance Policy.
Perform the following steps:
- Click Add Rule and select Send LDAP Attributes as Claims in the Claim rule template dropdown menu. Click Next
- Choose the LDAP attribute from the attribute store that contains the User-Principal-Name
- Map it to the UPN outgoing claim type
Create a second rule by choosing Transform an Incoming Claim in the Claim Rule template dropdown menu. Select UPN as the Incoming claim type and Name ID as the Outgoing claim type.
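The relying party trust, its two SAML endpoints and the two claim rules from the wizard steps above can be created in one scripted step, which is easier to review and to re-apply on a second AD FS node. This is an added example and not the Passwork guide's own configuration; the host names are the guide's example values, while the display name and the access control policy name are assumptions.

```powershell
# Added example (not from the Passwork guide): the relying party trust the wizard
# creates, expressed with the AD FS cmdlets. Run on the AD FS host in an elevated session.
Import-Module ADFS

$passwork = 'https://passwork.passwork.org'
$name     = 'Passwork'                       # assumed display name

# Assertion consumer (where AD FS POSTs the SAML response) and the single logout endpoint
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri "$passwork/sso/acs" -Index 0 -IsDefault $true
$sls = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout `
           -Uri "$passwork/sso/sls"

# Claim rules in the AD FS claim rule language.
# Rule 1: look up userPrincipalName in Active Directory and issue it as a UPN claim
#         (the "Send LDAP Attributes as Claims" rule).
# Rule 2: transform the UPN claim into the SAML Name ID
#         (the "Transform an Incoming Claim" rule).
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

Add-AdfsRelyingPartyTrust -Name $name `
    -Identifier "$passwork/sso/metadata" `
    -SamlEndpoint $acs, $sls `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone' `
    -SignedSamlRequestsRequired $false

# Confirm the identifier and endpoints AD FS now holds for the trust
Get-AdfsRelyingPartyTrust -Name $name |
    Select-Object Name, Identifier,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints |
            ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } }
```

"Permit everyone" is the policy the wizard selects by default; on a production deployment replace it with a policy that scopes access to the group of users who should reach Passwork, since the relying party trust otherwise issues a Name ID for any authenticated domain account.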
In the SSO settings on the Passwork side, enter the required information and paste the contents of the certificate file you exported earlier into the certificate field.
Adding the sso.php file changes the SSO behavior to what is required for compatibility with AD FS.
Create a file with the following name: <path-to-passwork>/app/config/sso.php
Place the following content in the created file:
The installation is complete. You may need to restart the server or the AD FS service.
To avoid errors related to certificates, you can use the following PowerShell commands:
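The guide's own commands are not reproduced on this page. As an added example that is not the guide's text, the settings below are the ones that commonly sit behind certificate errors on a relying party trust: AD FS refuses a relying party certificate whose revocation status it cannot check. The trust name is an assumption matching the display name chosen when the trust was created.

```powershell
# Added example (not the Passwork guide's own commands): inspect and relax the
# revocation checks on the relying party trust, then restart the AD FS service.
Import-Module ADFS
$name = 'Passwork'   # assumed display name of the relying party trust

$rp = Get-AdfsRelyingPartyTrust -Name $name
"Signing cert revocation check    : $($rp.SigningCertificateRevocationCheck)"
"Encryption cert revocation check : $($rp.EncryptionCertificateRevocationCheck)"

# AD FS rejects a relying party certificate whose CRL or OCSP endpoint it cannot reach.
# For a self-signed or lab certificate the check can be relaxed as below; on a production
# trust, prefer a certificate whose chain and revocation information AD FS can validate.
Set-AdfsRelyingPartyTrust -TargetName $name `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# Restart the service so the change takes effect, then confirm it is running
Restart-Service adfssrv
Get-Service adfssrv | Select-Object Name, Status
```

Setting the checks to None is a workaround, not a fix: it means AD FS will keep trusting the Passwork certificate even if it is later revoked. Record the change and revisit it once the certificate chain is trusted.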