Introduction
Enable Single Sign-On from Active Directory Federation Services (AD FS) to your Canary Console with these steps.
Step 1: Log in to your Canary Console and copy the SAML parameters
Log in to your Console, click "Setup" on the top navbar, then "SAML" on the left menu. Copy the ACS (Login URL) and SP Entity ID shown there; they are needed in Step 2:
Step 2: Configure ADFS relying party trust
In AD FS Management, right-click "Relying Party Trusts" then "Add Relying Party Trust":
When the wizard starts, select the "Claims aware" radio button:
Select the "Enter data about the relying party manually" radio button:
Specify the "Display name" you want to appear on the ADFS login page:
Click "Browse" only if you require token encryption using a certificate other than the default specified in ADFS; otherwise leave this page as is:
Select the "Enable support for the SAML 2.0 WebSSO protocol" check box, then enter the ACS (Login URL) from the SAML parameters copied in Step 1:
Enter the SP Entity ID from the SAML parameters copied in Step 1 in the "Relying party trust identifier" text box:
Select an applicable "Access Control Policy":
Verify the configuration on the "Ready to Add Trust" window:
Select the "Configure claims issuance policy for this application" checkbox:
Configure a SAML logout URL by adding an endpoint to the newly created Relying Party Trust. Open the properties of "Canary Console" (the display name chosen above) and click "Add SAML" under the "Endpoints" tab.
Select "SAML Logout" as the "Endpoint type", set the URL to https://%yourADFSserver%/adfs/ls/?wa=wsignout1.0 (substituting your ADFS server's hostname) and click "OK".
Step 3: Configure ADFS claims issuance policy
After the wizard in Step 2 completes, the "Edit Claim Issuance Policy for Canary Console" window opens. Click "Add Rule":
The "Add Transform Claim Rule Wizard" opens. Select "Send LDAP Attributes as Claims" as the "Claim rule template":
Enter "Attributes" into the "Claim rule name" text box, then select "Active Directory" from the "Attribute store" drop-down. In the "Mapping of LDAP attributes to outgoing claim types" table, select "E-Mail-Addresses" as the LDAP Attribute and "Name ID" as the "Outgoing Claim Type". The Console identifies each user by this Name ID, so every user who should be able to log in needs a populated e-mail address in Active Directory:
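The same relying party trust, endpoints and claim rule from Steps 2 and 3 can be created from the ADFS PowerShell module. This is an added example, not part of the original article or Thinkst's own tooling; it assumes ADFS 2016 or later (for -AccessControlPolicyName), and the angle-bracket values are placeholders for the parameters copied in Step 1 and your ADFS hostname.

```powershell
# Added example: scripted equivalent of the Step 2 / Step 3 wizard pages.
Import-Module ADFS

$AcsUrl     = '<ACS (Login URL) from Step 1>'   # placeholder: copy from Setup > SAML
$SpEntityId = '<SP Entity ID from Step 1>'      # placeholder: copy from Setup > SAML
$AdfsHost   = '<yourADFSserver>'                # placeholder: your ADFS hostname

# Step 2 endpoints: the Console's assertion consumer (HTTP-POST) and the
# ADFS logout URL added under the "Endpoints" tab.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri $AcsUrl -Index 0 -IsDefault $true
$slo = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout `
           -Uri "https://$AdfsHost/adfs/ls/?wa=wsignout1.0"

# Step 3 rule in claim-rule language: "Send LDAP Attributes as Claims",
# mapping E-Mail-Addresses (LDAP attribute 'mail') to the outgoing Name ID.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# 'Permit everyone' is the built-in policy; pick the one your Step 2 choice used.
Add-AdfsRelyingPartyTrust -Name 'Canary Console' `
    -Identifier $SpEntityId `
    -SamlEndpoint @($acs, $slo) `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules

# Sanity check before sending the metadata in Step 6: the identifier, both
# endpoints and the Name ID rule must all be present on the trust.
$rp = Get-AdfsRelyingPartyTrust -Name 'Canary Console'
$rp.Identifier
$rp.SamlEndpoints | Format-Table Protocol, Binding, Location
if ($rp.IssuanceTransformRules -notmatch 'nameidentifier') {
    Write-Warning 'No Name ID rule on the trust; Console logins will be rejected'
}
```

Run it in an elevated PowerShell session on the ADFS server; if a trust named "Canary Console" already exists from the wizard, inspect it with Get-AdfsRelyingPartyTrust instead of adding a second one.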
Step 4: Modify the Active Directory LDAP Attribute
Step 5: Download the SAML Metadata
Download your "FederationMetadata.xml" from https://%yourADFSserver%/FederationMetadata/2007-06/FederationMetadata.xml (substituting your ADFS server's hostname):
Step 6: Send us the SAML Metadata
Send the SAML metadata file from Step 5 to us in a support ticket at support@canary.tools. We will configure your Console with the IdP metadata and confirm when SAML support is fully set up.
Step 7: Test login from both the Console and ADFS
Navigate to https://%yourADFSserver%/adfs/ls/idpinitiatedsignon and select "Canary Console":
Authenticate with your Active Directory credentials:
After successful authentication you will be redirected to your Console:
From the Console side, you'll know it's working when your Console login page shows a "Login with SSO" button:
Click the button to initiate the SSO login.
By default, the first login must be IdP-initiated (from the ADFS sign-on page); after that, the same browser can use SP-initiated authentication from the Console login page. This is deliberate: the Console login page does not reveal which organisation it belongs to until a browser has already signed in through your IdP.