Enable Single SignOn from Active Directory Federation Services to your Canary Console with these steps.
Step 1: Create a support request to enable SAML
Drop us a note at firstname.lastname@example.org to enable SAML and we’ll get your Console ready.
We'll enable SAML support on your Console which will generate the parameters you need.
Step 2: Log in to your Canary Console and copy the SAML parameters
Login to your Console, click "Setup" on the top navbar, then "SAML" on the left menu:
Step 3: Configure ADFS relying party trust
In AD FS Management right click on "Relying Party Trusts" then "Add Relying Part Trust":
When the wizard starts select the "Claims aware" radio button:
Select the "Enter data about the relying party manually" radio button:
Specify a "Display name" you would want to appear on the ADFS login page:
Click "Browse" if you require token encryption using a certificate other than the default specified in ADFS:
Select the "Enable support for the SAML 2.0 WebSSO protocol" check box then enter the ACS (Login URL) from the SAML parameters in Step 2:
Enter the SP Entity ID from the SAML parameters in Step 2 in the "Relying part trust identifier" text box:
Select an applicable "Access Control Policy":
Verify the configuration on the "Ready to Add Trust" Window:
Select the "Configure claims issuance policy for this application" checkbox:
Configure a SAML logout URL by adding an endpoint to the newly created "Relying Party Trust". Open the properties of "Canary Console" and click "Add SAML" under the "Endpoints" tab.
Select "SAML Logout" under the "Endpoint type" and set the URL to https://%yourADFSserver%/adfs/ls/?wa=wsignout1.0 and hit "OK".
Step 4: Configure ADFS claims issuance policy
After the wizard in Step 3 completes, the "Edit Claim Issuance Policy for Canary Console" opens. Click "Add Rule":
Another "Add Transform Claim Rule Wizard Opens. Select "Send LDAP Attributes as Claims" as the "Claim rule template":
Enter "Attributes" into the "Claim rule name" text box then select "Active Directory" from the "Attribute Store" drop down. Select "E-Mail-Addresses" for the LDAP Attribute and "Name ID" for the "Outgoing Claim Type" within the "Mapping of LDAP Attributes to going claim types" table:
Step 5: Modify the Active Directory LDAP Attribute
Step 6: Download the SAML Metadata
Download your "FederationMetadata.xml" from https://%yourADFSserver%/FederationMetadata/2007-06/FederationMetadata.xml:
Step 7: Send us the SAML Metadata
Send the SAML metadata file from Step 6 to us in your support ticket. We will configure your Console with the IdP metadata and confirm when SAML support is fully set up.
Step 8: Test login from both the Console and ADFS
Navigate to https://%yourADFSserver%/adfs/ls/idpinitiatedsignon. Select Canary Console:
Authenticate with your Active Directory credentials:
After successful authentication you will be redirected to your console:
From the Console you'll know it's working when you see your Console Login page show a "Login with SSO" button:
Click the button to initiate the SSO login.
We default to the initial login being IdP-initiated, and after that, the same browser can happily use SP-initiated auth. This is to hide the fact that the console belongs to your org.