Configuring SSO with Active Directory Federation Service (AD FS)
Tendo Marketplace supports SAML single sign-on for customers using a variety of identity providers. This guide gives specific instructions for Active Directory Federation Services (AD FS). See SAML 2 SSO Integration for the settings common to all identity providers.
If you’re interested in enabling single sign-on for your organization, contact your Tendo Marketplace account manager.
Prerequisites
Tendo Marketplace works with any version of AD FS that supports SAML 2.0 single sign-on (AD FS 2.0 and later; AD FS 1.x is WS-Federation only). Before starting, be sure you meet the following requirements:
- An Active Directory where all users have an email address. This address will be used as their Tendo Marketplace login.
- A server running Windows Server 2008 or 2012. The console paths in this guide follow the AD FS management console on Windows Server 2012 R2; earlier versions differ slightly.
- A TLS (SSL) certificate for the AD FS service, so that the AD FS login page is served over HTTPS. This is the service communications certificate; it is separate from the token-signing certificate whose thumbprint you will later give to Tendo.
Install AD FS
If you do not already have Active Directory Federation Services configured for your organization, you’ll need to do so before proceeding. You can use this Microsoft KB article to get started if needed.
When you install AD FS, note the following:
- The thumbprint of the token-signing certificate. By default AD FS generates its own self-signed token-signing certificate; this is not the SSL certificate used for HTTPS, so do not report that one.
- The “SAML 2.0/WS-Federation” URL from the Endpoints section of the AD FS service configuration. The default value for this URL is “/adfs/ls”.
Create a new Relying Party Trust
Adding a relying party trust configures AD FS to provide information about authenticated users to Tendo Marketplace in order to log them into their accounts. Complete the following steps to create a Relying Party Trust:
- From Server Manager, select Tools > AD FS Management.
- In the AD FS manager, expand AD FS and Trust Relationships in the Console Tree and then select Relying Party Trusts.
- Select Add Relying Party Trust… in the Action Pane.
- In the wizard that follows, select Enter data about the relying party manually.
- Enter Tendo Marketplace as the display name.
- Select AD FS Profile as the configuration profile.
- Click Next on the configure certificate step without choosing a certificate. This optional certificate is only used to encrypt the SAML assertion; Tendo Marketplace does not require encrypted assertions, and the response is still protected by TLS in transit.
- Check Enable support for the SAML 2.0 WebSSO protocol and enter “https://www.mdsave.com/saml/callback” as the relying party SAML 2.0 SSO service URL (the Assertion Consumer Service URL that AD FS will POST the signed response to).
- Enter “https://www.mdsave.com/sp” as the Relying Party Trust Identifier. This is the SAML entity ID that Tendo Marketplace uses as the Issuer of its requests and expects as the Audience of your assertions, so enter it exactly as shown.
- Skip enabling multi-factor authentication. (You may use multi-factor authentication, but configuration support is not provided.)
- Select Permit all users to access the relying party. (You may use more fine-grained permissions if desired, but configuration support is not provided.)
- Review the configuration on the final screen of the wizard, and check the Open the Edit Claims Rules dialog… box before proceeding.
Configure AD FS to use email addresses as usernames
Tendo Marketplace uses email addresses as the primary username. You must configure AD FS to populate the SAML NameID with the user’s email address from Active Directory; an assertion without an email-format NameID will not map to a Tendo Marketplace account.
- In the Issuance Transform Rules tab of the Claim Rules dialog, select Add Rule…
- Select the Send LDAP Attributes as Claims option.
- Enter LDAP Email as the rule name, Active Directory as the attribute store, E-Mail-Addresses as the LDAP attribute, and E-Mail Address as the corresponding outgoing claim type. Select OK.
- Select Add Rule… again and select the Transform an Incoming Claim option.
- Enter Email Transform as the rule name, E-Mail Address as the incoming claim type, Name ID as the outgoing claim type, and Email as the outgoing name ID format. Leave Pass through all claim values selected and click Finish.
Configure Single Sign Out (In Development)
Note that Tendo Marketplace does not yet support single sign out, and these settings are in development. Adding them now means single sign out will work for you as soon as it is released, with no further AD FS changes.
If you would like users to be logged out of Tendo Marketplace when they log out of AD FS, complete the following:
- Select Tendo Marketplace within Trust Relationships > Relying Party Trusts.
- Select Properties from the Action Pane or by right-clicking.
- Select the Endpoints tab.
- Select Add SAML.
- Select SAML Logout as the endpoint type.
- Select Redirect for the binding type.
- Enter your service URL with the parameter “wa=wsignout1.0”, e.g., https://<your server url>/adfs/ls?wa=wsignout1.0.
- Enter https://www.mdsave.com/user/logout for the Response URL.
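The three sections above (relying party trust, claim rules, and the single sign-out endpoint) can also be applied from PowerShell on the AD FS server. The script below is an added example, not code from the Tendo Marketplace page; it reproduces the wizard settings with the AD FS module on Windows Server 2012 R2. The federation service name sts.example.com is an assumption you must replace; the mdsave.com identifier and URLs are the ones the guide specifies.

```powershell
# Added example (not from the Tendo Marketplace guide): creates the "Tendo Marketplace"
# relying party trust, its two claim rules and the SAML logout endpoint from PowerShell.
# Assumes AD FS on Windows Server 2012 R2 (module name "ADFS").
Import-Module ADFS

$AdfsFqdn   = "sts.example.com"                           # ASSUMPTION: your federation service name
$RpName     = "Tendo Marketplace"
$RpId       = "https://www.mdsave.com/sp"                 # Relying Party Trust Identifier (SAML entity ID)
$AcsUrl     = "https://www.mdsave.com/saml/callback"      # SAML 2.0 WebSSO service URL (Assertion Consumer Service)
$LogoutUrl  = "https://$AdfsFqdn/adfs/ls?wa=wsignout1.0"  # SAML Logout endpoint URL, as the guide specifies
$LogoutResp = "https://www.mdsave.com/user/logout"        # Response URL for the logout endpoint

# Issuance transform rules equivalent to the wizard rules "LDAP Email" and "Email Transform":
# read the mail attribute from AD, then re-issue it as a NameID in e-mail format.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access the relying party". Replace this with a group-based
# rule if you want to restrict who can reach Tendo Marketplace.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Endpoints: the assertion consumer (HTTP-POST, default) and the SAML Logout
# endpoint with the Redirect binding from the "Configure Single Sign Out" section.
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $LogoutUrl -ResponseUri $LogoutResp
)

if (Get-AdfsRelyingPartyTrust -Name $RpName) {
    throw "A relying party trust named '$RpName' already exists; change it with Set-AdfsRelyingPartyTrust instead."
}

Add-AdfsRelyingPartyTrust -Name $RpName `
    -Identifier $RpId `
    -ProtocolProfile SAML `
    -SamlEndpoint $Endpoints `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -Notes "Created $(Get-Date -Format s) per the Tendo Marketplace SSO guide"

# Read back what AD FS stored so it can be compared with the wizard's summary screen.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, ProtocolProfile, EncryptClaims, SamlResponseSignature,
        @{ n = "Endpoints"; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } }
```

The claim rule text is the same rule language the wizard writes; you can compare it against View Rule Language in the Edit Claim Rules dialog after running the script. Because the trust is created with the same identifier and endpoints as the wizard steps, the values you later hand to Tendo Marketplace are unchanged.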
Enable Any Desired Authentication Policies
By default AD FS on a domain-joined intranet client uses Windows Integrated Authentication. If you would like users to also be able to log in through a web form with their Active Directory credentials, enable forms authentication. This is necessary if the web browser your employees use to access Tendo Marketplace does not support Windows integrated login, or is not configured for it.
- In the AD FS Manager, select AD FS and then Authentication Policies in the Console Tree.
- Select Edit Global Primary Authentication… in the Action Pane.
- Enable Forms Authentication as desired.
If you are using Windows Authentication, you should also ensure that your users’ browsers are set up to use Windows Integrated Authentication (the default for Internet Explorer; it must be enabled for Chrome and Firefox), that your AD FS server is included in the Intranet zone for Internet Explorer, and that automatic login is enabled for that zone. Browser configuration is beyond the scope of this guide, but you may find this article from Microsoft useful.
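The same policy change, plus a check that the guide’s browser caveat depends on, as an added example rather than text from the Tendo Marketplace page. It assumes AD FS on Windows Server 2012 R2, where the global authentication policy and the user-agent list are exposed through the ADFS module; the decision to add "Mozilla/5.0" to that list is an illustrative choice, not a Tendo requirement.

```powershell
# Added example (not from the Tendo Marketplace guide): enable forms authentication
# alongside Windows Integrated Authentication (WIA) and inspect the user-agent list that
# decides whether AD FS offers WIA to a browser at all. Assumes AD FS on Windows Server 2012 R2.
Import-Module ADFS

$before = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers before: $($before.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet providers before: $($before.PrimaryExtranetAuthenticationProvider -join ', ')"

# Offer both WIA and the web form to intranet clients. Extranet clients (reached through
# the Web Application Proxy) get the form only, which is also the AD FS default there.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @("WindowsAuthentication", "FormsAuthentication") `
    -PrimaryExtranetAuthenticationProvider @("FormsAuthentication")

# AD FS 2012 R2 only attempts WIA for user agents that match this list. Browsers outside it
# (Chrome and Firefox with the default list) are sent to the form even when they support
# Negotiate, which is the other half of "needs to be enabled for Chrome and Firefox".
$props = Get-AdfsProperties
"WIA user agents: $($props.WIASupportedUserAgents -join ', ')"

# ILLUSTRATIVE: add "Mozilla/5.0" so Chrome and Firefox are offered WIA. The prefix is broad
# (it also matches non-Windows clients that cannot do Kerberos/NTLM and will then see an
# authentication prompt instead of the form), so scope it more tightly if that matters to you.
$wia = @($props.WIASupportedUserAgents)
if ($wia -notcontains "Mozilla/5.0") {
    Set-AdfsProperties -WIASupportedUserAgents ($wia + "Mozilla/5.0")
    # The federation service reads the user-agent list at start-up.
    Restart-Service adfssrv
}

Get-AdfsGlobalAuthenticationPolicy | Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
```

Run it from an elevated PowerShell session on the AD FS server; the final line shows the providers now in effect, which should list both WindowsAuthentication and FormsAuthentication for the intranet.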
Provide Configuration Settings to Tendo Marketplace
At this point, Tendo Marketplace will enter your configuration settings to complete the SSO configuration. Provide the following to your Tendo Marketplace account rep.
- The fingerprint (thumbprint) of the AD FS token-signing certificate. You can get this by running Get-AdfsCertificate in Windows PowerShell on the Windows Server instance and reading the Thumbprint of the primary Token-Signing certificate. Do not send the SSL (service communications) certificate. If AutoCertificateRollover is enabled (the default), AD FS will generate and promote a new token-signing certificate before the current one expires, and logins will fail until Tendo Marketplace has the new thumbprint, so plan to send the replacement value ahead of the rollover date.
- The SSO URL for your AD FS server. This will be something like https://<your server url>/adfs/ls.
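The following script gathers both values and performs the checks a practitioner would want before sending them: that the thumbprint reported is the token-signing certificate rather than the SSL certificate, and when automatic certificate rollover will replace it. It is an added example, not code from the Tendo Marketplace page, and assumes AD FS on Windows Server 2012 R2. The colon-separated fingerprint format and the metadata URL line are conveniences for whoever receives the values, not something the guide requires.

```powershell
# Added example (not from the Tendo Marketplace guide): collect the token-signing thumbprint
# and SSO URL to send to Tendo, confirm the right certificate is being reported, and warn
# about automatic certificate rollover. Assumes AD FS on Windows Server 2012 R2.
Import-Module ADFS

# Tendo needs the PRIMARY token-signing certificate, not the service-communications (SSL) one.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$ssl     = Get-AdfsCertificate -CertificateType Service-Communications

if ($signing.Thumbprint -eq $ssl.Thumbprint) {
    Write-Warning "Token-signing and SSL certificates are the same certificate; confirm this is intentional."
}

# The thumbprint is the SHA-1 hash of the DER-encoded certificate. Many SAML service providers
# ask for it as colon-separated hex, so produce both forms.
$hex         = $signing.Thumbprint.ToUpper()
$fingerprint = $hex -replace '(..)(?!$)', '$1:'

# SSO URL: the enabled "SAML 2.0/WS-Federation" endpoint, /adfs/ls by default.
$sso = Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq "SAML 2.0/WS-Federation" -and $_.Enabled } |
    Select-Object -First 1

$props = Get-AdfsProperties
if ($props.AutoCertificateRollover) {
    $expires    = $signing.Certificate.NotAfter
    $generated  = $expires.AddDays(-$props.CertificateGenerationThreshold)
    $promoted   = $expires.AddDays(-$props.CertificatePromotionThreshold)
    Write-Warning ("AutoCertificateRollover is ON: a new token-signing certificate will be generated " +
        "around {0:d} and become primary around {1:d}. Send Tendo the new thumbprint before {1:d}, " +
        "or SAML responses will fail signature validation." -f $generated, $promoted)
}

# Values to hand to your Tendo Marketplace account rep.
[pscustomobject]@{
    TokenSigningThumbprint = $hex
    TokenSigningFingerprint = $fingerprint
    TokenSigningExpires    = $signing.Certificate.NotAfter
    SsoUrl                 = $sso.FullUrl
    FederationMetadataUrl  = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
}
```

The metadata URL is the standard AD FS location that publishes the same token-signing certificate in full; sharing it alongside the thumbprint lets the receiving side verify that the fingerprint matches the certificate AD FS actually signs with.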
Conduct Acceptance Testing
Once Tendo Marketplace has applied your configuration, your account rep will reach out to schedule an acceptance testing session. At the conclusion of this session, you’ll be provided with a URL you can use to initiate login to mdsave.com using your custom SSO endpoint.