Brightflag integrates with several Single Sign-on (SSO) tools. If you are considering setting up SSO for Brightflag with Active Directory Federation Services (ADFS), your company’s dedicated Brightflag Implementation Manager or Customer Success Manager can guide you through this.
Requirements:
- You have fully installed and configured an ADFS instance in which every user who will sign in to Brightflag has an email address attribute (the Active Directory E-Mail-Addresses / mail attribute) populated, and that address is the same one used for the user's Brightflag account. Brightflag matches users by email address, so a mismatch means the user cannot sign in.
- You know your 'SAML 2.0/WS-Federation' endpoint URL (listed under Service > Endpoints in the ADFS Management Console). If your IT team kept the installation defaults, the path is /adfs/ls/, so the full URL is https://<your-adfs-host>/adfs/ls/. This is also known as the Remote Login URL for your SAML server, and sometimes as the SAML Single Sign-On URL.
To add a relying party trust:
- Log in to the ADFS Server.
- Launch the ADFS Management Console.
- In the left-hand tree view, right-click Relying Party Trusts and select Add Relying Party Trust (alternatively, select the Relying Party Trusts folder and click Add Relying Party Trust in the Actions pane on the right).
- On the Select Data Source screen, click Enter data about the relying party manually and click Next.
- Work through the remaining screens of the Add Relying Party Trust wizard as follows.
- On the Specify Display Name screen, enter a Display Name of your choosing and any notes (e.g. Brightflag SSO).
- Select ADFS profile and click Next.
- Skip the Configure Certificate screen by clicking Next.
- On the Configure URL screen, tick the box labelled Enable support for the SAML 2.0 WebSSO protocol and enter the Relying party SAML 2.0 SSO service URL (the Assertion Consumer Service URL to which ADFS will POST assertions) as https://{region_prefix}.brightflag.com/consumeSaml. Note that there is no trailing slash at the end of the URL.
- The value of {region_prefix} depends on the Brightflag region your company uses:

| Domain | Region prefix |
| --- | --- |
| app.brightflag.com | app |
| enterprise.brightflag.com | enterprise |
| aus.brightflag.com | aus |
- In the Configure Identifiers screen, enter https://{region_prefix}.brightflag.com as the Relying party trust identifier. This is the Entity ID that identifies Brightflag as the service provider (it also appears as the Audience in the assertions ADFS issues); it is not your ADFS identity provider issuer URL. Click Add, then Next.
- Skip the Configure Multi-factor Authentication screen (unless you want to configure this) by clicking Next.
- In the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party and click Next.
- On the Ready to Add Trust screen, review your settings and then click Next.
- On the final screen, make sure the checkbox labeled: “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” is selected and click Finish.
To create claim rules:
The wizard does not create any claim rules. The two rules below send each user's email address to Brightflag as the SAML Name ID, which is how Brightflag identifies the user.
- If the claim rules editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claim Rules, and then click Add Rule.
- In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.
- Configure the rule as follows:
- Claim rule name: a descriptive name (e.g. Send email address as claim)
- Attribute Store: Active Directory
- LDAP Attribute: E-Mail-Addresses
- Outgoing Claim Type: E-Mail Address
- Click Finish.
- Create a second rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template, and click Next.
- Configure the rule as follows:
- Claim rule name: a descriptive name (e.g. Email address to Name ID)
- Incoming Claim Type: E-Mail Address
- Outgoing Claim Type: Name ID
- Outgoing Name ID Format: Email
- Pass through all claim values (the default)
- Click Finish to create the claim rule, and then OK to close the Edit Claim Rules dialog.
- You should now have two claim rules set up, one LDAP attribute rule and one transform rule:

| Rule | Source | Outgoing Claim Type |
| --- | --- | --- |
| Send LDAP Attributes as Claims | LDAP attribute E-Mail-Addresses | E-Mail Address |
| Transform an Incoming Claim | Incoming claim E-Mail Address | Name ID (format: Email) |
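The relying party trust and both claim rules above can also be created from PowerShell on the ADFS server, which is easier to review and repeat than clicking through the wizard. The script below is an added example, not part of the Brightflag article or Brightflag's own tooling; it assumes the region prefix is app (change it per the table above), and the display name, rule names and the SHA-256 signature algorithm are our own choices rather than values the article specifies.

```powershell
# Added example (not from the Brightflag article): creates the relying party
# trust and the two claim rules described above with the ADFS PowerShell
# module instead of the GUI wizard. Run in an elevated PowerShell session on
# the ADFS server. Assumptions: the region prefix below is correct for your
# tenant; the display name and rule names are arbitrary choices.
Import-Module ADFS

$RegionPrefix = "app"                                   # app | enterprise | aus (see table above)
$Identifier   = "https://$RegionPrefix.brightflag.com"   # relying party trust identifier (SP Entity ID)
$AcsUrl       = "$Identifier/consumeSaml"                # Assertion Consumer Service URL, no trailing slash
$DisplayName  = "Brightflag SSO"

# Claim type URIs that ADFS uses for E-Mail Address and Name ID.
$EmailClaim       = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$NameIdClaim      = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$NameIdFormatProp = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"

# Rule 1 (Send LDAP Attributes as Claims): look up the user's AD "mail"
# attribute (shown as E-Mail-Addresses in the GUI) and issue it as an
# E-Mail Address claim.
# Rule 2 (Transform an Incoming Claim): copy the E-Mail Address claim into a
# Name ID claim with the Email name-id format, passing the value through.
$TransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$EmailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address to Name ID"
c:[Type == "$EmailClaim"]
 => issue(Type = "$NameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$NameIdFormatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Issuance authorization rule equivalent to "Permit all users to access this relying party".
$AuthzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# SAML 2.0 WebSSO endpoint: ADFS POSTs assertions to Brightflag's ACS URL.
$AcsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Identifier $Identifier `
    -SamlEndpoint $AcsEndpoint `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"   # sign with SHA-256 (our choice; the article does not specify)

# Verify: identifier, endpoint and both rules should be present.
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
$rp | Select-Object Name, Identifier, SignatureAlgorithm
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location, Index
$rp.IssuanceTransformRules
```

The two rule texts are the same claim rule language that the GUI templates generate, so a trust created this way looks identical in the Edit Claim Rules dialog. The LDAP rule queries the mail attribute of the authenticated Windows account, and the transform rule sets the Name ID format property to the SAML 1.1 emailAddress URI, which is what the Outgoing Name ID Format: Email option does.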
To send a Federation Metadata XML export:
Once the above settings have been configured, Brightflag needs your federation metadata to configure its end of the trust.
- In the ADFS Management Console, browse to Service > Endpoints and, under Metadata, find the endpoint of type Federation Metadata. With a default installation its URL is https://<your-adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml.
- Download the XML file from that URL (it is served anonymously, so a browser is enough). The file describes your SSO setup: your federation service identifier (entity ID), the endpoints and protocols supported, and the public token-signing certificate. It contains public keys only, no private key material.
- Send this file to Brightflag.
- Once Brightflag has configured its end, you will agree on a date for activation. Note that when ADFS rolls over its token-signing certificate, the metadata changes and a fresh export must be sent to Brightflag, otherwise sign-in will fail once the old certificate is retired.
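Before sending the export it is worth checking what it contains, in particular the entity ID, the single sign-on endpoints and the expiry of the token-signing certificate, since that expiry is when Brightflag's copy of your metadata stops working. The script below is an added example, not part of the Brightflag article; it assumes adfs.example.com is your federation service name and that the metadata is published at the default path.

```powershell
# Added example (not from the Brightflag article): downloads the ADFS
# federation metadata that Brightflag asks for and prints what it contains,
# so the entity ID, SSO endpoints and token-signing certificate can be
# checked before the file is sent. Assumptions: $AdfsHost is your federation
# service name and the metadata is at the default path.
$AdfsHost    = "adfs.example.com"
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$OutFile     = Join-Path $env:TEMP "FederationMetadata.xml"

# The endpoint is anonymous by design: it publishes public keys only.
Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

[xml]$md = Get-Content -Path $OutFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# entityID is the Issuer value that will appear in the assertions ADFS sends to Brightflag.
"Entity ID: {0}" -f $md.DocumentElement.GetAttribute("entityID")

$idp = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)

# SAML 2.0 single sign-on endpoints (the 'SAML 2.0/WS-Federation' URL from the requirements section).
foreach ($sso in $idp.SelectNodes("md:SingleSignOnService", $ns)) {
    "SSO endpoint: {0} ({1})" -f $sso.GetAttribute("Location"), $sso.GetAttribute("Binding")
}

# Token-signing certificates. Brightflag validates assertion signatures against
# these, so note the expiry: after ADFS rolls the certificate over, a fresh
# metadata export has to be sent again.
foreach ($kd in $idp.SelectNodes("md:KeyDescriptor[@use='signing']", $ns)) {
    $b64  = $kd.SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns).InnerText.Trim()
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    "Signing cert: {0}  thumbprint {1}  expires {2:u}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}

"Metadata saved to $OutFile; send this file to Brightflag."
```

The certificate thumbprint printed here is a convenient value to confirm with Brightflag after they have imported the file, and to compare against Get-AdfsCertificate -CertificateType Token-Signing on the server so you know the export matches the certificate currently in use.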