Team - Single Sign On
Updated over 9 months ago

Access: Admin Only

Overview: A look at how to set up Single Sign On (SSO) via SAML 2.0 (Security Assertion Markup Language).

To configure SAML settings for SSO, you need an identity provider that supports SAML 2.0, such as Active Directory Federation Services (ADFS). ADFS is a service developed by Microsoft to provide users with single sign on access to systems and applications.

1. ADFS & OpenSSL - Export Certificate & Fingerprint

Open ADFS and navigate to Service > Certificates.

Right-click the Token-signing certificate and choose View certificate.

On the 'Details' tab, click Copy File to open the Export Wizard and export the certificate.

To obtain the sha256 fingerprint from the certificate, run the following using OpenSSL:

openssl x509 -noout -fingerprint -sha256 -inform pem -in signing.cert

Copy the fingerprint.
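As an added example (not part of the original article or the SwiftComply product), the snippet below reproduces what the openssl command above prints, using only the Python standard library, and adds a check that the value pasted into the 'Certificate fingerprint' field still matches the certificate currently in use. It accepts either PEM or raw DER input, since the ADFS export wizard can write either; the sample PEM embedded in the block is a constructed placeholder, not a real certificate.

```python
"""Compute the SHA-256 fingerprint of an X.509 certificate the way
`openssl x509 -fingerprint -sha256` prints it, and compare it with the
value configured on the service-provider side (stdlib only)."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def load_cert_der(data: bytes) -> bytes:
    """Accept PEM (what the article's `-inform pem` call expects) or raw
    DER (what the ADFS export wizard produces by default); return DER."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint_sha256(der: bytes) -> str:
    """OpenSSL-style fingerprint: upper-case hex pairs joined by colons."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colons, spaces and case so 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(configured: str, der: bytes) -> bool:
    """True if the fingerprint pasted into the SP matches this certificate.
    Re-run this after an ADFS token-signing certificate rollover: a stale
    fingerprint is the usual reason assertions stop validating."""
    return normalize(configured) == normalize(fingerprint_sha256(der))


# Constructed sample (not a real certificate): PEM body is base64("abc").
SAMPLE_PEM = b"""-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_PEM
    print("SHA256 Fingerprint=" + fingerprint_sha256(load_cert_der(data)))
```

Run it as `python fingerprint.py signing.cert` against the exported file; the output should match the openssl command byte for byte.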


2. In SwiftComply FOG

Open SwiftComply FOG. Click the cog icon in the top right to access Settings.

On the menu on the left, click Team.

Click the Single Sign On tab.


Check the 'Enabled' box.


Set the 'SSO target URL' to https://YOURDOMAIN/adfs/ls (or your SAML URL).

Paste the fingerprint from the first step into the 'Certificate fingerprint' field.

Click Save.

3. ADFS - Relying Party Trusts

The connection is defined using a relying party trust.

On the ADFS Server, navigate to Relying Party Trusts.

Click Add Relying Party Trust from the Actions sidebar.

Ensure Claims Aware is selected.

In the 'Select Data Source' screen, select the first option and copy the audience URL from City2 into the 'Federation metadata address' field.

Click Next through the remaining screens and then Close (any further settings on those screens are optional and up to you).


4. ADFS - Creating Claim Rules

The Claim Issuance Policy editor should open next; if it does not, click Edit Claim Issuance Policy.

Select Add Rule.

Select Send LDAP Attributes as Claims.

Create the 'Claim rule name' (up to you).

Select Active Directory as your attribute store, and:

  • From the LDAP Attribute column, select E-Mail Addresses.

  • From the Outgoing Claim Type column, select Name ID.

Click OK to save the rule, and again to finish creating rules.
