eSpatial supports SSO integration with Microsoft AD FS (Active Directory Federation Services). This article details the steps to configure the integration for your users to access eSpatial by logging into your corporate AD FS.
Enable SSO on your Account
You need to have an eSpatial Enterprise account and you need to be an administrator on the account to configure this.
- Click on your username drop down in the top right corner.
- Select Manage Groups & Users.
- Click on the SSO Configuration Link.
Copy the text from the "Service Provider Metadata" box and save it as an XML file on the AD FS server where you will run Server Manager.
Open the Server Manager
- Select ADFS.
- Select Tools and then select AD FS Management.
- Select Relying Party Trusts.
- Select Add Relying Party Trust.
- Leave the option set to Claims aware and select Start.
- Select Import data about the relying party from a file.
- Select the XML file you exported from eSpatial and saved earlier.
- Click Next.
- Select Permit everyone.
- Click Next on the Ready to Add Trust screen.
- Leave the Configure claims issuance policy for this application checkbox selected, so the claims editor opens when you close the wizard.
Edit the Claim Issuance Policy
- Select Add Rule.
- Leave Send LDAP Attributes as Claims selected in the claim rule template drop down.
- Click Next.
- Set the Claim Rule Name.
- Change the Attribute store drop down to Active Directory.
- Map the LDAP attribute E-Mail-Addresses to the outgoing claim type Name ID.
- Map the LDAP attribute Given-Name to the outgoing claim type firstName.
- Map the LDAP attribute Surname to the outgoing claim type lastName.
- Click Finish.
- Press Apply.
- Exit the claims issuance policy editor.
Additional AD FS Steps
- Right click on the Relying Party Trust and select Properties.
- Select the Encryption tab.
- Select Remove to clear the encryption certificate imported from the metadata, then press Apply and OK. AD FS will then send its assertions to eSpatial signed but not encrypted.
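The same relying party trust can be created from PowerShell with the ADFS module instead of the AD FS Management console. The script below is an added example and is not part of the eSpatial article; it assumes the trust name "eSpatial", the path of the metadata file you saved from eSpatial, and that `-EncryptClaims $false` is an acceptable scripted equivalent of removing the encryption certificate on the Encryption tab. The three outgoing claim types match the ones in the article: Name ID, firstName and lastName.

```powershell
# Added example, not code from the eSpatial article: configures the relying party
# trust described above using the ADFS PowerShell module.
Import-Module ADFS

$trustName    = "eSpatial"                         # assumed display name for the trust
$metadataFile = "C:\sso\espatial-sp-metadata.xml"  # assumed path of the Service Provider Metadata saved from eSpatial

# Step 1: create the trust from the Service Provider Metadata file
#         (the GUI's "Import data about the relying party from a file").
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile

# Step 2: "Permit everyone", expressed as an issuance authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 3: the Send LDAP Attributes as Claims rule from the article:
#         E-Mail-Addresses -> Name ID, Given-Name -> firstName, Surname -> lastName.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "eSpatial attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "firstName", "lastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Step 4: apply both rule sets and stop encrypting assertions
#         (the "Additional AD FS Steps" above).
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules `
    -EncryptClaims $false

# Check the result: Enabled should be True, EncryptClaims False, and the
# transform rules should list the three outgoing claim types.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Enabled, EncryptClaims, IssuanceTransformRules
```

Run it in an elevated PowerShell session on the AD FS server. On AD FS 2016 and later the wizard's "Permit everyone" choice is an access control policy rather than an authorization rule; the rule text above is the older equivalent and still works, but you can instead assign the built-in policy with `-AccessControlPolicyName "Permit everyone"` if your version supports it.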
Final setup steps in eSpatial
- You should still be in the SSO configuration screen in eSpatial
- You can either enter your Identity Provider Metadata URL or upload a copy of the metadata file. The URL is preferable because eSpatial can refresh the metadata from it, but if the URL is not publicly reachable from eSpatial you will need to upload a copy of the XML file.
- This URL is usually of the form https://adfs.<yourdomain>.com/FederationMetadata/2007-06/FederationMetadata.xml
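Before choosing the URL option, it is worth confirming from a machine outside your network that the federation metadata is actually reachable and that it identifies the AD FS instance you expect. The snippet below is an added example rather than part of the eSpatial article; `<yourdomain>` is a placeholder for your own AD FS host name.

```powershell
# Added example, not from the eSpatial article: fetch the AD FS federation
# metadata and show the entityID that eSpatial will trust. Run it from a host
# outside the corporate network to confirm the URL is publicly reachable.
$metadataUrl = "https://adfs.<yourdomain>.com/FederationMetadata/2007-06/FederationMetadata.xml"  # placeholder host

$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($response.StatusCode -ne 200) {
    throw "Metadata URL returned HTTP $($response.StatusCode); upload the XML file instead."
}

[xml]$metadata = $response.Content

# The entityID is the identifier eSpatial stores for your identity provider.
"entityID: " + $metadata.EntityDescriptor.entityID

# Count the signing certificates published in the metadata; at least one is required
# for eSpatial to validate the signature on the assertions AD FS sends.
$signingCerts = $metadata.GetElementsByTagName("KeyDescriptor") |
    Where-Object { $_.use -eq "signing" }
"signing certificates published: " + @($signingCerts).Count
```

If the request fails with a name resolution or connection error from outside the network, the URL is not publicly accessible and you should take the upload option described above.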
User Creation in eSpatial
There are two methods of user creation in eSpatial:
- The user can be manually created in eSpatial. Once manually created, the next time they access eSpatial after SSO has been configured they will be sent through your IdP to log in.
- The user can be created automatically in eSpatial when IdP-initiated login is used.
- If for any reason there were issues completing this setup, the admin user can get back to the SSO setup page using the following URL