Single Sign-On for ADFS
This guide is designed for customers whose identity provider is Microsoft's Active Directory (AD).
If your identity provider is a commercial SAML provider instead, please read Enabling Single Sign-On.
Prerequisites to SSO for ADFS
Microsoft does not support web login directly against Active Directory (AD); the Active Directory Federation Services (ADFS) role was added for this purpose. Microsoft has written a guide to installing ADFS.
Please review the above guide before proceeding.
To get started, please email Support at firstname.lastname@example.org and ask for your entity ID. Once Support enables it, this ID becomes a live URL containing the customer's metadata, which is needed at a later point in the setup.
The metadata link looks similar to the below:
On the server's desktop, open "Server Manager" > select "Tools" > then choose "AD FS Management." A window opens showing the current ADFS settings.
Before proceeding to set up the connection between Lessonly and ADFS, the user needs to take note of two URLs from this section:
1. Select the "Endpoints" folder > locate the value of "URL" for the type "SAML 2.0/WS-Federation." The URL is typically in the first row and normally ends with "/adfs/ls."
2. The second URL type is "Federation Metadata." Normally this will start with "/FederationMetadata."
Configure Relying Party Trusts
To establish a connection between the ADFS server and Lessonly, add a "Relying Party Trust" to the server.
Select the "Relying Party Trusts" folder > then select "Add Relying Party Trust." This is the first option in the "Actions" menu:
Adding a relying party trust starts the software wizard. Select "Start."
Select Data Source
In the Welcome tab, the details need to be input manually. Select "Enter data about the relying party manually" > then select "Next."
Specify Display Name
When specifying the display name enter a recognizable name (for example "Lessonly Admin"), and any notes to describe what this service is for > then select "Next."
On "Choose Profile," leave the first option "AD FS profile" checked.
Next, under "Configure Certificate," leave the certificate settings as the default value and select "Next."
For "Configure URL," check the second box "Enable support for the SAML 2.0 Web SSO protocol."
For the relying party SAML 2.0 SSO service URL, input https://COMPANYNAME.lessonly.com/auth/saml/callback.
Then select "Next."
When configuring the identifiers, the wizard asks for the "Relying party trust identifier."
The URL should look as follows: companysubdomain.lessonly.com.
Enter this URL in the box, select "Add" > and then select "Next."
Configure Multi-factor Authentication Now?
This section asks if the customer would like to enable multi-factor authentication.
Currently, this is not supported; leave the default option "I don't want to" checked > then select "Next."
Choose Issuance Authorization Rules
The final step is to choose the ‘Issuance Authorization’ rules.
Leave the default first option selected.
Ready to Add Trust
The next screen asks the user to confirm their settings.
When finished, the last tab confirms that the relying party trust was successfully added.
Leave the checkbox checked to open the "Edit Claim Rules" dialog when the wizard closes. Select "Close."
Setting Claim Rules
Each relying party trust contains rules. Select "Add Rule" near the bottom-left of this panel to populate the software wizard.
The first screen asks to select a "Claim rule template" > select "Send LDAP Attributes as Claims" from the menu and select "Next."
To configure the rule enter "LDAP Email" as the rule’s name > then select "Active Directory" as the attribute store.
Lessonly needs the user's email address to identify them when logging in. To do so, choose "E-Mail-Addresses" from the first column (LDAP Attribute) and "E-Mail Address" from the second column (Outgoing Claim Type).
Select "OK" to save the rule.
The next rule to set is the "Name" attribute.
Select "Add Rule" > and follow the same setup as the last rule.
Transform an Incoming Claim
Finally, one last rule needs to be set. Select "Add Rule" again. This time however on that first screen, select "Transform an Incoming Claim" as the rule template > then select "Next."
Enter "Email Transform" for the claim rule name.
For the "Incoming claim type" > select "Email Address."
For the "Outgoing claim type," > select "Name ID."
For the "Outgoing name ID format" > select "Email."
Leave "Pass through all claim values" as selected (this is the default) > and select "OK."
Full Name Attribute
To pass the full name of a user, create a rule with the "Send LDAP Attributes" template.
For the "LDAP Attribute," add a row for "Surname" and a row for "Given-Name."
For the "Outgoing Claim Type," select "Surname" and "Given Name."
Then select "OK."
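The relying party trust and the claim rules built by the wizard in the steps above can also be created from the ADFS PowerShell module on the ADFS server. The following is an added example, not code from the article or from Lessonly; "companyname" stands in for the customer's real Lessonly subdomain, and the LDAP attribute behind the "Name" rule (displayName) is an assumption, since the article does not name it.

```powershell
# Added example, not from the article: the same relying party trust and claim rules that the
# GUI wizard builds, created with the ADFS PowerShell module on the ADFS server.
# Assumption: "companyname" stands in for the customer's real Lessonly subdomain.
$subdomain  = "companyname"
$identifier = "$subdomain.lessonly.com"                              # Relying party trust identifier
$acsUrl     = "https://$subdomain.lessonly.com/auth/saml/callback"   # SAML 2.0 SSO service URL

# Claim rule language for the rules set in the GUI: LDAP Email, Name, Full Name and Email Transform.
# (Assumption: the "Name" rule maps the AD displayName attribute; the article does not say which.)
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";displayName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Full Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";sn,givenName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# The wizard's default issuance authorization option ("Permit all users to access this relying party").
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Assertion consumer endpoint: HTTP-POST binding to the Lessonly callback URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name "Lessonly" `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Read the trust back to confirm the identifier and endpoint before handing them to Lessonly Support.
Get-AdfsRelyingPartyTrust -Name "Lessonly" | Select-Object Name, Identifier, SamlEndpoints
```

The rule text is the same claim rule language the GUI shows under "View Rule Language" for each rule, so it can be compared against a trust that was created through the wizard.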
Next, the user needs to obtain the "EntityId" (Issuer) for their ADFS service.
The user can locate this by opening their server's federation metadata URL in a browser. The full URL needs the domain in front, so it usually looks like this: https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml.
When the URL is opened in a browser, the XML text loads. Most of it can be ignored, but the user needs to locate the "entityID" attribute, which must be provided to Lessonly. It is in the very first line and looks something like this:
The final piece of information needed is the certificate the server uses to sign the responses it sends to our platform.
This works like an electronic signature: it lets Lessonly confirm that each response came from the customer's ADFS server and has not been modified. To retrieve the certificate > start by selecting the "Certificates" folder in the ADFS management panel.
Then double-click on the "Token-signing" certificate being used to sign the responses. This populates a dialog box showing the certificate’s details.
In the dialog box > select the "Details" tab > then select "Copy to File."
This opens another box showing the certificate export wizard.
Select "Next," and the wizard asks which format to export the certificate in. Choose "Base-64 encoded X.509."
Save the file and then close all of the open dialog boxes.
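The entityID and the token-signing certificate from the two steps above can also be read straight from the federation metadata and checked against the certificate the server actually uses. The following is an added example, not code from the article or from Lessonly; adfs.yourdomain.com is a placeholder for the customer's ADFS host, and the final cross-check only runs where the ADFS PowerShell module is present (that is, on the ADFS server itself).

```powershell
# Added example, not from the article: pull the entityID and the token-signing certificate(s)
# from the ADFS federation metadata, save them in the same Base-64 X.509 (PEM) form the export
# wizard produces, and confirm one of them is the server's primary token-signing certificate.
# Assumption: adfs.yourdomain.com is a placeholder for the customer's ADFS host.
$metadataUrl = "https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# entityID (the Issuer Lessonly asks for) is an attribute of the root <EntityDescriptor>.
$entityId = $metadata.EntityDescriptor.entityID
Write-Host "entityID: $entityId"

# Signing certificates are listed under IDPSSODescriptor/KeyDescriptor with use="signing".
# ADFS publishes the primary and, during a certificate rollover, the secondary token-signing cert.
$signingB64 = $metadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate -replace '\s', '' }

$thumbprints = @()
$i = 0
foreach ($b64 in $signingB64) {
    $bytes = [Convert]::FromBase64String($b64)   # the metadata value is the DER certificate in Base-64
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    $thumbprints += $cert.Thumbprint
    Write-Host ("Signing cert {0}: Subject={1} Thumbprint={2} NotAfter={3}" -f $i, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

    # Wrap as PEM with 64-character lines, which is what "Base-64 encoded X.509" in the wizard writes.
    $body = ($b64 -replace '(.{64})', "`$1`n").TrimEnd("`n")
    $pem  = "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----"
    Set-Content -Path "adfs-token-signing-$i.cer" -Value $pem -Encoding Ascii
    $i++
}

# On the ADFS server, confirm the metadata matches the primary token-signing certificate in use,
# so the file handed to Lessonly is the one that will actually verify the SAML responses.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $primary = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate
    if ($thumbprints -contains $primary.Thumbprint) {
        Write-Host "Metadata matches the primary token-signing certificate $($primary.Thumbprint)"
    } else {
        Write-Warning "No signing certificate in the metadata matches the server's primary token-signing certificate"
    }
}
```

The NotAfter value printed for each certificate is worth noting: ADFS auto-rolls the token-signing certificate before it expires, and the new certificate must be provided to Lessonly again when that happens.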
Provide the Data to Lessonly
After all the above has been completed, provide the below credentials to a member of Lessonly Support.
The Target URL. This is the "SAML 2.0/WS-Federation" endpoint URL noted earlier and looks something like https://adfs.COMPANYDOMAIN.com/adfs/ls/...
The Base-64 Certificate
Once the above information has been provided to Lessonly Support, a member of the team begins the set-up. During this process, the team member will ask the customer to run a few quick test logins to make sure the SSO is working as expected.
If you have any questions, please reach out to Support at email@example.com.