Here you can find instructions on how to configure Trivore ID authentication to work with Active Directory Federation Services (ADFS). Configuring ADFS itself is out of scope for this document; only the general requirements are given.

This configuration allows credentials held at ADFS to be used to sign in to Trivore ID.

Configure

Trivore ID

First, select Directories from the main menu as shown below and click the Add directory button.

You will be asked to select a directory type. Select Active Directory Federation Services (ADFS).

Core settings

Here you can choose to enable always-enforced authentication and/or automatic logout after login from this directory. Note that not all SAML IdPs support enforced authentication; automatic logout can be used when enforced authentication is not supported.

Additionally, you can enter technical notes for this directory.

SP metadata settings

SP metadata settings consist of the SP entity ID, private key and certificate. The SP entity ID can be any identifier you choose; there are no requirements on its form. Often this identifier includes the TrivoreID service URL and the SAML authentication path, for example https://<hostname>/saml/SSO.

TrivoreID does not place any restrictions on the private key and certificate either, but the SAML IdP you are connecting to might. Consult the person responsible for the IdP for further information about any such restrictions.

It is generally accepted practice to use self-signed certificates for SAML.

The SP private key and SP certificate must both be in PEM format. Use any tool of your choice to generate a self-signed certificate and private key. After you have configured all SP metadata settings, you can download the automatically generated SP metadata.xml by clicking the link Download automatically generated SP metadata. You will need to import this XML file into the SAML IdP. You can make changes to the XML file if needed, as it is not cryptographically signed.

IdP settings

IdP settings consist of a single field where you import the metadata XML file provided to you by the SAML IdP administrator. The XML file is structurally validated, but testing is required to make sure everything works as expected.

ADFS uses the same core settings as other SAML-based user directories. See Common SAML user directory settings.

User information

After you have configured the necessary core settings, you may need to adjust the user attribute mappings. An attribute mapping can take multiple values in order of preference, separated by commas.

| Field | Description | Default value | Example value from ADFS |
|---|---|---|---|
| Allow creating new users | Allow or deny creating new users. If you want every user from ADFS to be able to sign in to TrivoreID, you need to check this. If not checked, only existing users can link their accounts with ADFS accounts. | False (not checked) | N/A |
| Use NameID based linking | Use the SAML NameID field as the user's ID. Note that this option cannot be used if ADFS uses transient NameID values, as those differ for every login attempt. | True (checked) | |
| Link ID | Permanent, non-secret user identifier from ADFS. Use this option if NameID based linking is not suitable. | None | |
| Username import policy | How to handle usernames in TrivoreID. This option exists to guarantee username uniqueness within the namespace, which is a technical requirement. You can choose to import usernames from ADFS, but the preferred method is to generate them automatically using the default settings. | Automatic namespace username policy (actual value depends on the configured policy in namespace settings) | N/A |
| Username | Attribute from ADFS that provides the user's username | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | john.doe@client.example.com |
| Username prefix | Add a username prefix with this literal value | None | N/A |
| Username suffix | Add a username suffix with this literal value | None | N/A |
| Update username if it does not match given settings | Update the user's username on every successful login if it does not match the given settings. A very rarely needed feature. | False (not checked) | N/A |
| Friendly name | Friendly name for the user's ADFS account that helps them identify it. Only useful if users are given access to manage their account links (add, edit, remove). | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | “John Doe” |
| First name | Attribute from ADFS that provides the user's first name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | “John” |
| Last name | Attribute from ADFS that provides the user's last name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | “Doe” |
| Full name | Attribute from ADFS that provides the user's full name, including first and last name and any middle names. Only useful if separate attributes for first and last name are not available. | None | “John Doe” |
| Email | Attribute from ADFS that provides the user's email address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | “john.doe@example.com” |
| Email verified | Attribute from ADFS that provides the user's email verification status. Boolean attribute; may not be available. | None | true |
| Mobile | Attribute from ADFS that provides the user's mobile number | None | +358401234567 |
| Mobile verified | Attribute from ADFS that provides the user's mobile number verification status. Boolean attribute; may not be available. | None | false |
| Locale / language | Attribute from ADFS that provides the user's language or localisation information | None | “en_US” |
| Photo URL | Attribute from ADFS that provides the user's photo URL. | | |

ADFS uses the common user attribute mappings documented at Common user directory settings. Photo URL is not yet implemented. Some default values are available when creating a new ADFS directory.
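As an added illustration of the mapping rules in the table above (example code, not Trivore ID's own implementation), the following Python parses a constructed SAML assertion, resolves a comma-separated mapping in order of preference, refuses a transient NameID as a link key, and applies the username prefix and suffix. The `upn` claim name used as the first username choice is an assumption for illustration and is absent from the sample.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion (not a captured ADFS response); signature omitted.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML['saml']}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>john.doe@client.example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Mappings in the page's format (claims in order of preference, comma-separated); "upn" is an assumed first choice.
MAPPINGS = {
    "username": f"{CLAIMS}upn, {CLAIMS}emailaddress",
    "first_name": f"{CLAIMS}givenname",
    "last_name": f"{CLAIMS}surname",
}

def parse_assertion(xml_text):
    """Return ({claim name: [values]}, (NameID value, NameID Format))."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", SAML) if v.text]
             for a in root.iterfind(".//saml:Attribute", SAML)}
    nid = root.find(".//saml:NameID", SAML)
    return attrs, ((nid.text, nid.get("Format")) if nid is not None else (None, None))

def resolve(attrs, mapping):
    """Walk the comma-separated mapping and return the first claim that has a value."""
    for claim in (c.strip() for c in mapping.split(",") if c.strip()):
        if attrs.get(claim):
            return attrs[claim][0]
    return None

def link_identifier(name_id, name_id_format, attrs, use_nameid=True, link_id_mapping=""):
    """NameID based linking, or the Link ID attribute when NameID is unsuitable; a transient NameID is rejected (None)."""
    if use_nameid:
        return None if name_id_format == TRANSIENT else name_id
    return resolve(attrs, link_id_mapping)

def build_username(attrs, prefix="", suffix=""):
    """Imported username with the configured literal prefix and suffix applied."""
    base = resolve(attrs, MAPPINGS["username"])
    return f"{prefix}{base}{suffix}" if base else None
```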