ADFS

Quick guide to setup ADFS access protocol in Exivity.

Setting up ADFS Configuration

On ADFS side, go to Trust Relationships -> Relying Party Trusts, click on Add Relying Party Trust

  • Select Data Source: Enter data about the relying party manually

  • Specify Display Name: Exivity

  • Choose Profile: AD FS Profile

  • Configure Certificate: Leave blank

  • Configure URL: Leave blank

  • Configure Multi-factor authentication now?: Choose I do not want to configure multi-factor authentication settings for this relying party trust at this time.

  • Choose Issuance Authorization Rules: Permit all users to access this relying party

  • Ready to Add trust: --

  • Click on Finish.

Right click the newly added trust: Properties

Right click the newly added trust: Edit Claim Rules

  • Go to Issuance Transform Rules -> Add Rule

  • Choose Rule Type: Send Claims using a Custom Rule

  • Configure Claim Rule:

    • Claim Rule Name – Exivity

    • Custom Rule:

      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
      => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

  • Finally, click on Save.

Setting up ADFS in Exivity

Make sure to perform the following steps as an Exivity user with sufficient rights (an admin user).

First, go to Administration > Settings > Single sign-on and choose the SAML tab:

In a separate browser tab, open the Exivity SAML configuration and fill in the following settings:

For each Exivity SAML setting, use the following value:

  • Entity ID: Sometimes called the Issuer or Metadata URL. Example: http://ADFS-URL/adfs/services/trust

  • SSO URL: The URL of the Single Sign-On service endpoint, sometimes called the SAML 2.0 Endpoint. Example: https://ADFS-URL/adfs/ls

  • SLO URL: The URL of the Single Logout service endpoint, suffixed with ?wa=wsignout1.0. Example: https://ADFS-URL/adfs/ls/?wa=wsignout1.0

  • X.509 certificate: The Base-64 encoded DER (PEM) certificate, enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

  • Advanced settings: { "security": { "wantXMLValidation": false } }
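As an added example (not part of the Exivity documentation or product), the script below reads the four values above from the ADFS federation metadata document, which ADFS publishes at /FederationMetadata/2007-06/FederationMetadata.xml, so the values can be filled in from a single authoritative source rather than typed by hand. The embedded metadata is a constructed sample using the hostname adfs.example.test, and its certificate body is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata, reduced to the elements read below; the certificate body is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def to_pem(b64: str) -> str:
    # Wrap the Base-64 DER body from the metadata in the PEM markers the Exivity setting expects.
    body = "".join(b64.split())  # the metadata may break the Base-64 text across lines
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"

def exivity_saml_settings(metadata_xml: str) -> dict:
    """Return the Entity ID, SSO URL, SLO URL and signing certificate(s) from the IdP descriptor."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)

    def redirect_location(service: str) -> str:
        for svc in idp.findall(f"md:{service}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        raise ValueError(f"no HTTP-Redirect {service} endpoint in metadata")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing and encryption
            certs.extend(to_pem(c.text) for c in kd.iter(f"{{{NS['ds']}}}X509Certificate"))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": redirect_location("SingleSignOnService"),
        "slo_url": redirect_location("SingleLogoutService") + "?wa=wsignout1.0",
        "x509_certificates": certs,  # more than one entry means a signing certificate rollover is in progress
    }
```

If the list of certificates has more than one entry, check in the ADFS console which one is the current primary token-signing certificate before pasting it into Exivity.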

As the last step, enable Single Sign-On in Exivity by navigating to Administration > Settings and then clicking on the System tab. Make sure the Single Sign-On option is set to Enabled, and click the Update button:

SSO is now configured and enabled, and you can use ADFS to log in to your Exivity instance. The login screen will look something like this:

And by clicking on the Login button, you'll be taken to the ADFS login screen.
