ADFS Identity Provider

Connect ConfigCat with Active Directory Federation Services (ADFS) via SAML.

Introduction

Each SSO Identity Provider requires specific information to configure a SAML integration. The following guide will walk you through how you can connect ConfigCat with ADFS as a SAML Identity Provider.

1. Collect SAML Metadata from ConfigCat

• Open your organization's authentication settings on the ConfigCat Dashboard.

  

• Click ADD SAML IDENTITY PROVIDER.

  

• Give a name for your Identity Provider, and click Create.

  

• From the next section of the dialog, copy the following values and save them for further use.

  • Entity ID

  • Assertion Consumer Service

    

2. Configure a Relying Party Trust

• Open the ADFS Management console, and click Add Relying Party Trust.

  

• Make sure the Claims aware option is selected, and click Start.

  

• Select the Enter data about this relying party manually option, and click Next.

  

• Type a descriptive Display name, and click Next.

  

• No action required on the Configure Certificate pane, click Next.

  

• Select the Enable support for the SAML 2.0 WebSSO protocol option, and paste the value of Assertion Consumer Service from Step 1 into the Relying party SAML 2.0 SSO service URL field.
  Then, Click Next.

  

• Paste the value of Entity ID from Step 1 into the Relying party trust identifier field, and click Add.
  Then, click Next.

  

• No action required on the Choose Access Control Policy pane, click Next.

  

• Review the changes, then click Next.

  

• The Relying Party Trust is now successfully added, make sure the Configure claims issuance policy for this application option is checked, and click Close.

  

3. Configure Claims Issuance Policy

• After adding the Relying Party Trust, the following dialog should appear.
  Click Add rule.

  

• Select Send LDAP Attributes as Claims as the Claim rule template, and click Next.

  

• Apply the following, and click Finish.

  • Add a descriptive Claim rule name.
  • Select Active Directory as Attribute store.
  • Select User-Principal-Name as LDAP Attribute.
  • Select Name ID as Outgoing Claim Type.
  

• Click OK.

  

4. Configure ConfigCat with SAML Details from ADFS

You can choose one of the following options to configure ConfigCat with SAML Identity Provider metadata.

Metadata URL

• Select Endpoints, and copy the URL Path of the Federation Metadata endpoint.

  

• Type the URL into the Metadata URL field at ConfigCat in the following format: https://[ADFS-DOMAIN]/[FEDERATION-METADATA-URL-PATH].

  

• Select the trusted domains. Only user accounts from trusted domains can login with SAML SSO. You can bind multiple verified domains to a SAML Identity Provider.

  

• Click on Save.

Manual Configuration

• Select Endpoints, and save the URL Path of the SAML 2.0/WS-Federation endpoint.

  

• Select Certificates, then select the Token Signing certificate, and click View Certificate.

  

• On the Details tab click Copy to File.

  

• Click Next.

  

• Select the Base-64 encoded X.509 (.CER) option, and click Next.

  

• Browse the location where the certificate should be exported, and click Next.

  

• Click Finish.

  

• Click OK.

  

• Type the SAML 2.0/WS-Federation endpoint into the Sign-on URL field in the following format: https://[ADFS-DOMAIN]/[WS-FEDERATION-URL-PATH]. Then, paste the exported Token Signing certificate into the X.509 Certificate field.

  

• Select the trusted domains. Only user accounts from trusted domains can login with SAML SSO. You can bind multiple verified domains to a SAML Identity Provider.

  

• Click on Save.

5. Sign In

• Go to the ConfigCat Log In page, and click COMPANY ACCOUNT - SAML.

  

• Sign in with your company email address.

  

• ConfigCat will redirect you to the ADFS sign in page. Type your credentials, and click Sign in.

  

• You should be redirected to ConfigCat signed in with your company account.

6. Next Steps

• Configure the auto-assignment of users.