Configuring Single Sign-on (SSO) using SAML 2.0 for ADFS

ManageEngine Password Manager Pro (PMP) supports SAML 2.0, which allows it to integrate with federated identity management solutions for Single Sign-on (SSO). PMP acts as the Service Provider (SP) and integrates with Identity Providers (IdPs) over SAML 2.0. The integration essentially consists of supplying details about the SP to the IdP and vice versa. Once PMP is integrated with an IdP, users only have to log in to the IdP; from the IdP's GUI they are then logged in to PMP automatically without providing credentials again.

Microsoft's Active Directory Federation Services (AD FS) 10.0 supports SAML integration to provide SSO services. If your team or organization uses AD FS, you can integrate PMP with it to enable SAML SSO for PMP users. Integrating PMP with AD FS 10.0 involves two major steps:

  • STEP 1: Prerequisite steps to carry out in AD FS 10.0
  • STEP 2: Providing required details about AD FS in Password Manager Pro to enable SSO services

STEP 1: Prerequisite steps to carry out in AD FS 10.0

Before you carry out the steps below, log in to Password Manager Pro (PMP) and navigate to Admin >> SAML Single Sign On. In the SAML SSO configuration page, download the service provider metadata XML file available under Step 1; it carries PMP's entity ID, Assertion Consumer Service URL and signing certificate, which AD FS reads when the trust is imported. Then execute the following steps:

  • Navigate to Start >> All Programs >> Administrative Tools, and open 'AD FS 10.0 Management'.
  • The first step is to add a Trust Relationship in AD FS 10.0 that holds the PMP details. Under Trust Relationships, right-click on Relying Party Trusts and select 'Add Relying Party Trust' from the drop-down menu. A wizard window will open up as shown in the image below:
  • Click 'Start' and proceed to the next step, 'Select Data Source'. Here, choose the second option, 'Import data about the relying party from a file.' Click 'Browse', import the metadata file downloaded earlier from PMP, and click 'Next'.
  • In this step, set a display name for the relying party (for example, PMP) and click 'Next'.
  • Choose Access Control Policy: Here, select the first option 'Permit everyone' and proceed. Note that 'Permit everyone' lets AD FS issue an assertion for any authenticated AD account; if only a subset of users should reach PMP, the wizard also offers policies that permit a specific group, which is the tighter choice.
  • On the 'Ready to Add Trust' step, review the summary, click 'Next', and then click 'Close'.
  • PMP will now be displayed in the Relying Party Trusts list. Right-click on the same and select 'Properties' from the drop-down menu as shown below.
  • In the dialog box that opens, switch to the Advanced tab and specify 'SHA-1' as the secure hash algorithm. Apply changes and close the window. SHA-1 is the algorithm this page specifies for signing assertions to PMP; it is a deprecated signature hash, so if your PMP version accepts SHA-256-signed assertions, prefer 'SHA-256' here.
  • Right-click on PMP again and now select 'Edit Claim Issuance Policy'.
  • In the dialog box that opens, click 'Add Rule' under Issuance Transform Rules.
  • Set 'Transform an Incoming Claim' as the claim rule template and click 'Next'.
  • Under Configure Claim Rule,
    • Enter 'NameID' as the claim rule name.
    • Set 'Windows account name' as the incoming claim type.
    • Set 'Name ID' as the outgoing claim type.
    • Select 'Transient Identifier' for outgoing name ID format.
    • Click 'Finish'.
    • Click 'Apply' to save changes and close the Edit Claim Rules window.

Note: If you have already imported users into PMP from AD, their login names are stored in the format "DOMAIN\Loginname". Setting 'Windows account name' as the incoming claim type matches this format by default. However, if you created PMP local accounts for your AD users by importing them via a CSV file, select a different incoming claim type (for example, 'UPN' or 'E-Mail Address') that matches the login name format stored in PMP; the value AD FS places in the Name ID must equal the PMP login name exactly, or the SSO login will not be mapped to a PMP user.

STEP 2: Providing required details about AD FS 10.0 in Password Manager Pro to enable SSO services

  • Open PMP again and navigate to the SAML SSO configuration page.
  • Under Step 2 in the page, choose the first option 'Upload IdP metadata file' to browse and open AD FS's metadata XML file.
  • Note: The XML file can be downloaded from the AD FS 10.0 console. In the console's left navigation pane, click on 'Endpoints' and scroll down to the Metadata list. Locate the URL path listed for the Federation Metadata type (typically /FederationMetadata/2007-06/FederationMetadata.xml on the federation service host) and open the URL in a new browser tab to download the metadata XML file.

  • The uploaded XML file also populates the IdP signing certificate details required for Step 3. If the details are not filled in automatically after providing the metadata file, configure the Identity Provider details manually in Steps 2 and 3. Then click 'Save'.
  • The AD FS SSO service is now configured for PMP. Click 'Enable SAML SSO' to activate the service. To test the configuration, keep your current administrator session open and log in to PMP from a separate browser session, so that a misconfigured trust or claim rule cannot lock you out while you verify it.
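The same STEP 1 and STEP 2 configuration, expressed with the AD FS PowerShell module, is shown below as an added example; it is not part of the PMP documentation or of the product, and it is useful when the trust has to be reproduced on several AD FS servers or reviewed for what was actually created. The file paths, the federation service host name adfs.example.com, and the display name 'PMP' are assumptions; the claim rule text is the rule that the 'Transform an Incoming Claim' template produces for the settings given in STEP 1. Run it on the AD FS server as an AD FS administrator.

```powershell
# Added example: STEP 1 / STEP 2 of the PMP <-> AD FS SAML setup via PowerShell.
# Not from the PMP documentation. Paths, host name and trust name are assumptions.
Import-Module ADFS

$spMetadata  = 'C:\Temp\pmp-sp-metadata.xml'    # file downloaded from PMP, Admin >> SAML Single Sign On, Step 1
$adfsHost    = 'adfs.example.com'               # assumed federation service name
$idpMetadata = 'C:\Temp\adfs-idp-metadata.xml'  # file to upload in PMP under Step 2

# Claim rule equivalent to the 'Transform an Incoming Claim' template configured above:
# incoming 'Windows account name' (DOMAIN\user) -> outgoing 'Name ID', transient format.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# STEP 1: create the relying party trust from the SP metadata. Entity ID, Assertion
# Consumer Service URL and SP certificate are read from the file, so nothing is typed by hand.
Add-AdfsRelyingPartyTrust -Name 'PMP' `
    -MetadataFile $spMetadata `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $nameIdRule

# Secure hash algorithm (the Advanced tab). The page specifies SHA-1; the SHA-256 URI is
# left commented for PMP builds that accept SHA-256-signed assertions.
Set-AdfsRelyingPartyTrust -TargetName 'PMP' -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# Set-AdfsRelyingPartyTrust -TargetName 'PMP' -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Check: review what was created (entity ID, hash algorithm, policy, claim rule)
# before enabling SSO on the PMP side.
Get-AdfsRelyingPartyTrust -Name 'PMP' |
    Select-Object Name, Identifier, SignatureAlgorithm, AccessControlPolicyName, IssuanceTransformRules |
    Format-List

# STEP 2: fetch the IdP federation metadata that PMP imports. This is the 'Federation Metadata'
# endpoint listed under Endpoints in the AD FS console.
Invoke-WebRequest -Uri "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml" -OutFile $idpMetadata
# Upload $idpMetadata in PMP under Admin >> SAML Single Sign On, Step 2, save, then click 'Enable SAML SSO'.
```

The Get-AdfsRelyingPartyTrust call at the end is the part worth keeping in a runbook: it prints the identifier AD FS will use as the Audience in the assertion and the signature algorithm it will sign with, which are the two values to compare against PMP's SP metadata and Step 3 settings when a login fails after enabling SSO.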

©2014, ZOHO Corp. All Rights Reserved.