Setting up Active Directory Federation Services (ADFS) As An IdP Server for ParkMyCloud
The purpose of this article is to guide you in setting up Active Directory Federation Services (ADFS) as an Identity Provider (IdP). The screenshots showing ADFS were taken from a Windows Server 2012 R2 environment.
Spoiler Alert: Using the automated configuration approach (providing the URL to the IdP metadata file) for ADFS within ParkMyCloud is the preferred approach.
Before configuring ADFS, let's do some prep work in ParkMyCloud:
- Go to Settings/Single Sign-On (SSO) with SAML and enable. If you have existing users in the system, I suggest you select "Allowed for All Users", as this will allow users with local accounts and SSO users. (If you want strict adherence to SSO, then select "Required for All Users Except for Admins".)
- Configure the unique identifier to something human readable (unless you really like UUID strings). Also, you can pick a default team if you like (we chose "Dev Team") and set the IdP Configuration to "Automatic from IdP metadata URL." You won't be able to save changes yet, until you add the actual URL. For that, you'll need to configure ADFS.
- So, let's jump over to ADFS: You will now need to configure a Relying Party Trust for ParkMyCloud within ADFS. Assuming you have properly configured ADFS, open up the ADFS management tool and select "Add Relying Party Trust..."
- On the Welcome page, click "Start":
- Since ParkMyCloud doesn't have its own metadata URL or metadata file, we will need to configure this manually. This is pretty simple, though, so select the manual approach and click "Next":
- Here, we'll give it a name...something evocative, like ... "ParkMyCloud", then click "Next":
- On this screen we need to select the latest ADFS profile, which supports SAML 2.0, then click "Next":
- ParkMyCloud uses the certificates from the IdP server for signing and encrypting messages. Therefore, you can just click "Next" on this page:
- On this screen we are going to enable support for SAML 2.0 Web SSO. You will also need to enter the "Relying Party Service URL", which is sometimes called the "Service Provider (SP) Assertion Consumer Service (ACS) URL". So, copy that from the ParkMyCloud Settings page and paste it here, then click "Next":
- On this screen they ask for the "Relying Party Identifier", which is sometimes called the "Service Provider (SP) Entity ID". In ParkMyCloud this is the same URL as the SP ACS URL. Paste it here and click "Add", then click "Next":
- On the next screen, it will ask if you want to configure Multi-Factor Authentication. Skip this and click "Next":
- This screen allows you to configure overall access to ParkMyCloud. We suggest "Permit all users ...". Then, click "Next":
- That's pretty much it. You can review your settings on any of the tabs, then click "Next" and then "Close":
- The next thing we need to do is set up the claim rules. The wizard for this should open automatically after the previous step. There are a few simple claims which need to be configured. These can be done in two simple rules. We'll call them "PMC Outgoing Claims" and "Name ID Transform":
- For the PMC Outgoing Claims rule, we will map the following LDAP attributes to their ParkMyCloud counterparts:
  - E-Mail-Addresses is mapped to E-Mail Address
  - Given-Name is mapped to FirstName
  - Surname is mapped to LastName
  Note there is no space between "First" and "Name" or "Last" and "Name".
- We are still not quite done. When ADFS receives an E-Mail Address claim from ParkMyCloud, it needs to respond with a Name ID, and that response needs to be in email format. So, we will create the Name ID Transform rule to do that.
- The last step is to find out what the ADFS metadata URL is. When you configured ADFS, you gave it a service name. In our case, our AD domain was samltest.com and we simply called the service name adfs.samltest.com. If you were to look under Service / Endpoints in ADFS, you would find the following: /FederationMetadata/2007-06/FederationMetadata.xml. The metadata URL endpoint you need is derived by simply appending this path to your service name. In this example, the IdP metadata URL is: https://adfs.samltest.com/FederationMetadata/2007-06/FederationMetadata.xml. Copy and paste that into the ParkMyCloud settings page to complete the configuration.
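The same Relying Party Trust, claim rules and metadata URL lookup can be scripted with the ADFS PowerShell module instead of the wizard. This is an added example, not part of the original article or ParkMyCloud's own tooling; the ACS URL is a placeholder you replace with the value from the ParkMyCloud Settings page, and the claim types "FirstName" and "LastName" are the space-free names the article calls for.

```powershell
# Added example: scripts the wizard steps from this article (run on the ADFS server as an admin).
# Placeholder: replace with the SP ACS URL shown on the ParkMyCloud Settings page.
$AcsUrl   = "https://REPLACE-WITH-PARKMYCLOUD-ACS-URL"
$EntityId = $AcsUrl   # ParkMyCloud uses the same value for the SP Entity ID and the ACS URL

# Rule 1 "PMC Outgoing Claims": LDAP mail/givenName/sn -> E-Mail Address, FirstName, LastName
# Rule 2 "Name ID Transform":   E-Mail Address claim -> Name ID in email format
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "PMC Outgoing Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: the wizard's "Permit all users" choice
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 Web SSO endpoint = "Relying Party Service URL" (the SP ACS URL), POST binding
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true

Add-AdfsRelyingPartyTrust -Name "ParkMyCloud" `
    -Identifier $EntityId `
    -SamlEndpoint $Acs `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Check: confirm the trust was created with the expected identifier and endpoint
Get-AdfsRelyingPartyTrust -Name "ParkMyCloud" | Select-Object Name, Identifier, SamlEndpoints

# The IdP metadata URL to paste into ParkMyCloud: federation service name + metadata path
$Svc = Get-AdfsProperties
"https://$($Svc.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
```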
From here, you simply give your users the User Login URL. That URL will take them to the ADFS proxy servers, where they will be authenticated by Active Directory. Once authenticated for the first time, their account will automatically be created within ParkMyCloud and they will be logged in to the application without needing a password.