Configure Pureservice authentication with SAML-P

Configuring ADFS

  1. Add Rule (in the ADFS Management console, under the claim rules / claim issuance policy of the relying party trust for Pureservice)
    1. Send LDAP Attributes as Claims
    2. Next
    3. Set a name
    4. Choose attribute store “Active Directory”
    5. Set up the mapping as wanted (example: E-Mail-Addresses to E-Mail Address and/or User-Principal-Name to UPN). Which attribute you map depends on what usernames you use in Pureservice, because Pureservice matches the user on this claim
    6. Finish
  2. Add Rule
    1. Transform an Incoming Claim
    2. Next
    3. Set a name
    4. Set Incoming claim type, Outgoing claim type and Outgoing name ID format
      1. Incoming claim type: the outgoing claim type you chose for the mapping in step 1.5 (E-Mail Address or UPN)
      2. Outgoing claim type: Enter or select “Name ID”
      3. Outgoing name ID format: Choose “Transient Identifier”. A transient Name ID is only valid for one session, so the user is identified by the Claim key attribute from rule 1, not by the Name ID
    5. Leave the rest as it is, click OK and then Finish

With the rules above, use either http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress as the Claim key in Pureservice, matching the attribute you mapped in step 1.5.

Configuring Pureservice (ADFS)

  1. Go to the Pureservice Agent Console, open the Administrator module, go to Security -> Authentication and select the relevant site (Agent authentication for the Agent Console, Enduser authentication for Selfservice)
  2. Choose Type: SAML-P
  3. Endpoint URL: Enter the ADFS SAML endpoint (the /adfs/ls/ passive endpoint). If the field is prefilled with your Pureservice host name, replace it with the ADFS host name
    1. Example: https://adfs.yourdomain.com/adfs/ls/
  4. Claim key: Enter the Claim key URI that matches the attribute you mapped in the “Configuring ADFS” section above
    1. Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  5. Certificate validation: Leave as “X.509 Certificate from metadata URL” or change it to “X.509 Certificate”. Both refer to the ADFS server, not the Pureservice server, since the federation metadata is published by ADFS
    1. “X.509 Certificate from metadata URL”: https://adfs.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml (the https URL of your own ADFS host). Pureservice will accept SAML responses signed by whichever certificate that document advertises, so this URL is the trust anchor for the login
    2. “X.509 Certificate”: Open the same metadata document and copy the base64 value of the X509Certificate element under the KeyDescriptor with use="signing" (the token-signing certificate). The SignatureValue element is the signature over the metadata document itself and cannot be used here. ADFS rolls its token-signing certificate automatically by default, so a pasted certificate must be replaced before the rollover or logins stop working; the metadata URL option follows the rollover on its own
  6. Optional: Enable Bypass SSO. This allows users to log in “manually” with their Pureservice usernames and passwords while also having the option of using SAML-P Single Sign-On. Note that this keeps password login open as a second way into the site, outside any policy (MFA, lockout, conditional access) that ADFS enforces
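How to pull the signing certificate out of the ADFS federation metadata for the “X.509 Certificate” option, as an added example that is not from the original page or from Pureservice. It assumes the ADFS host name adfs.yourdomain.com. The script reads the KeyDescriptor use="signing" entries, which hold the token-signing certificate, rather than the SignatureValue element; the XPath is plain SAML 2.0 metadata, so the same script works against any SAML IdP's metadata URL, not only ADFS.

```powershell
# Added example: fetch the ADFS federation metadata over HTTPS and list the
# token-signing certificate(s) that Pureservice will trust. Assumed ADFS host name below.
$adfsHost = "adfs.yourdomain.com"
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Invoke-WebRequest validates the TLS certificate of the ADFS host; do not disable that,
# since this document decides which signatures Pureservice accepts on SAML responses.
$xml = [xml](Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# The value for the "X.509 Certificate" field is the X509Certificate under the
# KeyDescriptor marked use="signing", not ds:SignatureValue (the metadata document's
# own signature). ADFS lists two signing entries while a certificate rollover is pending.
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$nodes = $xml.SelectNodes($xpath, $ns)

foreach ($node in $nodes) {
    $b64  = ($node.InnerText -replace '\s', '')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[Convert]::FromBase64String($b64))
    [pscustomobject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Base64     = $b64   # paste this into the "X.509 Certificate" field
    }
}

# Cross-check on the ADFS server itself: the thumbprint must match the primary
# token-signing certificate. Run there:
#   Get-AdfsCertificate -CertificateType Token-Signing | Select-Object IsPrimary, Thumbprint, Certificate
```

When two certificates are printed, use the one whose thumbprint Get-AdfsCertificate reports as IsPrimary; the other is the next certificate in the rollover, and the pasted value in Pureservice will need to be replaced with it when ADFS promotes it.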

Configuring Pureservice (Feide)

  1. Go to the Pureservice Agent Console and open the Administrator module, go to Security -> Authentication and select the relevant site (Agent authentication for the Agent Console and Enduser authentication for Selfservice)
  2. Choose Type: SAML-P
  3. Endpoint URL: https://idp.feide.no/simplesaml/saml2/idp/SSOService.php
  4. Endpoint URL (Log out): https://idp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php
  5. Claim key: Enter the Claim key from Feide
    1. Example: “eduPersonPrincipalName”
  6. Certificate validation: Leave as “X.509 Certificate from metadata URL” and enter the URL https://idp.feide.no/simplesaml/saml2/idp/metadata.php
  7. Optional: Enable Bypass SSO. This will allow users to log in “manually” with their Pureservice usernames and passwords while also having the option of using the SAML-P Single SignOn.
  8. Save the setup
  9. Click the link at the end of “Download the SAML-P SP metadata document here”. Important: this SP metadata must be sent to Feide and registered there; the setup will not work until that is done.

Need more help with this?
Contact us here for further questions!
