Configure Pureservice authentication with SAML-P
Configuring ADFS
1. Add Rule
   a. Send LDAP Properties as Claims
   b. Next
   c. Set a name
   d. Choose attribute store “Active Directory”
   e. Set up the mapping as wanted (example: E-mail Address and/or User-Principal-Name; this depends on which usernames you use in Pureservice)
   f. Finish
2. Add Rule
   a. Transform an incoming claim
   b. Next
   c. Set a name
   d. Set incoming claim type, outgoing claim type and outgoing name ID format
      - Incoming claim type: choose the value you used for the mapping in step 1e
      - Outgoing claim type: enter or select “Name ID”
      - Outgoing name ID format: choose “Transient Identifier”
   e. Leave the rest as it is, click OK and then Finish
With the setup above, you can either select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress as the Claim key in Pureservice.
Configuring Pureservice (ADFS)
- Go to the Pureservice Agent Console and open the Administrator module, go to Security -> Authentication and select the relevant site (Agent authentication for the Agent Console and Enduser authentication for Selfservice)
- Choose Type: SAML-P
- Endpoint URL: Enter the ADFS endpoint URL. Remove any references to “Pureservice” in the URL and add “ADFS”
  - Example: https://adfs.yourdomain.com/adfs/ls/
- Claim key: Enter the relevant Claim key URI, as listed at the end of the “Configuring ADFS” section above
  - Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
- Leave the Certificate validation as “X.509 Certificate from metadata URL” or change it to “X.509 Certificate”
  - “X.509 Certificate from metadata URL”: https://YourPureserviceServer/FederationMetadata/2007-06/FederationMetadata.xml
  - “X.509 Certificate”: Find and use the SignatureValue from the metadata document, which can be found at https://FEDERATIONSERVER/FederationMetadata/2007-06/FederationMetadata.xml
- Optional: Enable Bypass SSO. This will allow users to log in “manually” with their Pureservice usernames and passwords while also having the option of using the SAML-P Single SignOn.
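Added example, not part of the Pureservice documentation or product: a small Python check that an assertion shaped by the two ADFS rules above carries what the Claim key setting expects (a Transient NameID plus an attribute whose Name is the claim URI), and that reads the IdP signing certificate out of a FederationMetadata.xml document (the `KeyDescriptor use="signing"` element ADFS publishes). The entity ID, certificate value and assertion contents are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample metadata; the certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor><KeyDescriptor use="signing">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>MIIC-PLACEHOLDER-CERT</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor></IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample assertion as the LDAP rule and the Transform rule would shape it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def signing_certificates(metadata_xml):
    """Base64 signing certificate(s) from IdP metadata (KeyDescriptor use="signing")."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return ["".join(c.text.split()) for c in root.findall(path, NS)]

def check_assertion(assertion_xml, claim_key):
    """Check the NameID format (Transform rule) and the attribute named by the
    Claim key (LDAP rule). Returns the claim value and a list of problems."""
    root = ET.fromstring(assertion_xml)
    problems, value = [], None
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        problems.append("NameID missing or not Transient Identifier (Transform rule)")
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim_key:
            val = attr.find("saml:AttributeValue", NS)
            value = (val.text or "").strip() if val is not None else None
    if not value:
        problems.append("no value for Claim key %s (LDAP rule mapping)" % claim_key)
    return {"claim_value": value or None, "problems": problems}
```

Run `check_assertion` against a decoded SAMLResponse captured from a test login to confirm the Claim key you entered in Pureservice matches what ADFS actually sends.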
Configuring Pureservice (Feide)
- Go to the Pureservice Agent Console and open the Administrator module, go to Security -> Authentication and select the relevant site (Agent authentication for the Agent Console and Enduser authentication for Selfservice)
- Choose Type: SAML-P
- Endpoint URL: https://idp.feide.no/simplesaml/saml2/idp/SSOService.php
- Endpoint URL (Log out): https://idp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php
- Claim key: Enter the Claim key from Feide
  - Example: “eduPersonPrincipalName”
- Certificate validation: Leave as “X.509 Certificate from metadata URL” and enter the URL https://idp.feide.no/simplesaml/saml2/idp/metadata.php
- Optional: Enable Bypass SSO. This will allow users to log in “manually” with their Pureservice usernames and passwords while also having the option of using the SAML-P Single SignOn.
- Save the setup
- Click the link at the end of “Download the SAML-P SP metadata document here”. Important: This must be sent to Feide before the finished setup will work.
Need more help with this?
Contact us here with any further questions!