WS-Federation

Configure Pureservice authentication with WS Federation

*The setup required outside of Pureservice is recommended to be done by someone with relevant knowledge to avoid misconfiguration. Pureservice Support may be able to assist, but this part of the setup is your own responsibility.

Configuring ADFS

1. Open the AD FS Management console, expand “Trust Relationships” and select “Relying Party Trusts”
2. In the actions list, select “Add Relying Party Trust..”
3. Click start on the Welcome screen
4. Select Data Source: “Enter data about the relying party manually” and click Next
5. Specify Display Name: Can be anything, for example “Pureservice Trust”, then click Next
6. Choose Profile: Select “AD FS Profile” and click Next
7. Configure Certificate: Do not configure and click Next
8. Configure URL: Select “Enable support for the WS-Federation Passive protocol”, enter the address for the WS-Federation endpoint (see examples below) and click Next
   1. Important! Must use HTTPS!
   2. Examples: https://YOUR-PURESERVICE-URL/login/wsfed/ / https://YOUR-PURESERVICE-URL/agent/login/wsfed/
9. Configure Identifiers: Set the Pureservice site URL (example: https://YOUR-PURESERVICE-URL/agent/) and click Next
10. Configure Multi-factor Authentication Now?: Select “I do not want to..” and click Next
11. Choose Issuance Authorization Rules: Select “Permit all users to access the relying party” and click Next
12. Ready to Add Trust: Click Next
13. Finish: Choose “Open the Edit Claim Rules dialog..”

For ADFS to send the needed information to Pureservice, a “Claim Rule” must be set up that defines which attributes from Active Directory is mapped to the outgoing claims.

1. Issue Transform Rules, right-click and select “Edit Claim Insurance Policy..”
2. Select “Add Rule..”
3. Choose Rule Type: Select “Send LDAP Attributes as Claims” (is selected by default) and click Next
4. Configure Claim Rule
   1. Set a name, for example “Pureservice email/username from LDAP”
   2. Select Attribute Store “Active Directory”
   3. Set up Mapping
      1. This depends on what you want and your usernames in Pureservice
      2. Example: LDAP Attribute “SAM-Account-Name” -> Outgoing Claim Type “Windows account name” and/or LDAP Attribute “User-Principal-Name” -> Outgoing Claim Type “UPN”

Pureservice must be configured with an endpoint URL, Certificate information and which Claim key should be checked against the username.
Following is where this information can be found in ADFS. You will need this for later steps in the setup.

1. Endpoint URL
   1. Open the AD FS Management console and expand “Service” -> “Endpoints” node
   2. Find the row with type “SAML-2.0/WS-Federation” and find the URL Path value
2. Certificate #1
   1. Option 1: “X.509 Certificate from metadata URL” (in Pureservice): https://FEDERATIONSERVER/FederationMetadata/2007-06/FederationMetadata.xml
   2. Option 2: “X.509 Certificate” (in Pureservice): Open the XML document mentioned above (step 2a) and find the SignatureValue
3. Certificate #2
   1. Open the AD FS Management console and expand “Service” -> “Certificates” node
   2. Find the “Token-signing” certificate and select “View Certificate..” in the Actions menu
   3. Choose “Details” in the certificate dialogue and find the values “Issuer” and “Thumbprint”
4. Claim key
   1. Open the AD FS Management console and expand “Service” -> “Claim Descriptions” node
   2. Find the row that corresponds with the users’ usernames and find the Claim Type value
      1. The standard is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress when email addresses are used as the usernames and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn when UPNs are used as the usernames
      2. Important! Must correspond with the Claim Rule that was created in steps 1-4 for “Issue Transform Rules” in the previous section.

Configuring Pureservice

1. Go to the Pureservice Agent Console and open the Administrator module, go to Security -> Authentication and select the relevant site (Agent authentication for the Agent Console and Enduser authentication for Selfservice)
2. Choose Type: WS-Federation
3. Endpoint URL: Enter the ADFS endpoint URL (step 1 in the previous section)
4. Optional: Endpoint URL (Log out): Enter the URL if you want users to also be logged out of ADFS if using the log out function in Pureservice
5. Claim key: Enter the relevant Claim key (step 4 in the previous section)
6. Certificate validation: Select “Issuer name and thumbprint”, add the Issuer and Thumbprint in their separate fields (step 3 in the previous section)
7. Optional: Enable Bypass SSO. This will allow users to log in “manually” with their Pureservice usernames and passwords while also having the option of using the WS-Federation Single SignOn.
8. Save