Configuring ADFS 2.0 with Bridge Using SAML

Overview

Bridge supports several authentication methods, including Bridge basic authentication, SAML, CAS and LDAP. Configuring ADFS to send SAML assertions to Bridge is a convenient way to manage users and access for your system. In this configuration you set up a Relying Party Trust that sends one chosen user attribute, read by ADFS from Active Directory, and Bridge uses the value of that attribute as the unique identifier to match an existing user account or, with just-in-time provisioning enabled, to create one.

Requirements

Client Side

  • A configured ADFS 2.0 server.
  • The desired Bridge unique identifier available as an LDAP attribute in the ADFS server (for example E-Mail-Addresses or Employee-ID).
  • A Bridge-provided XML file for Relying Party Trust configuration.
  • An ADFS generated XML file resulting from the configured Relying Party Trust.

Bridge Side

Your Bridge implementation consultant will use the following fields, pulled from the ADFS metadata URL or the ADFS-generated XML file, to create the SAML configuration:

  • SAML IdP Entity ID (Required)
  • SAML Certificate Fingerprint (Required)
    • This field is derived by the implementation consultant from the ADFS token-signing X.509 certificate in the ADFS-generated XML file. Bridge uses it to verify the signature on each assertion, so if that certificate is later replaced (ADFS 2.0 rolls self-signed token-signing certificates over automatically by default), send the new metadata to your consultant before the new certificate becomes primary; otherwise logins fail signature validation.
  • SAML Single Sign On URL (Required)
  • SAML Single Logout URL
  • SAML Logout Redirect URL
  • SAML NameId Format
  • SAML Authentication Context

Steps for Configuration

Client Side

  1. Provide your implementation consultant or CSM with your ADFS metadata URL. This will enable the IC or CSM to supply in return a Bridge metadata URL and/or an XML configuration file for your root or subaccount.
  2. Click Start, point to Administrative Tools, and then click AD FS 2.0.
  3. Under AD FS 2.0\Trust Relationships, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.
  4. On the Welcome page, click Start.
  5. On the Select Data Source page, select the second option, "Import data about the relying party from a file".
  6. Click Browse and select the file that was sent to you from your implementation consultant in Step 1. Click Next.
  7. On the Specify Display Name page, enter a name for the Relying Party Trust such as "Bridge LMS". Click Next.
  8. On the Choose Issuance Authorization Rules page, select the first option, "Permit all users to access this relying party". Click Next. If only some directory users should be able to sign in to Bridge, you can tighten this later with an issuance authorization rule based on group membership; whatever this rule permits is exactly the set of users who can reach Bridge through ADFS.
  9. On the Ready to Add Trust page, select the Encryption tab. Click Remove to remove the encryption certificate, so that ADFS sends the assertion unencrypted. The assertion is still signed by the ADFS token-signing certificate and is delivered to Bridge over HTTPS. Click Next.
  10. On the Finish page, click Close.
  11. An Add Transform Claim Rule Wizard window will likely pop up. You should be on the Choose Rule Type page. In the Claim rule template drop-down, select Send LDAP Attributes as Claims. Click Next.
  12. On the Configure Claim Rule page, enter any name in the Claim rule name field ("Bridge Claim Rules" will work fine) and leave the Attribute store set to Active Directory.
  13. In the mapping table, under LDAP Attribute select the attribute you want to pass as the unique identifier in Bridge (many clients use E-Mail-Addresses or Employee-ID), and under Outgoing Claim Type select Name ID. Click Finish. Pick an attribute that is unique and does not change: if the value is later changed or reused for another person, Bridge will fail to match the user or, with just-in-time provisioning on, create a duplicate account.
  14. Navigate to your ADFS federation metadata page, usually found at https://server/federationmetadata/2007-06/federationmetadata.xml (replace server with the host name of your ADFS service).
  15. Anywhere on the resulting page from Step 14, right-click and select Save As. Make note of where you are saving this file, and if needed adjust the folder or the name so you can find the file again. Click Save in the resulting window.
  16. Send the file created in Step 15 to your implementation consultant.

Bridge Side

  1. Your implementation consultant will extract the necessary fields from the ADFS metadata URL or the generated XML file and enter them in the back end of Bridge.
  2. Your implementation consultant will update the account settings and notify you that the integration is complete. From this point you should test the integration.
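The extraction the Bridge side performs in step 1, and the fingerprint derivation described under Requirements, as an added example that is not Bridge's own tooling: it reads the federationmetadata.xml saved in Step 15, pulls out the IdP Entity ID, the Single Sign On and Single Logout URLs, the advertised NameID formats and the token-signing certificate, and hashes that certificate's DER bytes into a fingerprint. The host name adfs.example.com, the function names and the sample metadata are assumptions made for the example; the X509Certificate elements in the sample hold placeholder bytes, not real certificates.

```python
"""Pull the SAML settings Bridge needs out of ADFS federation metadata.

Added example (not Bridge or Microsoft code). The sample metadata below is
constructed for this example; its X509Certificate elements hold placeholder
bytes rather than real certificates.
"""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET  # for metadata from an untrusted source, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins for the DER bytes of the ADFS certificates.
PLACEHOLDER_SIGNING_CERT_B64 = base64.b64encode(b"placeholder: not a real signing certificate").decode()
PLACEHOLDER_ENCRYPTION_CERT_B64 = base64.b64encode(b"placeholder: not a real encryption certificate").decode()

# Constructed, trimmed-down ADFS metadata. Real metadata also carries an XML
# signature, WS-Federation elements and an SPSSODescriptor, none of which
# matter for the fields Bridge needs.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_ENCRYPTION_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_SIGNING_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def cert_fingerprint(cert_b64: str, algo: str = "sha1") -> str:
    """Hash the certificate's DER bytes and return AA:BB:... upper-case hex.

    SHA-1 is the form most SAML service providers expect; pass "sha256"
    if the Bridge side asks for that instead.
    """
    der = base64.b64decode("".join(cert_b64.split()))  # tolerate line-wrapped base64
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_adfs_metadata(xml_text: str) -> dict:
    """Return the Bridge-side SAML fields found in IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; this is not IdP metadata")

    def endpoint(element):
        # Prefer the HTTP-Redirect binding, which Bridge uses for SP-initiated login.
        for ep in idp.findall(f"md:{element}", NS):
            if ep.get("Binding") == HTTP_REDIRECT:
                return ep.get("Location")
        return None

    # Only 'signing' (or unqualified) keys verify assertion signatures; the
    # encryption key is irrelevant once Step 9 removes encryption.
    signing_certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso_url": endpoint("SingleSignOnService"),
        "slo_url": endpoint("SingleLogoutService"),
        "name_id_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)],
        "signing_fingerprints": [cert_fingerprint(c) for c in signing_certs if c],
    }


def fingerprint_still_valid(configured: str, metadata: dict) -> bool:
    """Compare the fingerprint stored in Bridge with the IdP's current signing
    certificates, ignoring case and separators. Run this after an ADFS
    token-signing certificate rollover: False means assertions will fail
    signature validation until the Bridge side is updated."""
    def norm(s):
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return any(norm(configured) == norm(fp) for fp in metadata["signing_fingerprints"])


if __name__ == "__main__":
    # Usage: python adfs_metadata.py [federationmetadata.xml]
    # utf-8-sig strips the BOM that "Save As" from a browser on Windows may add.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for field, value in parse_adfs_metadata(text).items():
        print(f"{field}: {value}")
```

Run it against the file saved in Step 15 to see what your consultant will be working from, and rerun it with the live metadata URL's contents after any ADFS certificate change to confirm the fingerprint Bridge holds still matches.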

Testing

To test the configuration, log in from a couple of user accounts across the company. If the integration is successful the user should see either the My Learner Dashboard or the Admin Dashboard, depending on the user's assigned permissions.

After testing is over, tell your implementation consultant whether you would like just-in-time provisioning on or off. Just-in-time provisioning instantly creates a user in Bridge when the identifier passed by ADFS does not match any existing Bridge user. Leave it off if account creation should stay under the control of Bridge administrators; with it on, every user the Relying Party Trust's issuance authorization rules permit (all directory users, with the rule chosen in Step 8) gets a Bridge account on first login.
