Bridge uses a number of different authentication protocols for security of the Bridge system including Bridge Basic authentication, SAML, CAS and LDAP. Setting up ADFS to send assertions to Bridge through SAML is a great way to manage users and security for your system. In this configuration you can set up a Relying Party Trust to send a specific user attribute housed in ADFS to match or create a user with that attribute as the unique identifier for the user account in Bridge.
- A configured ADFS 2.0 server.
- The desired Bridge unique identifier configured as a LDAP Attribute in the ADFS server.
- A Bridge-provided XML file for Relying Party Trust configuration.
- An ADFS generated XML file resulting from the configured Relying Party Trust.
Your Bridge implementation consultant will use the following fields to create the SAML configuration generated or pulled from the ADFS generated XML file:
- SAML IdP Entity ID (Required)
- SAML Certificate Fingerprint (Required)
- This field is generated by the implementation consultant using the X.509 certificate in the ADFS generated XML file.
- SAML Single Sign On URL (Required)
- SAML Single Logout URL
- SAML Logout Redirect URL
- SAML NameId Format
- SAML Authentication Context
Steps for Configuration
- Provide your implementation consultant or CSM with your ADFS metadata URL. This willenable the IC or CSM to supply in return a Bridge metadata URL and/or an XML configuration file for your root or subaccount.
- Click Start, point to Administrative Tools, and then click AD FS 2.0.
- Under AD FS 2.0\Trust Relationships, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.
- On the Welcome page, click Start.
- On the Select Data Source page, select the second button next to "Import about the relying party from a file".
- Click Browse and select the file that was sent to you from your implementation consultant in Step 1. Click Next.
- On the Specify Display Name, create a name for the Relying Party Trust like "Bridge LMS". Click Next.
- On the Choose Issuance Rules, select the first option "Permit all users to access this relying party". Click Next.
- On the Ready to Add Trust page, select the Encryption tab. Click Remove to remove the certificate for encryption. Click Next.
- On the Finish page, click Close.
- An Add Transform Claim Rule Wizard window will likely pop up. You should be on the Choose Rule Type page. In the drop down below Claim Rule Type select Send LDAP Attributes as Claims. Click Next.
- In the Configure Claim Rule page, input any name for the Claim rule name field ("Bridge Claim Rules" will work fine). \
- In the drop downs below LDAP Attribute, select the attribute you'd like to pass as unique identifier in Bridge. Many clients select either email or employee ID. In the Outgoing Claim Type, select NameID. Click Finish.
- Navigate to your Metadata Page, usually accessed at: https://server/federationmetadata/2007-06/federationmetadata.xml when logged into your ADFS service.
- Anywhere on the resulting page from Step 14, right click and select Save As. Make note of where you are saving this file, and if needed adjust the folder or the name so you can find the file again. Click Save in the resulting window.
- Send the file created in Step 15 to your implementation consultant.
- Your implementation consultant will extract the necessary fields from the ADFS metadata URL or generated XML file and input into the back-end of Bridge.
- Your implementation consultant will update the account settings and notify you that the integration is complete. From this point you should test the integration.
To test configuration, attempt to log in from a couple user accounts across the company. If the integration is successful the user should either see the My Learner Dashboard or the Admin Dashboard, depending on the user's assigned permissions.
After testing is over, tell your implementation consultant whether or not you'd like just-in-time provisioning off or on. Just-in-time provisioning instantly creates a user in the system if Bridge cannot find the identifier passed by ADFS amongst existing Bridge users.