Schoolzilla

Setting up Active Directory Federation Services via SSO/SAML

Requirements:

  • ADFS 2.0
  • Update Rollup 2 for ADFS 2.0
  • SSL Certificate

ADFS setup:

  1. Make sure you have ADFS 2.0 installed
  2. Before you start, make sure the correct version of ADFS is installed on your server: Schoolzilla requires ADFS 2.0. A quick way to check is to click Start, then All Programs, then Administrative Tools, and look for AD FS 2.0 Management.

    If you do not have the correct version, you can download it here: http://www.microsoft.com/en-us/download/details.aspx?id=10909

    Note: ADFS 1.1 is available as a server role in Windows Server 2008 and Windows Server 2008 R2. This version is not compatible with SAML 2.0 and will not work for SSO with Schoolzilla. If the ADFS 1.1 role was installed then you will need to uninstall it prior to installing ADFS 2.0.

  3. To use IdP-initiated authentication into Schoolzilla’s web application, you'll need to install Update Rollup 2 for ADFS 2.0: http://support.microsoft.com/kb/2681584.
  4. Once you have installed the Update Rollup 2 for AD FS 2.0 package and restarted the ADFS service, you must add a line to the web.config file for the feature to become active. Perform the following steps:

Create a New Relying Party Trust:

  • Open the ADFS 2.0 Management console and select Relying Party Trusts.
  • Select Add Relying Party Trust… from the top right corner of the window.
  • The add wizard appears.
  • Click Start to begin.
  • Select Enter data about the relying party manually.
  • Give it a display name, such as Schoolzilla, and enter any notes you want.
  • Select ADFS 2.0 Profile.
  • Do not select a token encryption certificate.
  • Do not enable any settings on the Configure URL.
  • Enter the Relying Party Trust Identifier 'saml2/sp/metadata.php/services' and click Add.
  • Permit all users to access this relying party.
  • Click Next on the Ready to Add Trust page.
  • Clear the 'Open the Claims when this finishes' check box and click Close.
  • The Relying Party appears in the window.

Configure the Relying Party Trust:

  • Right-click on the Relying Party Trust and select Properties.
  • Browse to the Endpoints tab and add a SAML Assertion Consumer endpoint with the following properties:
    • Endpoint Type: SAML Assertion Consumer
    • Binding: POST
    • URL: Your Schoolzilla SSO URL (see https://app.schoolzilla.com/sso/setup/saml for your Schoolzilla SSO URL)
  • Add a second, SAML Logout endpoint with the following properties:
    • Endpoint Type: SAML Logout
    • Binding: POST
    • URL: https://app.schoolzilla.com/logout

Claim Transformation:

  • Right-click on the Relying Party Trust that you set up in the previous step and select Edit Claim Rules….
  • On the Issuance Transform Rules tab click Add Rule….
  • Create a rule to get LDAP attributes:
    • Select Send LDAP Attributes as Claims as the claim rule template to use.
    • Give the rule a name like 'Get LDAP Attributes'.
    • Set the Attribute Store to Active Directory.

Mapping of LDAP Attributes to Outgoing Claim Types:

  • E-Mail-Addresses (LDAP Attribute) : E-mail Address (Outgoing Claim Type)
  • Given-Name (LDAP Attribute) : User.FirstName (Outgoing Claim Type) (type directly into the box)
  • Surname (LDAP Attribute) : User.LastName (Outgoing Claim Type) (type directly into the box)
  • Click Finish.

  • Create a new rule to pass Email Address as the Name ID:
    • Click Add Rule….
    • Select Transform an Incoming Claim as the claim rule template to use.
    • Give it a name like 'Email to Name ID'.
    • Set the Incoming Claim Type to E-mail Address (it must match the Outgoing Claim Type above).
    • Set the Outgoing Claim Type to Name ID.
    • Set the Outgoing Name ID Format to Transient Identifier.
    • Select Pass through all claim values.
    • Click Finish.
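The trust, endpoints and both claim rules above can also be created from the AD FS 2.0 PowerShell snap-in instead of the wizard. This is an added example, not part of the Schoolzilla guide; $SsoUrl is a placeholder for your Schoolzilla SSO URL, and the rule text is the claim rule language the two wizard templates generate.

```powershell
# Added example (not from the Schoolzilla guide): same relying party trust,
# endpoints and claim rules as the wizard steps, via the AD FS 2.0 snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$SsoUrl = 'https://app.schoolzilla.com/REPLACE-WITH-YOUR-SSO-URL'   # placeholder

# Endpoints: SAML Assertion Consumer (POST) and SAML Logout (POST)
$acs    = New-ADFSSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST `
            -Uri $SsoUrl -Index 0 -IsDefault $true
$logout = New-ADFSSamlEndpoint -Protocol SAMLLogout -Binding POST `
            -Uri 'https://app.schoolzilla.com/logout'

# Issuance authorization: "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rules. Rule 1 reads mail/givenName/sn from AD into the
# three outgoing claim types; rule 2 re-issues the e-mail claim as a Name ID
# with the transient format, which is what the guide asks for.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "User.FirstName", "User.LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

Add-ADFSRelyingPartyTrust -Name 'Schoolzilla' `
    -Identifier 'saml2/sp/metadata.php/services' `
    -SamlEndpoint @($acs, $logout) `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check: the trust should show the identifier from the guide and both endpoints.
Get-ADFSRelyingPartyTrust -Name 'Schoolzilla' |
    Select-Object Name, Identifier, SamlEndpoints
```

Run it in an elevated PowerShell session on the ADFS server; no token encryption certificate is set, matching the wizard steps.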

Register your IdP info:

Once you've finished configuring ADFS, download your IdP metadata from https://[yourADFSdomain]/FederationMetadata/2007-06/FederationMetadata.xml

Upload this metadata file to the 'IdP metadata' section at https://app.schoolzilla.com/sso/setup/saml. Click Save. You are now set up to test authenticating to Schoolzilla using Single Sign-On.

IdP-initiated Authentication:

To initiate authentication into Schoolzilla's web application from ADFS, you must append a fully URL-encoded Relay State to your ADFS IdP-initiated Signon Link:

  • Your ADFS IdP-initiated Signon Link:
    https://[yourADFSDomain]/adfs/ls/idpinitiatedsignon.aspx
  • URL-encoded Relay State:
    ?RelayState=RPID%3dsaml2%2fsp%2fmetadata.php%2fservices%26RelayState%3d%2fsaml2%2f[yourCustomerID]
  • Complete URL for IdP-initiated Signon:
    https://[yourADFSDomain]/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3dsaml2%2fsp%2fmetadata.php%2fservices%26RelayState%3d%2fsaml2%2f[yourCustomerID]
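The Relay State above is itself a query string (RPID=...&RelayState=...) that is then encoded as a single value of the outer query string, which is why its '=', '&' and '/' appear as %3d, %26 and %2f. The following added example (not from the Schoolzilla guide) builds the link from placeholders for [yourADFSDomain] and [yourCustomerID] and checks that the value decodes back to the inner query.

```powershell
# Added example (not from the Schoolzilla guide): build the IdP-initiated
# sign-on link and verify the nested RelayState encoding round-trips.
$AdfsDomain = 'adfs.example.org'   # placeholder for [yourADFSDomain]
$CustomerId = 'CUSTOMER-ID'        # placeholder for [yourCustomerID]

# RPID is the Relying Party Trust identifier configured earlier in the guide.
$rpid  = 'saml2/sp/metadata.php/services'
$inner = "RPID=$rpid&RelayState=/saml2/$CustomerId"

# The inner value is a query string in its own right, so it must be escaped
# as a whole; otherwise ADFS reads its '&' and '=' as part of the outer query.
$encoded = [Uri]::EscapeDataString($inner)
$link    = "https://$AdfsDomain/adfs/ls/idpinitiatedsignon.aspx?RelayState=$encoded"
Write-Output $link

# Check: decoding the RelayState parameter must give the inner query back.
$query     = ([Uri]$link).Query.TrimStart('?')
$param     = $query.Split('&') | Where-Object { $_ -like 'RelayState=*' }
$roundTrip = [Uri]::UnescapeDataString($param.Substring('RelayState='.Length))
if ($roundTrip -ne $inner) { throw "RelayState did not round-trip: $roundTrip" }
```

EscapeDataString emits uppercase hex (%3D, %2F); the lowercase form shown in the link above decodes identically.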

Service Provider-initiated Authentication:

To initiate authentication from Schoolzilla’s website, visit one of two URLs: