ADFS (SAML): How to set up authentication.

We now support ADFS, which is becoming popular as a single sign-on method used by many organisations. 

Setting up ADFS

Please follow the following steps to setup your ADFS instance with the new relying party trust, which handles the requests from our system:

  1. Set up a new Relying Party Trust using SP metadata as set out below. When asked for the metadata URL, you should use our Service Provider (SP) metadata URL:

    https://yoursystemaddress.roombookingsystem.co.uk/saml/module.php/saml/sp/metadata.php/yoursystemaddress.roombookingsystem.co.uk

    Please make sure to replace both instances of yoursystemaddressin the URL with your own system name - this is the part that comes before roombookingsystem.co.uk in the URL for your Room Booking System.

    To set up the trust:

    Server 2012 R2 onwards:  https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust#to-create-a-claims-aware-relying-party-trust-using-federation-metadata

    Server 2008:  https://technet.microsoft.com/en-us/library/adfs2-help-how-to-add-a-relying-party-trust(v=ws.10).aspx


    NOTE: Servers not utilising the TLS1.2 protocol by default will see the following error: You can find instructions on correcting this in the "Enabling Strong Authentication for .NET Applications" section of this article: 
    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications
  2. When you reach the Finish step, tick the "Open the edit claim rules dialog for this relying party trust when the wizard closes" box to start editing the rule once you're finished.
  3. Click Add Rule under the Issuance Transform Rules tab. When asked which template to use, select "Send LDAP Attributes as Claims". Set a name for the rule, then set the Attribute store to Active Directory. Under the attribute map section, set up the following:

    LDAP Attribute Outgoing Claim Type
    Department eduPersonAffiliation
    Given-Name givenName
    E-Mail-Addresses email
    SAM-Account-Name eduPersonPrincipalName
    Surname sn
    NOTE: If you are running ADFS 2, you'll need to add one more claim here:

    LDAP Attribute Outgoing Claim Type
    User-Principal-Name UPN

    You might not find the Outgoing Claim Type in the drop down box, that's expected.

    The resulting rule should look something like this: c82516dafe51fdce9357ef0666a4c389.pngSave the rule by clicking Ok.

  4. Add another new rule, this time the template should be Transform an Incoming Claim. Set a Claim rule name for the rule, the Incoming claim type to UPN, the Outgoing claim type to Name ID and Outgoing name ID format to Transient Identifier7f097b57d70142cb83f0ed1b60d53adb.png
  5. You may want to set up a new Authorisation Claim Rule to stop certain users being able to access the Room Booking System (e.g. students). You can find guides on authorisation rules below:
  6. Click Ok to save the rule to complete the setup of your ADFS server.

Setting up the Room Booking System with ADFS Authentication

Once the rule has been created, you can easily set up the ADFS authentication method which relies on our SAML support. 

Log in as an admin to your Room Booking System and navigate to  System Settings > Authentication.

Select SAML/ADFS Single Sign-on from the list of authentication methods then paste the entity ID (usually something like https://adfs.domain.co.uk/adfs/services/trust) and URL for metadata (usually something like https://domain/federationmetadata/2007-06/federationmetadata.xml) into the two boxes.

You can choose the other options depending how you would like to allow SAML to work on your system.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us