ADFS (SAML): How to set up authentication.
We now support ADFS (Active Directory Federation Services), which is becoming a popular single sign-on method used by many organisations. It works through our SAML support.
Setting up ADFS
Follow these steps to set up your ADFS instance with a new relying party trust, which handles the sign-in requests from our system:
- Set up a new Relying Party Trust using SP metadata as set out below. When asked for the metadata URL, you should use our Service Provider (SP) metadata URL:
https://yoursystemaddress.roombookingsystem.co.uk/saml/module.php/saml/sp/metadata.php/yoursystemaddress.roombookingsystem.co.uk
Please make sure to replace both instances of yoursystemaddress in the URL with your own system name - this is the part that comes before roombookingsystem.co.uk in the URL for SchoolCloud Room Booking.
To set up the trust, follow Microsoft's guide for your server version:
Server 2012 R2 onwards: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust#to-create-a-claims-aware-relying-party-trust-using-federation-metadata
Server 2008: https://technet.microsoft.com/en-us/library/adfs2-help-how-to-add-a-relying-party-trust(v=ws.10).aspx
When you reach the Finish step, tick the "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" box so that you can go straight on to creating the claim rules once the wizard closes.
NOTE: Servers that do not use the TLS 1.2 protocol by default will see an error when ADFS tries to download our SP metadata, because the download is made by .NET and older .NET defaults negotiate an older TLS version. You can find instructions on correcting this in the "Enabling Strong Authentication for .NET Applications" section of this article (the ADFS service must be restarted after the change):
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications
- Click Add Rule under the Issuance Transform Rules tab. When asked which template to use, select "Send LDAP Attributes as Claims". Give the rule a name, then set the Attribute store to Active Directory. In the attribute mapping section, set up the following rows:
LDAP Attribute        Outgoing Claim Type
Department            eduPersonAffiliation
Given-Name            givenName
E-Mail-Addresses      email
SAM-Account-Name      eduPersonPrincipalName
Surname               sn
NOTE: If you are running ADFS 2, you'll need to add one more row here:
LDAP Attribute        Outgoing Claim Type
User-Principal-Name   UPN
You might not find these Outgoing Claim Types in the drop-down box; that's expected. Type them in exactly as shown, as they are sent verbatim as the SAML attribute names our system reads. Save the rule by clicking OK.
- Add another new rule, this time using the "Transform an Incoming Claim" template. Set a Claim rule name, the Incoming claim type to UPN, the Outgoing claim type to Name ID and the Outgoing name ID format to Transient Identifier.
- You may want to set up a new Issuance Authorisation Rule to stop certain users being able to access Room Booking (e.g. students). Without one, every account that can authenticate to your ADFS will be able to sign in. You can find guides on authorisation rules below:
- Click OK to save the rule to complete the setup of your ADFS server.
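The same relying party trust and claim rules can be created from PowerShell, which is easier to review and repeat across a test and a production ADFS farm. The script below is an added example written for this guide, not a script supplied by SchoolCloud or by Microsoft. It assumes the ADFS PowerShell module on Windows Server 2012 R2 or later and the RSAT ActiveDirectory module for the group lookup; "yoursystemaddress" and the group name "Room Booking Users" are placeholders you must replace. It also checks the SchUseStrongCrypto registry keys from the Microsoft article linked above before the metadata download.

```powershell
# Added example (not SchoolCloud's or Microsoft's own script): creates the
# relying party trust from the SP metadata and attaches the claim rules
# described in the guide. Placeholders: $systemName and $allowedGroup.
$systemName    = "yoursystemaddress"     # the part before roombookingsystem.co.uk
$spMetadataUrl = "https://$systemName.roombookingsystem.co.uk/saml/module.php/saml/sp/metadata.php/$systemName.roombookingsystem.co.uk"
$allowedGroup  = "Room Booking Users"    # assumed AD group that may sign in
$trustName     = "SchoolCloud Room Booking"

Import-Module ADFS
Import-Module ActiveDirectory

# 1. The ADFS service downloads the SP metadata through .NET. On older builds
#    .NET negotiates TLS 1.0 and the download fails; the fix in the linked
#    article is SchUseStrongCrypto=1 under both of these keys, then a restart
#    of the adfssrv service. This only warns, it does not change anything.
$cryptoKeys = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
              "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319"
foreach ($key in $cryptoKeys) {
    $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($value -ne 1) {
        Write-Warning "SchUseStrongCrypto is not 1 under $key; the metadata download may fail with TLS errors"
    }
}

# 2. Issuance transform rules, in the claim rule language the "Send LDAP
#    Attributes as Claims" and "Transform an Incoming Claim" templates produce.
#    The outgoing claim types are the literal names the guide asks you to type.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Room Booking attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("eduPersonAffiliation", "givenName", "email", "eduPersonPrincipalName", "sn"), query = ";department,givenName,mail,sAMAccountName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to transient Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@
# ADFS 2.0 only: add "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
# to the types list and userPrincipalName to the query (the guide's extra row).

# 3. Issuance authorisation rule. The guide suggests denying students; this
#    uses an allowlist instead, which fails closed for accounts you did not
#    think of (service accounts, new OUs) rather than letting them through.
$groupSid = (Get-ADGroup -Identity $allowedGroup).SID.Value
$authzRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit Room Booking users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^$($groupSid)`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# 4. Create the trust from the SP metadata. Monitoring keeps the SP's signing
#    certificate and endpoints current if the metadata changes later.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $spMetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# 5. Values you will paste into Room Booking. The entity ID is the Federation
#    Service identifier; copy it exactly, its scheme is often http, not https.
$props = Get-AdfsProperties
"Entity ID:    " + $props.Identifier
"Metadata URL: https://" + $props.HostName + "/federationmetadata/2007-06/federationmetadata.xml"
Get-AdfsRelyingPartyTrust -Name $trustName | Select-Object Name, Identifier, Enabled
```

Run it in an elevated PowerShell session on the ADFS server. On Windows Server 2008 with ADFS 2.0, load the cmdlets with Add-PSSnapin Microsoft.Adfs.PowerShell instead of Import-Module ADFS and add the UPN row as the comment notes. If you prefer the guide's "deny students" approach, the deny claim type is http://schemas.microsoft.com/authorization/claims/deny; ADFS refuses access whenever any deny claim is issued, regardless of permit claims.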
Setting up Room Booking with ADFS Authentication
Once the rules have been created, you can set up the ADFS authentication method, which relies on our SAML support.
Log in to Room Booking as an admin and navigate to Settings > System Settings > Authentication.
Select SAML/ADFS Single Sign-on from the list of authentication methods, then paste the entity ID (your Federation Service identifier, usually something like https://adfs.domain.co.uk/adfs/services/trust) and the URL for metadata (usually something like https://domain/federationmetadata/2007-06/federationmetadata.xml) into the two boxes. Copy the entity ID exactly as it appears in the entityID attribute of your federation metadata, including the scheme (http or https) and any trailing slash, as the values must match for sign-in to work.
Enable the SAML Enabled and Enable SP Initiated Login options.
We recommend enabling Automatically Create New Users while you test this setup, even if you don't intend to leave it on, so that your first sign-in is not blocked by a missing account. Generally, once you've confirmed sign-in works, we recommend keeping this turned on. Note that with it on, any account your ADFS issues a token for will get a Room Booking account, so rely on the Issuance Authorisation Rule on the ADFS side to restrict who can sign in.