SAML integration with ADFS

SAML integration with ADFS

Active Directory Federation Services( ADFS ) is a Single Sign On solution created by Microsoft. ADFS manages authentication through a proxy service hosted between Active Directory (AD) and the target application. You must obtain the login URL, logout URL and the certificate from ADFS.
  1. Log in to the ADFS 3.0 server and open the management console.
  2. Right-click Service in the left-pane menu and choose Edit Federation Service Properties.
  3. Under General, make sure that your DNS entries and certificate names are correct.
  4. Using your Federation Service name, use a browser and go to  https://federationservicename.com/federationMetaData/2007-06/FederationMetaData.xml
    Example:
    The login URL and logout URL are present in the XML file as SingleSignOnService and SingleLogoutService tags
  5. Export the Token-Signing certificate:
    1. Right-click Certificate in the left-pane menu and click View Certificate.

    2. Select the Details tab.
    3. Click Copy to File. The Certificate Export Wizard will open.

    4. Click Next. Ensure the No, do not export the private key option is selected, and then click Next.
    5. Select Base-64 encoded X.509 (.cer), then click Next.

    6. Choose where to save the file and name it. Click Next.
    7. Select Finish. The instance requires that this certificate be in .cer or .pem format.
  6. Configure Single Sign-On URL and Entity ID URLs at Zoho.

Submit metadata at ADFS

Add a Relying Party Trust

  1. Under Trust Relationships in the left-pane menu, right-click Relying Party Trusts and select Add Relying Party Trust. This will open the Add Relying Party Trust Wizard.

  2. On the Select Data Source screen, select Enter data about the relying party manually.
  3. On the Specify Display Name screen, enter zoho.com as the display name.
  4. On the Choose Profile screen, select AD FS profile.
  5. On the Configure URL screen, check the Enable Support for the SAML 2.0 WebSSO protocol.
  6. Enter the ACS URL present in the metadata file you downloaded from Zoho in the Relying Party SAML 2.0 SSO service URL text box.

  7. On the Configure Identifiers screen, enter zoho.com as the Relying Party Trust Identifier.
  8. On the Configure Multi-factor Authentication Now screen, choose I do not want to configure multi-factor authentication settings for this relying party trust at this time.
  9. On the Choose Issuance Authorization Rules screen, select the Permit all users to access this relying party radio button.
  10. The wizard will display an overview of your settings on the next two screens. On the final screen, click Close to exit and open the Claim Rules editor.

Creating Claim rules

You can create claim rules once the relying party trust is created. By default, the claim rule editor opens once you create a trust.
  1. Click Add Rule to create a new rule. This will launch the Add Transform Claim Rule Wizard.

  2. On the Choose Rule Type screen, select Send LDAP Attributes as Claims in the drop-down menu. Click Next.
  3. On the Configure Claim Rule screen:
    1. Enter a Claim rule name.
    2. Choose Active directory from the drop-down menu for the Attribute Store.
    3. On the LDAP Attribute column, choose E-Mail Addresses from the drop-down menu.
    4. On the Outgoing Claim Type column, select E-Mail Address from the drop-down menu.
  4. Click Finish to save the rule.

  5. Create another claim rule and select the Transform an Incoming Claim template.
  6. On the Configure Claim Rule screen:
    1. Enter a Claim rule name.
    2. Choose E-Mail Address as the Incoming claim type from the drop-down menu.
    3. Select Name ID as the Outgoing claim type from the drop-down menu.
    4. Select Email as the Outgoing name ID format.
  7. Select the Pass through all claim values radio button
  8. Click Finish to create the claim rule.

  9. If you have selected Do you need Logout Response? at Zoho:
    1. Download the logout certificate from Zoho Accounts in the SAML Authentication section under Settings.
    2. Go to Relying Party Trust under Trust Relationships and select zoho.com.
    3. Go to Endpoints on the top navigation bar and click Add.
    4. Select the Endpoint type as SAML Logout.
    5. Enter the logout URL generated from the metadata file you downloaded from your Zoho account.
    6. Go to Signature on the top navigation bar and click Add.
    7. Upload the logout certificate.
    8. Go to Advanced on the top navigation bar.
    9. Select the Secure hash algorithm as SHA-256.

    • Related Articles

    • Configuring ADFS for Zoho Desk with SAML

      Zoho Desk supports SAML 2.0 (Security Assertion Markup Language 2.0), which allows for the use of SSO (Single Sign-On) using enterprise identity providers such as Active Directory. Enabling SSO via SAML 2.0 means that user authentication is handled ...

    • SAML integration

      Zoho supports various Identity Providers (IdP) to configure SAML based Single Sign On (SSO) for your Zoho account. Learn how to configure SAML with: Google OneLogin Azure ADFS Okta

    • Custom Authentication with ADFS

      Custom Authentication with ADFS enables SAML-based single sign-on (SSO) from ADFS to Zoho One. With SSO, you and your employees can sign in to ADFS and access Zoho One directly, without having to sign in to Zoho One. To set up custom authentication ...

    • SAML integration with OneLogin

      OneLogin uses IAM to secure user access to applications and devices and increases end-user productivity through SSO. You must obtain the login URL, logout URL, and the certificate from OneLogin. You can do this in two ways: Either use the SAML Test ...

    • SAML integration with Google

      Google IdP is a user management platform for Google Apps and services. Sign in as administrator to your Google Admin console. Click Apps. Click SAML Apps. Click the plus (+) icon in the bottom corner of the screen. Click SET UP MY OWN CUSTOM APP at ...