Configuring Windows Server with AD FS for GoodData SAML SSO

Related Tags: sso integration

A variety of identity providers can be used with GoodData. In this article, we’ll describe how you can use Active Directory Federation Services (AD FS) for the security token service. For information on configuring the identity provider using SAML, see SAML SSO with GoodData.

The information in this article covers a SAML 2.0 SSO setup and is based on Windows 2012 R2 Standard edition with AD FS 2.0 serving as an identity provider.

IMPORTANT! To create this article, we set up a lab environment, with all the devices in their default configuration. The steps described in this article include making changes in Active Directory Domain Services and must be performed by skilled personnel only. Make sure that you are confident in executing the task and understand the potential impact that any step may have on your system.

Prerequisites

Before you start, make sure you have the following in place:

  • Windows Server
  • Active Directory Domain Services
  • AD FS 2.0 or higher
  • DNS
  • SSL Certificate (if you don’t have a certificate, you can generate a self-signed certificate using IIS; you can use a self-signed certificate for testing)

Process

Step 1. Run the AD FS configuration

  1. Open Server Manager, and click AD FS.
  2. Click More… on the notification bar.
    The AD FS configuration wizard opens to the Welcome page.
  3. Select Create the first federation server in a federation server farm. Click Next.
    You are prompted to select the user to configure AD FS.
  4. Select the user. The user must have the privileges required to configure AD FS. Click Next.
    You are prompted to specify the service properties.
  5. Choose the SSL certificate and the federation service, and enter the preferred display name of the federation service. Click Next.
    You are prompted to specify the service account.
  6. Select Use an existing domain user account…, and enter the service account details. Click Next.
    You are prompted to specify the database.
  7. Select Create a database on this server using Windows Internal Database. Click Next.
    The wizard shows you the options you have specified so far for your review.
  8. Review the options, and click Next.
    You are prompted to check the prerequisites.
  9. Click Next.
    The prerequisite check runs. A success message is displayed.
  10. Click Configure.
    The wizard closes. The configuration is complete.

Step 2. Add a relying party trust to the AD FS configuration database

Before you start, download the XML configuration file from https://developer.gooddata.com/downloads/sso/GoodDataSP.xml.

This file contains configuration parameters for setting up a relying party trust on your side.

NOTE: If your site is white-labeled, replace all instances of ‘https://secure.gooddata.com’ with your white label URL in the XML configuration file.

  1. Run the AD FS management application.
  2. Click Action > Add Relying Party Trust.
    The relying party trust wizard opens to the Welcome page.
  3. Click Start.
    You are prompted to specify the source of data for the relying party.
  4. Select Import data about the relying party from a file, and specify the path to the downloaded XML file.
  5. Click Next.
    You are prompted to enter the preferred display name of the relying party trust.
  6. Enter the name (for example, ‘gooddata.com’). Click Next.
    You are prompted to configure multi-factor authentication.
  7. Select I do not want to configure multi-factor authentication settings…. Click Next.
    You are prompted to define user permissions.
  8. Select Permit all users to access this relying party. Click Next.
    The wizard shows you the options you have specified so far for your review.
  9. Review the options, and click Next.
    The relying party trust is added to the AD FS configuration database.
    You have the option to edit claim rules for the relying party trust.
  10. Select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes. Click Close.
    The wizard closes. The dialog for editing claim rules opens.

Step 3. Add transform claim rules to the relying party trust

At this step, you are going to add two transform rules.

IMPORTANT! Make sure you are adding the rules in the order that is described in this step. The rules will be executed in this order. Changing the order will result in different mapping output.

  1. In the dialog for editing claim rules, click Add Rule….
    The wizard for adding rules opens.
  2. Select Send LDAP Attributes as Claims for the rule template. Click Next.
    You are prompted to configure the rule.
  3. Do the following:
    1. Enter the rule name (for example, ‘email to email’).
    2. For the attribute store, select Active Directory.
    3. Map LDAP attributes to outgoing claim types like the following:
      E-Mail-Addresses <-> Email Address
  4. Click Finish.
    The wizard for adding rules closes. The dialog for editing claim rules is shown with the rule that you have just added.
  5. Click Add Rule….
    The wizard for adding rules opens.
  6. Select Transform an incoming claim for the rule template. Click Next.
    You are prompted to configure the rule.
  7. Do the following:
    1. Enter the rule name (for example, ‘email to nameid’).
    2. For the incoming claim type, select Email address.
    3. For the outgoing claim type, select Name ID.
    4. For the outgoing name ID format, select Email.
    5. From the option buttons, select Pass through all claim rules.
  8. Click Finish.
    The wizard for adding rules closes. The dialog for editing claim rules is shown. There are two rules that you have added in the following order:
    1. email to email
    2. email to nameid
  9. In the dialog for editing claim rules, click OK to save and apply your changes.

Step 4. Specify the response signature

Open the PowerShell console, and run the following command:

Set-ADFSRelyingPartyTrust -TargetIdentifier "secure.gooddata.com" -Identifier "secure.gooddata.com" -SamlResponseSignature 'MessageAndAssertion'

This command specifies the response signatures that the relying party expects.

Step 5. Download federation metadata

  1. Open a browser, and go to https://localhost/FederationMetadata/2007-06/FederationMetadata.xml.
  2. Save the XML file on your computer.
  3. Send the XML file to GoodData Support at support@gooddata.com.
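Before sending the saved metadata, it is worth confirming that it names your federation service and advertises the token-signing certificate AD FS actually uses, since that certificate is what GoodData will trust to verify your SAML responses. This is an added example, not part of the GoodData article; it assumes the file from Step 5 was saved as C:\temp\FederationMetadata.xml (adjust $path) and that it runs on the AD FS server.

```powershell
# Added example (not from the GoodData article): sanity-check the saved federation metadata
# from Step 5 before sending it to GoodData Support. Assumes the file is at $path and that
# this runs on the AD FS server, where Get-AdfsCertificate is available.
Import-Module ADFS

$path = "C:\temp\FederationMetadata.xml"
[xml]$md = Get-Content -Path $path -Raw

# The entityID is the issuer identifier GoodData will configure on its side.
$entityId = $md.EntityDescriptor.entityID

# Collect every signing certificate advertised for the IdP role in the metadata.
$idp = $md.EntityDescriptor.IDPSSODescriptor
$advertised = @($idp.KeyDescriptor) |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object {
        $raw = [Convert]::FromBase64String(($_.KeyInfo.X509Data.X509Certificate -replace '\s', ''))
        New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    }

# The primary token-signing certificate AD FS is using right now.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$primaryThumb = $primary.Certificate.Thumbprint

if (-not (@($advertised.Thumbprint) -contains $primaryThumb)) {
    throw "Metadata does not advertise the primary token-signing certificate ($primaryThumb); download it again before sending."
}

"entityID: $entityId"
foreach ($c in $advertised) {
    "signing cert: $($c.Subject) thumbprint $($c.Thumbprint) expires $($c.NotAfter)"
}
```

If the thumbprints differ, the metadata was captured from a different server or before a certificate rollover; re-download it from the server that will issue tokens.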

After we receive this information from you, we will deploy the SSO provider on our side. This usually takes several working days.

We will contact you when we complete the deployment. Please wait for our response before proceeding to the next step.

Step 6. Finalize the configuration

NOTE: Perform this step only after GoodData has deployed the SSO provider on its side and a Support specialist has contacted you.

The Support specialist should have sent you the value of the ssoProvider parameter that you are going to need for this step.

  1. Using the user provisioning API, set the ssoProvider parameter for the GoodData user to the value that you received from GoodData Support.
  2. Open a browser, and go to https://localhost/adfs/ls/idpinitiatedsignon.aspx.
  3. Select Sign in to one of the following sites, and choose the relying party trust that you configured in Step 2 (in our example, it’s ‘gooddata’). Click Sign in.
  4. If prompted, use your AD user account to log in to GoodData.

    NOTE: Your GoodData login email and the email set for your user in AD must match.

You now have an AD FS SSO implementation for GoodData.