
ADFS SSO

ADFS SSO is an authentication method that lets users access multiple applications and services with a single set of credentials. Instead of juggling numerous login details, users authenticate once and move between resources without repeated logins. For Active Directory, the ADFS role must be installed on the AD server.

Configure SSO in SureMDM

To configure SSO with ADFS, follow these steps:

Note: Log in to the SureMDM Web Console as a Superuser.

  1. Navigate to SureMDM Web Console > Settings > Account Settings > Enterprise Integrations > SAML Single Sign-On.

  2. Configure Single Sign-On settings for ADFS.

| Setting | Description |
|---|---|
| Enable Single Sign-On | Select this option to allow configuring Single Sign-On settings. |
| Select Identity Provider (IdP) | Select ADFS. |
| Service Identifier | Enter the Service Identifier URL. See how to obtain the Federation Service Identifier URL. |
| Sign On Service Url | Enter the Sign On Service URL. See how to obtain the ADFS Service URL. |
| Logout Service Url | Enter the URL for logout. *Note: Generally, the Sign On Service Url and Logout Service Url will be the same.* |
| Roles | Choose an option for Roles from the drop-down menu. To know more, see Configure Permissions for Role-Based Admin. |
| Device Group Set | Choose an option for Device Group Set from the drop-down menu. To know more, see Configure Permissions for Device Group Set Based Admin. |
| Jobs/Profiles Folder Set | Choose an option for Jobs/Profiles Folder Set from the drop-down menu. To know more, see Configure Permissions for Job Folder Set Based Admin. |
  3. Click Generate Certificate to generate a self-signed certificate on the server and make it ready for download.

    or

    Click Upload Certificate to upload another certificate.

    These options are available when no certificate is uploaded.

  4. Click Delete Certificate or Download Certificate to delete or download the already uploaded self-signed certificate.

Obtain ADFS Service URL

To obtain the ADFS Service URL, on the AD FS Console (Server Manager > ADFS > Tools > ADFS Management), expand Service and click Endpoints. Note down the URL Path for SAML 2.0 and prefix it with the ADFS server's hostname.

Obtain Federation Service URL

To obtain the Federation Service URL, on the AD FS Console, right-click the Service and then select Edit Federation Service Properties. Note down the URL mentioned in the Federation Service identifier field.

Configure settings in ADFS server

To configure settings on the ADFS server, follow these steps:

  1. Log in to the ADFS server, locally or over Remote Desktop Protocol (RDP).

  2. Launch the AD FS Console from Server Manager: click Tools > AD FS Management.

  3. Click Relying Party Trusts > Add Relying Party Trust.

  4. Select Claims Aware and click Start.

  5. Select Enter data about the relying party manually and click Next.

  6. Enter the Name as SureMDM and click Next.

  7. In the Configure Certificate section, browse to the certificate (adfs_xxxxxxx.cer) downloaded in step 4 of Configure SSO in SureMDM.

  8. Select Enable support for the SAML 2.0 WebSSO protocol and enter the URL as

     https://(SureMDM Server Path)/console/ssoconsumer/(Encrypted MDM Account ID)

     Note: Admin should enter their SureMDM Server Path and Account ID into the above-mentioned URL. To get the encrypted account ID, follow these steps:

       1. Navigate to the SureMDM Console > Account Settings > Enterprise Integrations > SAML Single Sign-On.

       2. On the SAML Single Sign-On screen, locate the Assertion URL to get the Encrypted Account ID.

  9. Enter urn:42gears:suremdm:SAML2ServiceProvider in the Relying party trust identifier field and click Add.

  10. Select Permit everyone or select an option from the list and click Next > Close.

  11. In the AD FS Console, right-click SureMDM and select Properties.

  12. Select the Signature tab and click Add.

  13. Select the certificate (adfs_xxxxxxx.cer) downloaded in step 4 of Configure SSO in SureMDM and click Apply.

  14. Select the Endpoints tab and click Add SAML.

  15. Select Endpoint type as SAML Logout and Trusted URL as

     https://(SureMDM Server Path)/console/ssoconsumer/(Encrypted MDM Account ID)

     Note: As in step 8, Admin should enter their SureMDM Server Path and Encrypted Account ID into the above-mentioned URL; the Encrypted Account ID is taken from the Assertion URL on the SAML Single Sign-On screen.

  16. Click OK.

  17. In the Edit Claim Issuance Policy prompt, click Add Rule.

  18. Click Next.

  19. In the Claim rule name field enter SureMDM, select Attribute store as Active Directory, choose the mappings for LDAP Attribute and Outgoing Claim Type, and click Finish.

  20. Click OK.

  21. Use the URL https://42gears.suremdm.io/console/ssologin/(SureMDM Account ID) for SSO user login.

Note: Admin should enter their Server URL and Account ID into the above-mentioned URL.
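The ADFS-side procedure above, as an added PowerShell equivalent run on the ADFS server (this is example code, not SureMDM's or Microsoft's own). The server path, certificate path and LDAP-to-claim mapping are assumptions (the page leaves the attribute mapping to the admin); the encrypted account ID is a placeholder to be taken from the Assertion URL in SureMDM.

```powershell
# Added example: builds the SureMDM relying party trust with the ADFS cmdlets
# instead of the AD FS Management wizard. Not part of the SureMDM documentation.
Import-Module ADFS

$sureMdmServer      = "mdm.example.com"                   # constructed placeholder
$encryptedAccountId = "REPLACE_WITH_ENCRYPTED_ACCOUNT_ID" # from the Assertion URL in SureMDM
$certPath           = "C:\Certs\adfs_xxxxxxx.cer"         # assumed save location of the downloaded certificate
$consumerUrl        = "https://$sureMdmServer/console/ssoconsumer/$encryptedAccountId"

# The certificate downloaded from SureMDM is used both in the wizard's
# Configure Certificate section (token encryption) and on the Signature tab
# (request signing), so the same object is passed for both.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# SAML 2.0 WebSSO (assertion consumer) and SAML Logout endpoints both point at
# the same ssoconsumer URL, exactly as the wizard steps above configure them.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $consumerUrl -Index 0
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $consumerUrl
)

# Claim Issuance Policy rule "SureMDM" against the Active Directory store.
# ASSUMED mapping: mail -> E-Mail Address, displayName -> Name; the page leaves
# the LDAP Attribute / Outgoing Claim Type choice to the admin.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SureMDM"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);
'@

# Name, relying party identifier and the "Permit everyone" access policy from the wizard.
Add-AdfsRelyingPartyTrust -Name "SureMDM" `
    -Identifier "urn:42gears:suremdm:SAML2ServiceProvider" `
    -SamlEndpoint $endpoints `
    -EncryptionCertificate $cert `
    -RequestSigningCertificate $cert `
    -IssuanceTransformRules $issuanceRules `
    -AccessControlPolicyName "Permit everyone"

# Check: confirm the identifier and that both SAML endpoints were registered.
Get-AdfsRelyingPartyTrust -Name "SureMDM" |
    Select-Object Name, Identifier,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Location)" } } }
```

The final `Get-AdfsRelyingPartyTrust` output should list SAMLAssertionConsumer and SAMLLogout with the same ssoconsumer URL; if either is missing, the SureMDM login or logout flow will fail at ADFS.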