Microsoft ADFS

14 Mar 2024

Article summary

Step by step guide to configure Microsoft ADFS as a SAML Identity Provider within Visma

Follow the steps below to configure ADFS as a SAML Identity Provider within Visma. Keep Authentication Settings open in your browser while you access your ADFS server. You'll need to return to the Single Sign-On page to complete the configuration steps.

Prerequisites

  • Microsoft Active Directory 3.0 with ADFS

  • Administrator in Active Directory

  • All of your users under your account in Visma will need a pre-existing account in ADFS with exactly the same email address.

Configure Visma Single Sign-On app in ADFS

  1. On the Single Sign-On page, go to section "1. Upload the Visma metadata file into ADFS". This is the Visma Single Sign-On metadata information you'll need to provide to ADFS to configure Visma as a service provider.

    AuthSettings_SSO_ADFS_Step1
  2. The following provides information on creating a relying party trust manually and using federation metadata. To create a claims-aware Relying Party Trust manually you need membership in Administrators, or equivalent, on the local computer as the minimum required to complete this procedure.

    From the ADFS Server, select Start > Administrative Tools > ADFS Management.
    Under Actions, click Add Relying Party Trust.

    AuthSettings_SSO_ADFS_Step2
  3. On the Welcome step, choose Claims aware. Click Start.

    AuthSettings_SSO_ADFS_Step3
  4. On the Select Data Source page, click Import data about the relying party from a file. Click Next.

    AuthSettings_SSO_ADFS_Step4
  5. On the Specify Display Name step, type a name in Display name. Under Notes, type a description for this relying party trust. Click Next.

    AuthSettings_SSO_ADFS_Step5
  6. On the Choose Access Control Policy step, select a policy: Permit everyone. Click Next.

    AuthSettings_SSO_ADFS_Step6
  7. On the Ready to Add Trust step, review the settings, and if everything seems correct click Next to save your relying party trust information.

    AuthSettings_SSO_ADFS_Step7
  8. On the Finish step, click the Close button to exit the wizard.

    AuthSettings_SSO_ADFS_Step8

To create claim rules

  1. On the Single Sign-On page, go to section "2. Configure Claims in ADFS" and make sure you configure the same fields in ADFS.

    AuthSettings_SSO_ADFS_Claims_Step1
  2. Come back to ADFS, right-click the name of the Relying Party Trust that you created, and select Edit Claim Rules. On the Edit Claim Issuance Policy dialog, click Add Rule.

    AuthSettings_SSO_ADFS_Claims_Step2
  3. Select the Send LDAP Attributes as Claims rule template. Click Next.

    AuthSettings_SSO_ADFS_Claims_Step3
  4. On the next screen, using Active Directory as your attribute store, do the following:

    • For Claim rule name, enter: LDAP.

    • From the LDAP Attribute column, select Surname.

    • From the Outgoing Claim Type column, select Surname.

    Add a new mapping of LDAP attributes:

    • From the LDAP Attribute column, select Given-Name.

    • From the Outgoing Claim Type column, select Given Name.

    • Click Finish.

    AuthSettings_SSO_ADFS_Claims_Step4
  5. Create another rule and this time select Transform an Incoming Claim as the template. Click Next.

    AuthSettings_SSO_ADFS_Claims_Step5
  6. On the next screen, do the following:

    • For Claim rule name, enter Email Transform.

    • Select UPN as the Incoming Claim Type.

    • For Outgoing Claim Type, select Name ID.

    • For Outgoing Name ID Format, select Email.

    • Leave the rule at the default of Pass through all claim values.

    Click OK.

    AuthSettings_SSO_ADFS_Claims_Step6
  7. Click OK to save the claim rules.

    AuthSettings_SSO_ADFS_Claims_Step7
  8. You only need to do this step if the UPN claim does not contain the correct data.

    The Email Transform rule has the objective of mapping the email address of the user (the one they will use to sign in) to the Name ID outgoing claim type. In the case of the ADFS server this demo application was set up on (see image below), that email is contained in the UPN incoming claim type. This might be different on your ADFS server.

    Edit the LDAP rule and add another mapping, from E-Mail-Addresses to E-Mail Address.

    AuthSettings_SSO_ADFS_Claims_Step8

    8.1. Edit the Email Transform rule and change the Incoming claim type from UPN to E-Mail Address. Click OK.

    AuthSettings_SSO_ADFS_Claims_Step8.1
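The same result as the two wizard procedures above (the relying party trust from "Configure Visma Single Sign-On app in ADFS" and the LDAP and Email Transform rules from "To create claim rules"), expressed with the ADFS PowerShell module so the claim rule language the UI generates is visible. This is an added example, not code from the Visma article; it assumes the Visma metadata file is saved as C:\Temp\visma-metadata.xml and that the trust is named "Visma".

```powershell
# Added example (not from the Visma article): relying party trust plus claim rules
# via the ADFS module. Assumed placeholder path and trust name below.
Import-Module ADFS

$trustName    = "Visma"
$metadataFile = "C:\Temp\visma-metadata.xml"   # placeholder: metadata downloaded from Visma

# Wizard steps 2-8: claims-aware trust imported from the metadata file,
# with the "Permit everyone" access control policy chosen in step 6.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataFile $metadataFile `
    -AccessControlPolicyName "Permit everyone" `
    -Notes "Visma Single Sign-On (SAML service provider)"

# Rule "LDAP": Send LDAP Attributes as Claims. sn and givenName are the
# directory attributes behind the Surname and Given-Name labels in the UI.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";sn,givenName;{0}", param = c.Value);
'@

# Rule "Email Transform": Transform an Incoming Claim, UPN -> Name ID, Email format.
# Step 8 variant: if UPN does not hold the sign-in address, add "mail" to the LDAP
# query above (outgoing type .../claims/emailaddress) and match that Type below instead.
$emailTransformRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Equivalent of "Click OK to save the claim rules" (step 7).
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules ($ldapRule + "`n" + $emailTransformRule)

# Check before testing SSO: the trust exists, is enabled, and carries both rules.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Enabled, Identifier, AccessControlPolicyName, IssuanceTransformRules
```

The Identifier printed by the final check must match the entity ID in the Visma metadata, otherwise the SAML response will be rejected by Visma.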

Configure ADFS in Visma Single Sign-On

You can find your ADFS Federation Metadata file URL on the ADFS server through ADFS Management in ADFS > Service > Endpoints, under the Metadata section. It should look like this: https://adfstest.net/FederationMetadata/2007-06/FederationMetadata.xml.

  1. Paste this metadata URL in Authentication settings section "3. Paste ADFS metadata URL into Visma" and click Preview data, or if you have a file you can upload it in the OR section using the Select file to preview data button.

    AuthSettings_SSO_ADFS_ConfigureVisma_Step1
  2. Continue with your Advanced configuration and click Save.

Testing Single Sign-On after Visma has made its configuration

To make sure SSO is working, perform these steps:

  1. To test SSO access, either go to https://<yourdomain>/adfs/ls/idpinitiatedsignon.htm, or go to your Visma MyDomain (e.g. https://example.my.connect.visma.com) directly and then click the Sign in with ADFS button.

AuthSettings_SSO_ADFS_Test_Step1
