
AD FS SSO Integration Guide

Enable Single Sign-On using AD FS so employees can easily access their Blissbook account.

Written by Diane Marshall

Active Directory Federation Services (AD FS) is a technology that extends your Active Directory configuration to services outside of your infrastructure.

This guide was done in Windows Server 2012 Standard, although other recent versions of Windows should work just fine with Blissbook.

Note: AD FS is no longer the recommended path. Most customers use SAML 2.0 or a simple, generic Azure AD integration instead. You will not see an AD FS button in Blissbook unless you first contact our support team.

Outline

  • Add a Relying Party Trust

  • Edit the Claims Rules for the Relying Party Trust

  • Edit Relying Party Trust Properties

  • Export the Certificate

Add a Relying Party Trust

  1. From the AD FS console > Trust Relationships > Relying Party Trusts, click the Add Relying Party Trust… link.

[Screenshot: AD FS console showing Trust Relationships, Relying Party Trusts, with the Add Relying Party Trust link in the Actions pane]

  2. Click Start to begin the wizard.

[Screenshot: Add Relying Party Trust wizard welcome screen with the Start button]

  3. Select "Enter data about the relying party manually," then click Next.

[Screenshot: Select Data Source step with the Enter data about the relying party manually option selected]

  4. Enter "Blissbook" as the Display name for the Relying Party Trust, then click Next to continue.

[Screenshot: Specify Display Name step with Blissbook entered in the Display name field]

  5. Select "AD FS profile," then click Next.

[Screenshot: Choose Profile step with the AD FS profile option selected]

  6. You will not need a token encryption certificate, so click Next to continue.

  7. Check the "Enable support for the SAML 2.0 WebSSO protocol" box, then enter the URL in the following format, replacing "my-subdomain" with your Blissbook subdomain: https://my-subdomain.blissbook.com/auth/adfs. Click Next.

[Screenshot: Configure URL step with the Enable support for the SAML 2.0 WebSSO protocol box checked and the Blissbook auth URL entered]

  8. Add your Blissbook subdomain as the Relying party trust identifier, then click Next.

[Screenshot: Configure Identifiers step with the Blissbook subdomain added as the Relying party trust identifier]

  9. Select "I do not want to configure multi-factor authentication settings for this relying party trust at this time," then click Next.

[Screenshot: Configure Multi-factor Authentication step with the do-not-configure-MFA option selected]

  10. Select "Permit all users to access this relying party," then click Next.

[Screenshot: Choose Issuance Authorization Rules step with the Permit all users to access this relying party option selected]

  11. Review your settings, then click Next.

[Screenshot: Ready to Add Trust step showing a review of the configured settings]

  12. Click Close to finish the wizard.

[Screenshot: Finish step of the Add Relying Party Trust wizard with the Close button]

Edit the Claims Rules for the Relying Party Trust

  1. Click Add Rule….

[Screenshot: Edit Claim Rules dialog with the Add Rule button]

  2. Select "Send LDAP Attributes as Claims," then click Next.

[Screenshot: Choose Rule Type step with the Send LDAP Attributes as Claims template selected]

  3. Enter "Get Attributes" as the Claim rule name.

[Screenshot: Configure Claim Rule step with Get Attributes entered as the Claim rule name]

  4. Select "Active Directory" as your Attribute store.

  5. Select "E-Mail-Addresses" as the LDAP Attribute and "E-Mail Address" as the Outgoing Claim Type.

  6. Select "Display-Name" as the LDAP Attribute and "Name" as the Outgoing Claim Type.

  7. Click Finish.

  8. Click Add Rule… again.

  9. Select "Transform an Incoming Claim," then click Next.

[Screenshot: Choose Rule Type step with the Transform an Incoming Claim template selected]

  10. Enter "Name ID Transform" as the Claim rule name.

[Screenshot: Configure Claim Rule step with Name ID Transform entered as the Claim rule name]

  11. Select "E-Mail Address" as the Incoming claim type.

  12. Select "Name ID" as the Outgoing claim type.

  13. Select "Email" as the Outgoing name ID format.

  14. Click Finish.

  15. Click OK.

Edit Relying Party Trust Properties

  1. Right-click your new Relying Party Trust (Blissbook), then click Properties.

[Screenshot: Right-click context menu on the Blissbook Relying Party Trust with the Properties option]

  2. From the Properties window, select the Advanced tab.

[Screenshot: Properties window with the Advanced tab selected and the Secure hash algorithm dropdown]

  3. Change the Secure hash algorithm to "SHA-1," then click OK.
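The three sections above can also be done from the AD FS PowerShell module, which is useful for reproducing the trust on a second server or reviewing what the wizard created. The script below is an added example and is not Blissbook's own code; it builds the same relying party trust, the two claim rules and the SHA-1 signature setting the wizard steps produce. The subdomain is a placeholder, the claim rule text is the standard text the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates generate, and the trust identifier is the bare subdomain because that is what step 8 of the wizard specifies.

```powershell
# Added example (not from the Blissbook guide): creates the "Blissbook" relying party trust
# with the settings the wizard steps above produce. Run in an elevated PowerShell session
# on the AD FS server. $subdomain is a placeholder; replace it with your Blissbook subdomain.
Import-Module ADFS

$subdomain = 'my-subdomain'                      # placeholder: your Blissbook subdomain
$acsUrl    = "https://$subdomain.blissbook.com/auth/adfs"

# Claim rule 1 ("Send LDAP Attributes as Claims"): mail -> E-Mail Address, displayName -> Name.
# This is the rule text the "Get Attributes" wizard rule generates.
$getAttributes = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);
'@

# Claim rule 2 ("Transform an Incoming Claim"): E-Mail Address -> Name ID, name ID format Email.
$nameIdTransform = @'
@RuleTemplate = "MapClaims"
@RuleName = "Name ID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: "Permit all users to access this relying party".
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO assertion consumer endpoint (the URL entered on the Configure URL step).
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Secure hash algorithm: the guide sets the Advanced tab to SHA-1, so that identifier is used.
# For reference, the SHA-256 identifier is 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'.
$signatureAlgorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# No token encryption certificate and no MFA settings are given, matching wizard steps 6 and 9.
Add-AdfsRelyingPartyTrust -Name 'Blissbook' `
    -Identifier $subdomain `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules ($getAttributes + "`n" + $nameIdTransform) `
    -IssuanceAuthorizationRules $permitAll `
    -SignatureAlgorithm $signatureAlgorithm

# Review what was created: identifier, endpoint, signing algorithm and the claim rule text.
Get-AdfsRelyingPartyTrust -Name 'Blissbook' |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints, IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust call is also a quick way to audit a trust that was built through the console: the IssuanceTransformRules text should contain only the two rules above, and SignatureAlgorithm should show the algorithm you chose on the Advanced tab.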

Export the Certificate

  1. From AD FS > Service > Certificates, right-click your Token-signing certificate and click View Certificate….

[Screenshot: AD FS Service Certificates list with the Token-signing certificate right-clicked and the View Certificate option]

  2. Go to the Details tab.

[Screenshot: Certificate dialog with the Details tab selected]

  3. Click Copy to File….

  4. When the wizard starts, click Next.

  5. Select "DER encoded binary X.509 (.CER)" as the format, then click Next.

[Screenshot: Certificate Export Wizard with the DER encoded binary X.509 format selected]

  6. Choose a location to save your certificate by clicking Browse…, then click Next.

[Screenshot: Certificate Export Wizard File to Export step with the Browse button for choosing a save location]

  7. Click Finish to end the wizard.

[Screenshot: Certificate Export Wizard completion screen with the Finish button]

  8. Click OK if the export was successful.

  9. Convert the certificate from DER format to PEM. Go to sslshopper.com, then click "SSL Converter - Convert SSL Certificates to different formats."

[Screenshot: SSLShopper homepage with the SSL Converter link]

  10. Select your certificate using the Browse… button.

[Screenshot: SSL Converter form with the Browse button used to select the certificate file]

  11. Select "DER/Binary" in the Type of Current Certificate drop-down menu.

  12. Select "Standard PEM" from the Type To Convert To drop-down menu.

  13. Click Convert Certificate.

  14. Open the converted certificate with a text editor (e.g. Notepad) and copy the contents.

[Screenshot: SSL Converter with Type of Current Certificate set to DER/Binary and Type To Convert To set to Standard PEM]

  15. Log in to your Blissbook account, then go to your Single Sign-On settings: click ORGANIZATION in the main nav, click the settings slider icon in the left nav, look for the "Via Single Sign-On (SSO)" section, then click the Enable SSO button. Choose Active Directory via AD FS.

[Screenshot: Blissbook SSO settings showing the Enable SSO button with the Active Directory via AD FS option]

  16. Paste your certificate into the X.509 Certificate field. Above it, enter your Login URL. Typically it's the URL to your AD FS service with /adfs/ls/ appended to it.
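Steps 1 through 14 of this section can be collapsed into one local script, which also avoids uploading the exported file to a third-party converter: PEM is just the DER bytes Base64-encoded in 64-character lines between BEGIN/END CERTIFICATE markers. The script below is an added example, not Blissbook's own code. It assumes it runs on the AD FS server, that the output path is a placeholder you will change, and that the federation service is reachable on the host name AD FS reports (used to build the Login URL for step 16).

```powershell
# Added example (not from the Blissbook guide): exports the primary AD FS token-signing
# certificate to PEM locally and prints the values the Blissbook SSO settings page asks for.
Import-Module ADFS

$outputPath = Join-Path $env:USERPROFILE 'Desktop\adfs-token-signing.pem'   # placeholder path

# The primary token-signing certificate is the one currently signing SAML assertions.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# DER bytes are what "DER encoded binary X.509 (.CER)" exports; PEM is the same bytes,
# Base64-encoded in 64-character lines between the BEGIN/END CERTIFICATE markers.
$der    = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$base64 = [Convert]::ToBase64String($der)
$lines  = for ($i = 0; $i -lt $base64.Length; $i += 64) {
    $base64.Substring($i, [Math]::Min(64, $base64.Length - $i))
}
$pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $outputPath -Value $pem -Encoding Ascii

# Checks before pasting: the thumbprint should match the one shown under AD FS > Service >
# Certificates, and the expiry tells you when a new certificate will have to be pasted into
# Blissbook again (AD FS can roll token-signing certificates over automatically).
"Thumbprint (SHA-1): $($cert.Thumbprint)"
"Subject:            $($cert.Subject)"
"Valid until:        $($cert.NotAfter)"

# Login URL for the Blissbook SSO form: the AD FS service host name with /adfs/ls/ appended.
# Assumes the federation service host name reported by AD FS is the externally reachable one.
$loginUrl = "https://$((Get-AdfsProperties).HostName)/adfs/ls/"
"Login URL:          $loginUrl"
"PEM written to:     $outputPath"
```

Open the written .pem file in a text editor and paste its whole contents, including the BEGIN and END lines, into the X.509 Certificate field.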

All done! Grab yourself a handful of Oreos and celebrate.
