Active Directory Federation Services (AD FS) is a technology that extends your Active Directory configuration to services outside of your infrastructure.
This guide was written using Windows Server 2012 Standard, although other recent versions of Windows Server should also work with Blissbook.
- Add a Relying Party Trust
- Edit the Claims Rules for the Relying Party Trust
- Edit Relying Party Trust Properties
- Export the Certificate
Add a Relying Party Trust
1 - From the AD FS console > Trust Relationships > Relying Party Trusts, click the Add Relying Party Trust… link.
2 - Click Start to begin the wizard.
3 - Select “Enter data about the relying party manually,” then click Next.
4 - Enter “Blissbook” as the Display name for the Relying Party Trust, then click Next to continue.
5 - Select “AD FS profile,” then click Next.
6 - You will not need a token encryption certificate, so click Next to continue.
7 - Check the “Enable support for the SAML 2.0 WebSSO protocol” box, then click Next. Enter the URL in the following format, replacing “my-subdomain” with your Blissbook subdomain: https://my-subdomain.blissbook.com/auth/adfs.
8 - Add your Blissbook subdomain as the Relying party trust identifier, then click Next.
9 - Select “I do not want to configure multi-factor authentication settings for this relying party trust at this time.” Then click Next.
10 - Select “Permit all users to access this relying party,” then click Next.
11 - Review your settings, then click Next.
12 - Click Close to finish the wizard.
Edit the Claims Rules for the Relying Party Trust
1 - Click on “Add Rule…”.
2 - Select “Send LDAP Attributes as Claims,” then click Next.
3 - Enter “Get Attributes” as the Claim rule name.
4 - Select “Active Directory” as your Attribute store.
5 - Select “E-Mail-Addresses” as the LDAP Attribute and “E-Mail Address” as the Outgoing Claim Type.
6 - Select “Display-Name” as the LDAP Attribute and “Name” as the Outgoing Claim Type.
7 - Click on Finish.
8 - Click on Add Rule… again.
9 - Select “Transform an Incoming Claim,” then click Next.
10 - Enter “Name ID Transform” as the Claim rule name.
11 - Select “E-Mail Address” as the Incoming claim type.
12 - Select “Name ID” as the Outgoing claim type.
13 - Select “Email” as the Outgoing name ID format.
14 - Click Finish.
15 - Click OK.
Edit Relying Party Trust Properties
1 - Right-click on your new Relying Party Trust (Blissbook), then click on Properties.
2 - From the Properties window, select the Advanced tab.
3 - Change the Secure hash algorithm to “SHA-1,” then click OK.
Export the Certificate
1 - From AD FS > Service > Certificates, right-click on your Token-signing certificate and click on View Certificate….
2 - Go to the Details tab.
3 - Click on Copy to File….
4 - When the wizard starts, click Next.
5 - Select “DER encoded binary X.509 (.CER)” as the format, then click Next.
6 - Choose a location to save your certificate by clicking on Browse…, and then click Next.
7 - Click Finish to end the wizard.
8 - Click OK if the export was successful.
9 - Now we’ll need to convert the certificate from DER format to PEM. Go to sslshopper.com, then click on “SSL Converter – Convert SSL Certificates to different formats.”
10 - Select your certificate using the Browse… button.
11 - Select “DER/Binary” in the Type of Current Certificate drop-down menu.
12 - Select “Standard PEM” from the Type To Convert To drop-down menu.
13 - Click Convert Certificate.
14 - Open your certificate with a text editor (e.g. Notepad) and copy the contents.
15 - Log in to your Blissbook account, then go to your Single Sign-On settings (click ORGANIZATION in the main nav, click the settings slider icon in the left nav, and look for the “Via Single Sign-On (SSO)” section), then click the Enable SSO button. Choose Active Directory via AD FS.
16 - Paste your certificate within the X.509 Certificate field. Above it, enter your Login URL. Typically it’s the URL to your AD FS service with /adfs/ls/ appended to it.
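Steps 1 through 13 above (export the token-signing certificate, then convert it from DER to PEM) can also be done in one go on the federation server itself, so the certificate never has to be uploaded to a third-party converter. The script below is an added example and is not part of the original guide or of Blissbook’s own tooling; it assumes the AD FS cmdlets are loaded (on Windows Server 2012, run Add-PSSnapin Microsoft.Adfs.PowerShell first; later versions load the ADFS module automatically) and writes to an assumed path on the Desktop.

```powershell
# Added example (not from the original guide): export the primary AD FS
# token-signing certificate and write it out as PEM, locally.
# Assumption: the AD FS PowerShell cmdlets are available in this session.
$OutFile = "$env:USERPROFILE\Desktop\adfs-token-signing.pem"   # assumed path

# AD FS keeps a primary and, during certificate rollover, a secondary
# token-signing certificate; Blissbook needs the one marked IsPrimary.
$primary = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
if (-not $primary) { throw "No primary token-signing certificate found." }

$cert = $primary.Certificate   # X509Certificate2, public part only

# DER bytes, the same content the "DER encoded binary X.509" wizard option exports
$der = $cert.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Base64-encode and wrap at 64 characters, the line width PEM readers expect
$b64 = [Convert]::ToBase64String($der)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = @("-----BEGIN CERTIFICATE-----") + $lines + @("-----END CERTIFICATE-----")
Set-Content -Path $OutFile -Value $pem -Encoding Ascii

# Read the PEM back to prove it parses, and make sure it is the same
# certificate (same SHA-1 thumbprint) that the AD FS console shows.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $OutFile
if ($check.Thumbprint -ne $cert.Thumbprint) {
    throw "Round-trip thumbprint mismatch; do not paste this file into Blissbook."
}

"Thumbprint : $($cert.Thumbprint)"
"Subject    : $($cert.Subject)"
"Expires    : $($cert.NotAfter)"
"PEM written to $OutFile"
```

Compare the printed thumbprint with the one shown under AD FS > Service > Certificates before pasting the file’s contents into the X.509 Certificate field in step 16; when AD FS rolls to a new token-signing certificate, re-run the export and update Blissbook.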
All done! Grab yourself a handful of Oreos and celebrate!