SSO: Active Directory Federation Services
  • 2 Minutes to read
  • Dark
    Light

SSO: Active Directory Federation Services

  • Dark
    Light

Article summary

In order to use this feature, be sure to enable external authorization for your account.
These instructions assume that you are using ADFS 2.0 with Rollup 2 hotfix installed, or ADFS 3.x 

The process for setting up ADFS SSO consists of five steps:

  1. Download and edit the metadata file. 
  2. Modify the web.config file.
  3. Add a Relying Party Trust.
  4. Edit the Claim Rules.
  5. Provide Federation Metadata to SmarterU.

Downloading and Editing the Metadata File

To download and edit the metadata file: 

  1. Navigate to https://integrations.smarteru.com/resources/saml/smarterumetadata.xml
  2. Right click on the page and save the file. 
  3. Open the file using Notepad.
  4. Replace the existing entityID value with: 
https://integrations.smarteru.com/<AccountID>

Where <AccountID> is replaced with your account's ID. 

You can find your account's ID by logging into SmarterU and looking at the URL.

For example, if your account's ID is 1234, your metadata file would look as follows. 

  1. Save the changes to the file. 

Modifying web.config File

To modify the web.config file:

  1. Navigate to the /adfs/ls/ directory on IIS web server.
  2. Verify that <useRelayStateForIdpInitiatedSignOn enabled="true" /> exists as a child element to <microsoft.identifyServer.web>.

Adding a Relying Party Trust

To add a relying party trust, do the following from AD FS 2.0:

  1. Right-click on Relying Party Trusts.
  2. Select Add Relying Part Trust

  1. Click Start
  2. At the Select Data Source step:
    1. Select the Import data about the relying party from a file option.
    2. Click Browse.
    3. Navigate to the location of the metadata file that you downloaded in the Downloading and Editing the Metadata File step.
    4. Click Next.

  1. At the Specify Display Name step:
    1. In the Display Name field, enter a display name for the relying party.
    2. In the Notes field, enter a description for the relying party.
    3. Click Next.

  1. At the Choose Issuance Authorization Rules step:
    1. Select the Permit all users to access this relying party option.
    2. Click Next.

  1. At the Ready to Add Trust step, click Next.
  2. At the Finish step:
    1. Ensure that Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected.
    2. Click Close. The Edit Claim Rules for SmarterU window displays. 

  1. Continue to the Editing the Claim Rules section.

Editing the Claim Rules

To edit the claim rules for SmarterU:

  1. Click Add Rule. The Add Transform Claim Rule Wizard window displays.
  2. From the Claim Rule Template list, select Send LDAP Attributes as Claims.

  1. Click Next.
  2. In the Claim Rule Name field, enter a name for the claim rule.
  3. From the Attribute Store list, select Active Directory.
  4. In the Mapping of LDAP Attributes to outgoing claim types section, specify the following:

LDAP Attribute

Outgoing Claim Type

E-Mail-Addresses

Name ID

GivenName

Given Name

Surname

Surname

Graphical user interface, application  Description automatically generated

  1. Click Finish
  2. Click OK.

At this point, your system should be ready to use SAML SSO with SmarterU. You may need to add SmarterU to your trusted sites to prevent the browser from prompting for credentials.

Providing Federation Metadata to SmarterU

SmarterU does not currently have an interface where you can complete the setup independently. 

To provide your federation metadata to SmarterU:

  1. Navigate to /federationmetadata/2007-06/federationmetadata.xml on the webserver. 
  2. Copy the source code of this page to your SmarterU SAML 2.0 settings

After setup is complete on SmarterU, your users will be able to use SSO by navigating to:

https://{YOUR_WEBSITE}/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dintegrations.smarteru.com%26RelayState%3Dhttps%253A%252F%252Fintegrations.smarteru.com%252Fintegrations%252FADFS%252FSSO%252F

The URL has been double URL encoded to contain the relying party identifier and end point. If you've changed the identifier, re-generate the URL.


Was this article helpful?