SSO With ADFS

This guide provides step-by-step instructions on how to configure single sign-on (SSO) with Active Directory Federation Services (ADFS). You already use ADFS to conveniently manage permissions to applications. After SSO configuration is complete, you'll be able to use ADFS to manage permissions to your databases.

Screenshots are from Windows Server 2016.

Prerequisites

Your ADFS server will need a valid TLS certificate.

These instructions vary based on your organization's StrongDM region (not your individual location).

Steps

  1. Within Application Groups, add a new application group. From the Application Group Wizard's Welcome screen, select the client-server application template Server application accessing a web API. Provide a name and click Next.

  2. In Server application, you'll be configuring the server application redirect URI. Save the client identifier; you will need this in the following steps. Add the redirect URI depending on your tenant location: https://app.strongdm.com/auth/return.

  3. In Configure Application Credentials, select the checkbox for Generate a shared secret and save the secret for later.

  4. In Configure Web API, add the client identifier you saved from the previous step.

  5. In Configure application permissions, select the checkboxes for the following scope names:

    1. allatclaims

    2. aza

    3. email

    4. openid

    5. profile

  6. In Summary, review the settings and click Next.

  7. From the Add Transform Claim Rule Wizard's Configure Claim Rule screen, enable login by email instead of UPN. By default StrongDM will match your login email address to the UPN returned by ADFS. If you would prefer to use email, edit the Web API and add the following transformation rule as shown.

  8. Next, enable ADFS in the StrongDM Admin UI in Settings > User Management. Click the lock to make changes, and then select Active Directory from the provider drop-down menu. Add your client details as shown and click activate.
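For repeatable or audited deployments, steps 1 through 5 can also be scripted with the ADFS PowerShell module on the ADFS server. This is an added example, not part of the original guide or StrongDM's own tooling; the group name `StrongDM`, the generated client identifier, and the `Permit everyone` access control policy are assumptions to adjust for your environment.

```powershell
# Added example: scripted equivalent of steps 1-5. Run in an elevated
# session on the primary ADFS server (Windows Server 2016 or later).
Import-Module ADFS

$groupId     = 'StrongDM'                                # assumption: any unique name
$clientId    = [guid]::NewGuid().ToString()              # client identifier (step 2)
$redirectUri = 'https://app.strongdm.com/auth/return'    # redirect URI from step 2
$scopes      = 'allatclaims','aza','email','openid','profile'   # scopes from step 5

# Step 1: create the application group.
New-AdfsApplicationGroup -Name $groupId -ApplicationGroupIdentifier $groupId

# Steps 2-3: server application with an exact redirect URI and a generated secret.
$server = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupId `
    -Name "$groupId - Server application" `
    -Identifier $clientId `
    -RedirectUri $redirectUri `
    -GenerateClientSecret -PassThru

# Step 4: Web API whose identifier is the client identifier.
# Assumption: the built-in 'Permit everyone' policy; use a narrower policy
# if only specific groups should be allowed to sign in.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupId `
    -Name "$groupId - Web API" `
    -Identifier $clientId `
    -AccessControlPolicyName 'Permit everyone'

# Step 5: grant the server application the scopes listed in the guide.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $clientId `
    -ScopeNames $scopes

# Verify the grant matches the intended scope list exactly.
$grant = Get-AdfsApplicationPermission |
    Where-Object { $_.ClientRoleIdentifier -eq $clientId }
$diff = Compare-Object -ReferenceObject $scopes -DifferenceObject @($grant.ScopeNames)
if ($diff) { Write-Warning "Scope mismatch: $($diff | Out-String)" }

# The secret is only available now. Copy both values straight into the
# StrongDM Admin UI (step 8) or a secrets vault; do not write them to disk
# or leave them in a transcript.
[pscustomobject]@{ ClientId = $clientId; ClientSecret = $server.ClientSecret }
```

If the secret is lost or exposed, generate a new one for the server application and update the StrongDM settings rather than reusing the old value.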
