SSO login is available using Active Directory Federation Services (ADFS). The following steps enable SSO with ADFS as the Identity Provider (IdP):

  1. Install ADFS 2.0 (help can be found at http://www.microsoft.com/en-us/download/details.aspx?id=10909).
  2. In the ADFS management console:

– Click "Server Configuration Wizard"

– Create a new Federation Service

– Choose a stand-alone Federation Server

– Select the SSL certificate (if there are no certificates, you can create a self-signed certificate in IIS Manager: inetmgr -> Server Certificates -> Create Self-Signed Certificate)

  3. In the ADFS management console:

– Click "Add Relying Party Trust"

– Import data about the relying party from a file (choose DMSPMetadata.xml)

– Choose any display name (e.g. dotcom-monitor.com), set the issuance authorization rules to permit all users, and close the claim rules dialog if it appears

  4. After creating the relying party trust, open its properties, go to the Advanced tab and change the secure hash algorithm from the default SHA-256 to SHA-1.
  5. Open "Edit Claim Rules" for the new relying party and add the following rule:

Claim rule template: Send LDAP Attributes as Claims; attribute store: Active Directory; add these two attribute mappings:

User-Principal-Name -> UPN, Token-Groups – Unqualified Names -> Role

Give the rule any name.

  6. Open "Edit Claim Rules" again and add a new rule with the template "Send Claims Using a Custom Rule"; copy/paste the following rule text (it must use plain ASCII double quotes, not the curly quotes a web page or word processor may substitute):

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer,
          Value = c.Value,
          ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://WIN-1B6FSQNBIMN.DC.TEST/adfs/services/trust",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://userauth.dotcom-monitor.com/");

Replace "http://WIN-1B6FSQNBIMN.DC.TEST/adfs/services/trust" with your own Identity Provider (IdP) entityID (for example "http://idpsite.com/adfs/services/trust"); this is the entityID attribute of the federation metadata published by your ADFS server.

Save this rule with a name of your choice.

  7. On the IdP machine, open the following URL in a browser:

https://localhost/federationmetadata/2007-06/federationmetadata.xml

Save the XML content as a file and send it to support@dotcom-monitor.com through the ticket system.
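Before sending the metadata file and saving the custom rule, it is worth checking that the two agree. The following Python script is an added example, not part of the original instructions: it parses the IdP federation metadata, confirms it carries a signing certificate, and verifies that the namequalifier in the custom NameID rule equals the metadata's entityID, rendering the rule with plain ASCII quotes. The metadata document is a constructed stand-in with a placeholder certificate; the entityIDs are the ones used in the steps above.

```python
import re
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
PROPS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/"
SP_ENTITY_ID = "https://userauth.dotcom-monitor.com/"  # spnamequalifier value from the rule above

# Constructed stand-in for an ADFS 2.0 federationmetadata.xml, trimmed to what is checked; the cert is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idpsite.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idpsite.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull the entityID and the signing certificate(s) out of SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor[@use='signing']", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs}

def nameid_rule(idp_entity_id, sp_entity_id=SP_ENTITY_ID):
    """Render the transient NameID rule with the IdP entityID filled in, ASCII quotes only."""
    return (f'c:[Type == "{CLAIMS}upn"]\n'
            f' => issue(Type = "{CLAIMS}nameidentifier", Issuer = c.Issuer,\n'
            f'    OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,\n'
            f'    Properties["{PROPS}format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",\n'
            f'    Properties["{PROPS}namequalifier"] = "{idp_entity_id}",\n'
            f'    Properties["{PROPS}spnamequalifier"] = "{sp_entity_id}");')

def check_rule(rule_text, xml_text):
    """Return the problems found; an empty list means the rule agrees with the metadata."""
    problems = []
    if re.search("[\u201c\u201d]", rule_text):
        problems.append('rule contains curly quotes; the claim rule language needs ASCII "')
    meta = parse_idp_metadata(xml_text)
    if not meta["signing_certs"]:
        problems.append("metadata carries no signing certificate")
    m = re.search(r'/namequalifier"\]\s*=\s*"([^"]+)"', rule_text)  # the namequalifier property, not spnamequalifier
    if m is None:
        problems.append("namequalifier property missing or unreadable")
    elif m.group(1) != meta["entity_id"]:
        problems.append(f"namequalifier {m.group(1)!r} != metadata entityID {meta['entity_id']!r}")
    return problems
```

Run `check_rule` on the rule text you are about to paste and on the metadata file you are about to send; any non-empty result should be fixed before opening the ticket.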

Now you can add dotcom-monitor web site users by creating new users in AD or adding existing users to one of the following groups: "Dotcom-Monitor_Power_Users", "Dotcom-Monitor_Accounting_Users", "Dotcom-Monitor_ReadOnly_Users". Each of these groups must have "global" or "universal" scope and be of type "security".