SSO - ADFS SAML

Use the following recommended settings when configuring StatusDashboard to authenticate against Active Directory Federation Services (ADFS). They were validated on Windows Server 2016 / Active Directory Federation Services, but should also be valid for older versions of ADFS.

ADFS Settings

Create a Relying Party (RP) trust with the following settings:

  • Identifiers: Enter a relying party identifier that matches the Entity ID / Issuer shown in the StatusDashboard administration portal under the Service Provider SAML configuration.
  • Endpoints: Enter the Assertion Consumer Service (ACS) endpoint listed in the Service Provider section of the StatusDashboard configuration with a POST binding.
  • Advanced: Enter the signature algorithm that matches the signature algorithm in the Service Provider section of the StatusDashboard configuration.
  • Signature: Add the StatusDashboard certificate listed in the Service Provider section of the StatusDashboard configuration.

Create two custom claim rules for your RP, paying attention to the following:

  • Rule 1 differs depending on whether you use the user's UPN or Email address (use one version or the other, never both). The UPN or Email Address must match the email address of the user within StatusDashboard.
  • When configuring rule 2, the correct value must be entered in the spnamequalifier property (the last Properties[...] entry of the rule, shown as "test.statusdashboard.com" in the example below). This value should match the Entity ID / Issuer listed in the StatusDashboard administration portal under the Service Provider SAML configuration.


Rule: 1 (Using UPN)

Name: Pre-NameID-Value

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Pre-NameID-Value"), query = ";userPrincipalName;{0}", param = c.Value);


Rule: 1 (Using Email)

Name: Pre-NameID-Value

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Pre-NameID-Value"), query = ";mail;{0}", param = c.Value);


Rule: 2

Name: Issue NameID

c:[Type == "Pre-NameID-Value"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "test.statusdashboard.com");
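The two rules above only produce a usable login if the NameID that ADFS emits has the emailAddress format, carries the StatusDashboard Entity ID in SPNameQualifier, and holds a value that is actually an email address. The following checker, added here as an illustration and not part of StatusDashboard or ADFS, parses a SAML response (or bare assertion) and reports each of those mismatches; it is meant for debugging a failing trust, and it assumes the SP library has already verified the XML signature on the response before the assertion is inspected. The sample responses, the hostname adfs.example.com and the user jane.doe@example.com are constructed.

```python
"""Check the NameID in an ADFS SAML response against the StatusDashboard SP settings."""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# The format Rule 2 sets in the claim's "format" property.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_nameid(saml_xml: str, sp_entity_id: str) -> list:
    """Return a list of problems with the NameID; an empty list means it matches the SP settings.

    saml_xml may be a bare saml:Assertion or a samlp:Response wrapping one.
    Only run this on a response whose signature the SP library has already verified.
    """
    root = ET.fromstring(saml_xml)
    if root.tag == "{%s}Assertion" % NS["saml"]:
        assertion = root
    else:
        assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        # Rule 2 is what issues the nameidentifier claim; without it ADFS sends no NameID.
        return ["assertion carries no saml:NameID (is Rule 2 'Issue NameID' present?)"]

    problems = []
    fmt = nameid.get("Format")
    if fmt != EMAIL_FORMAT:
        problems.append("NameID Format is %r, expected %r" % (fmt, EMAIL_FORMAT))

    # The spnamequalifier property of Rule 2 becomes this attribute; it must equal the SP Entity ID.
    spnq = nameid.get("SPNameQualifier")
    if spnq != sp_entity_id:
        problems.append("SPNameQualifier is %r, expected the SP Entity ID %r" % (spnq, sp_entity_id))

    # Rule 1 supplies the value (userPrincipalName or mail); StatusDashboard matches it to a user's email.
    value = (nameid.text or "").strip()
    if not EMAIL_RE.match(value):
        problems.append("NameID value %r is not an email address, so it cannot match a StatusDashboard user" % value)
    return problems


# Constructed sample response (not captured from a real ADFS server); Signature elements omitted.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                   SPNameQualifier="test.statusdashboard.com">jane.doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed counter-example: unspecified format, no SPNameQualifier, and a Windows
# account name instead of an email address. All three checks fail on it.
BAD_RESPONSE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">EXAMPLE\\jdoe</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_nameid(xml, "test.statusdashboard.com") or "OK")
```

Pass the Entity ID / Issuer value from the Service Provider SAML configuration as the second argument; a single "SPNameQualifier is ..." problem on an otherwise correct response points at the spnamequalifier value in Rule 2.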


StatusDashboard Settings - Service Provider

To configure the StatusDashboard Service Provider settings, log in to StatusDashboard and browse to Security => Single Sign-On => Options => SAML SSO (Admin|Dashboard). Configuration settings for both the Dashboard and Admin SAML setup are listed below.

Setting: x509 Certificate
  Dashboard: Select StatusDashboard or Comodo
  Admin: Select StatusDashboard or Comodo
  Notes: If your IdP implementation requires a trusted certificate, choose the Comodo-signed certificate (assuming your IdP trusts the Comodo CA certificate). If your IdP does not require a trusted certificate, choose the StatusDashboard self-signed certificate. The self-signed certificate is the preferred option because it has a long expiration time and will not be refreshed, whereas the Comodo certificate may be refreshed periodically (requiring you to update your IdP configuration).

Setting: Sign AuthN Request
  Dashboard: Enabled
  Admin: Enabled

Setting: Sign Logout Request
  Dashboard: Enabled
  Admin: Enabled

Setting: Sign Logout Response
  Dashboard: Enabled
  Admin: Enabled

Setting: Sign Metadata
  Dashboard: Enabled
  Admin: Enabled
  Notes: This option can be set either way and is not dependent on the ADFS configuration.

Setting: Signature Algorithm
  Dashboard: rsa-sha1
  Admin: rsa-sha1
  Notes: Can be set to whatever the ADFS configuration requires. The relying party trust's Advanced tab in ADFS defaults to SHA-256, so the value must be changed on one side or the other until both match; otherwise signature validation fails.

Setting: Digest Algorithm
  Dashboard: sha1
  Admin: sha1
  Notes: Can be set to whatever the ADFS configuration requires.

Setting: Encrypt Name ID
  Dashboard: Disabled
  Admin: Disabled

Setting: Include Authentication Context
  Dashboard: Disabled
  Admin: Disabled


StatusDashboard Settings - Identity Provider

To configure the StatusDashboard Identity Provider settings, log in to StatusDashboard and browse to Security => Single Sign-On => Options => SAML SSO (Admin|Dashboard). Configuration settings for both the Dashboard and Admin SAML setup are listed below.

Setting: Entity ID / Issuer
  Dashboard: http://[adfs server hostname]/adfs/services/trust
  Admin: http://[adfs server hostname]/adfs/services/trust
  Notes: Insert your ADFS server hostname in the brackets. The ADFS federation service identifier is an http:// URI even though its endpoints are https://; enter it exactly as ADFS publishes it.

Setting: Single Sign-On (SSO) Service URL
  Dashboard: https://[adfs server hostname]/adfs/ls/
  Admin: https://[adfs server hostname]/adfs/ls/
  Notes: Insert your ADFS server hostname in the brackets.

Setting: Single Logout Service (SLO) URL
  Dashboard: (none)
  Admin: (none)
  Notes: Not yet supported.

Setting: IdP Logout URL
  Dashboard: https://[adfs server hostname]/adfs/ls/?wa=wsignout1.0
  Admin: https://[adfs server hostname]/adfs/ls/?wa=wsignout1.0
  Notes: When not using SLO, this URL ends the user's ADFS session when they log out of StatusDashboard. Insert your ADFS server hostname in the brackets.

Setting: Logout Redirect URL
  Dashboard: [Insert redirect URL]
  Admin: [Insert redirect URL]
  Notes: Enter the URL where you want your users to end up after logging out.

Setting: x509 Certificate
  Dashboard: [x509 cert in PEM format]
  Admin: [x509 cert in PEM format]
  Notes: Enter your ADFS server's token-signing certificate (not the service communications or token-decrypting certificate).

Setting: Require Message Signature
  Dashboard: Disabled
  Admin: Disabled

Setting: Require Assertion Signature
  Dashboard: Disabled
  Admin: Disabled

Setting: Require NameID Encryption
  Dashboard: Disabled
  Admin: Disabled
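Every value in the Identity Provider table except the two logout URLs is also published by ADFS in its federation metadata (by default at https://[adfs server hostname]/FederationMetadata/2007-06/FederationMetadata.xml, a standard ADFS path). The script below is an added example, not StatusDashboard or Microsoft code: it extracts the entityID, the HTTP-POST single sign-on location and the token-signing certificate(s) from that metadata, converts the certificate to the PEM form the x509 Certificate field expects, and compares the URLs with the patterns in the table. The metadata document, the hostname adfs.example.com and the certificate blobs are constructed placeholders (the blobs are valid base64 but not real certificates).

```python
"""Derive the StatusDashboard IdP settings from ADFS federation metadata."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def to_pem(b64_der: str) -> str:
    """Wrap the base64 DER blob from ds:X509Certificate into PEM (64-character lines)."""
    body = "".join(b64_der.split())          # metadata may wrap the blob across lines
    base64.b64decode(body, validate=True)    # fail early on a truncated or edited blob
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def idp_settings_from_metadata(metadata_xml: str) -> dict:
    """Extract the values the Identity Provider settings ask for from ADFS federation metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == POST_BINDING:
            sso_url = svc.get("Location")

    # ADFS marks the token-signing certificate(s) use="signing" and the token-decrypting
    # certificate use="encryption"; only the signing ones belong in the x509 Certificate field.
    # During a signing-key rollover both the primary and the secondary certificate appear.
    signing_certs = [
        to_pem(cert.text)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") == "signing"
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": signing_certs}


def check_against_documented_pattern(settings: dict, hostname: str) -> list:
    """Compare extracted settings with the URL patterns in the table; returns the problems found."""
    problems = []
    expected_entity = "http://%s/adfs/services/trust" % hostname
    if settings["entity_id"] != expected_entity:
        problems.append("entity_id %r does not match %r" % (settings["entity_id"], expected_entity))
    expected_sso = "https://%s/adfs/ls/" % hostname
    if settings["sso_url"] != expected_sso:
        problems.append("sso_url %r does not match %r" % (settings["sso_url"], expected_sso))
    if not settings["signing_certs"]:
        problems.append("no token-signing certificate found in metadata")
    return problems


# Constructed placeholders, NOT real certificates: valid base64 so the PEM wrapping can run.
FAKE_SIGNING_B64 = base64.b64encode(b"placeholder signing DER, not a real certificate. " * 5).decode()
FAKE_ENCRYPTION_B64 = base64.b64encode(b"placeholder decrypting DER, not a real cert. " * 5).decode()

# Constructed, trimmed-down metadata in the shape ADFS publishes (Signature and other roles omitted).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % (FAKE_ENCRYPTION_B64, FAKE_SIGNING_B64)


if __name__ == "__main__":
    found = idp_settings_from_metadata(SAMPLE_METADATA)
    print("Entity ID / Issuer:", found["entity_id"])
    print("SSO Service URL:", found["sso_url"])
    print(found["signing_certs"][0])
    print("problems:", check_against_documented_pattern(found, "adfs.example.com") or "none")
```

Against a live ADFS server, fetch the metadata over HTTPS with a client that validates the server certificate, then paste the printed PEM block into the x509 Certificate field; if two signing certificates are printed, a key rollover is in progress and the secondary one will become active when ADFS promotes it.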
