
How to set up Single Sign On with ADFS

Set up ADFS

Teams using Active Directory Federation Services (ADFS) as their single sign-on provider can get set up in UpKeep by following the process outlined below.

Setting up Relying Party Trust

  1. Sign in to the server where ADFS is installed. If you need help deploying ADFS, check out this guide.
  2. Open the ADFS management console and select Trust Relationships, then Relying Party Trusts in the left console tree.
  3. Click Add Relying Party Trust from the Actions menu on the right.
  4. In the Select Data Source step, select the option Enter data about the relying party manually.
  5. Next, specify the display name for your application in the Specify Display Name tab. We suggest calling it something like Company name – Upkeep. Add any optional notes you may need.
  6. In the Choose Profile tab, select ADFS Profile.
  7. On the Configure Certificate tab, leave the certificate settings at their defaults.
  8. Open a new browser tab at https://app.onupkeep.com/web/settings/auth
  9. Select Custom SAML 2.0 and click Configure.
  10. In the Configure URL tab, select the box Enable Support for the SAML 2.0 WebSSO protocol and enter the SAML service endpoint. The SAML service endpoint is the same as the SSO POSTBACK URL, which you get from the UpKeep website.
  11. In the Configure Identifiers tab, enter https://app.onupkeep.com and click Add.
  12. Select Permit all users to access this relying party, then click Next and review your settings.
  13. Ensure you’ve toggled Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and select Close.

Set up Claim Rules

  1. Set up a Send LDAP Attributes as Claims rule. The outgoing claim Email Address is recommended.
  2. Create a rule to Transform an Incoming Claim. Open the required NameID claim rule, and change the outgoing name ID format to Persistent Identifier. Then, click OK to save.

  • Click Apply.
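
The relying party trust and claim rules described above can also be created from PowerShell on the ADFS server, which keeps the configuration reviewable and repeatable. This is an added example, not UpKeep's own script: the POSTBACK URL is a placeholder to replace with the value shown on the UpKeep settings page, and using the e-mail address claim as the source for NameID is an assumption.

```powershell
# Added example: scripted equivalent of the wizard and claim-rule steps.
# Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

# Placeholder: paste the SSO POSTBACK URL shown on the UpKeep auth settings page.
$PostbackUrl = 'https://<SSO-POSTBACK-URL-FROM-UPKEEP>'
$Identifier  = 'https://app.onupkeep.com'
$TrustName   = 'Company name - Upkeep'   # display name suggested in the steps above

if ($PostbackUrl -match '[<>]') {
    throw 'Set $PostbackUrl to the SSO POSTBACK URL from UpKeep before running.'
}

# SAML 2.0 WebSSO assertion consumer endpoint, POST binding.
$Endpoint = New-AdfsSamlEndpoint -Binding 'POST' `
    -Protocol 'SAMLAssertionConsumer' -Uri $PostbackUrl

# Rule 1: send the LDAP "mail" attribute as the E-Mail Address claim.
# Rule 2 (assumption: NameID is sourced from that e-mail claim): transform it
#         into a NameID with the Persistent Identifier format.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail to persistent NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Equivalent of "Permit all users to access this relying party".
$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $Identifier `
    -SamlEndpoint $Endpoint `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Review what was created before testing a login.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Format-List Name, Identifier, Enabled, IssuanceTransformRules
```

The permit-all rule mirrors the wizard choice above; to limit access to specific users or groups, replace `$AuthorizationRules` with a narrower rule.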

Set up Upkeep

  1. Enter your SAML 2.0 Endpoint URL (the SAML 2.0/WS-Federation URL endpoint). This is where your users will log in. In a default installation, the path is /adfs/ls/
  2. Enter your Identity Provider Issuer. Click Services, then click Edit Federation Services in the right panel and copy the Federation Service Identifier.
  3. In the Public Certificate field, copy and paste your entire Base-64 encoded X.509 certificate.

To export the certificate: Services -> Certificate -> click Token-signing -> View Certificate -> Details tab -> Copy to File. Make sure you select Base-64 encoded.

  • Click Save.