How to set up Single Sign On with ADFS

Verifying SSO using ADFS for UpKeep

ADFS Settings

This document helps you verify the ADFS settings and the corresponding UpKeep settings after the wizard has completed. Please see Setup SSO using ADFS for UpKeep for the initial setup process.

A. Relying Party Trust Settings

  1. Sign in to the server where ADFS is installed.
  2. Open the ADFS management console and select Trust Relationships, then Relying Party Trusts in the left console tree.
  3. Right-click on the UpKeep Relying Party Trust and choose Properties.

  4. Monitoring

    Monitoring should be empty.

  5. Identifiers

    Relying party identifiers: http://app.onupkeep.com

  6. Encryption

    Should be empty.

  7. Signature

    Should be empty.

  8. Accepted Claims

    Should be empty.

  9. Organization

    Should be empty.

  10. Endpoints

    There should be 2 Endpoints here, one with Index 0 and one with Index 1.
    Select the Endpoint with Index 0 and click Edit.

    Binding: POST
    Set the trusted URL as default: Unchecked
    Index: 0
    Trusted URL: This URL comes from your UpKeep SAML Authentication settings page (the SSO Post Back URL in Section C, Step 4).

    Click OK to return to the Endpoints listing. Select the Endpoint with Index 1 and click Edit.

    The settings are the same as for the first Endpoint except for the Index and Trusted URL.
    Index: 1
    Trusted URL: https://api.onupkeep.com/auth/saml/acs/
    Click OK to return to the Endpoints listing.

  11. Proxy Endpoints

    Should be empty.

  12. Notes

    Should be empty.

  13. Advanced

    Ensure SHA-256 is selected as the secure hash algorithm.

  14. From the main ADFS console window, under Relying Party Trusts, right-click on the UpKeep Relying Party Trust and select Edit Access Control Policy.

    Ensure Permit everyone is selected.

    Click OK to return.
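The checks in Section A can also be run from PowerShell on the ADFS server, which is quicker than clicking through each tab and leaves a record of what was verified. The script below is an added example, not part of the UpKeep article or the UpKeep product. It assumes the Relying Party Trust created by the wizard is named "UpKeep" (change $TrustName if yours differs) and only reads configuration; it changes nothing.

```powershell
# Added verification script, not part of the UpKeep article or product.
# Assumption: the Relying Party Trust created by the wizard is named "UpKeep";
# change $TrustName if yours differs. Run in an elevated PowerShell session on
# the ADFS server. The script only reads configuration; it changes nothing.
$TrustName = 'UpKeep'
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying Party Trust '$TrustName' not found" }

# URI that ADFS stores when "SHA-256" is selected on the Advanced tab
$Sha256Uri = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

$endpoints = @($rp.SamlEndpoints)
$index1    = $endpoints | Where-Object { $_.Index -eq 1 }

# One entry per tab in Section A: a description and the expected condition
$checks = @(
  @{ Name = 'Identifiers: http://app.onupkeep.com present'
     Pass = ($rp.Identifier -contains 'http://app.onupkeep.com') }
  @{ Name = 'Monitoring: disabled'
     Pass = (-not $rp.MonitoringEnabled) }
  @{ Name = 'Encryption: no encryption certificate'
     Pass = ($null -eq $rp.EncryptionCertificate) }
  @{ Name = 'Signature: no request signing certificate'
     Pass = ($null -eq $rp.RequestSigningCertificate -or $rp.RequestSigningCertificate.Count -eq 0) }
  @{ Name = 'Notes: empty'
     Pass = [string]::IsNullOrWhiteSpace($rp.Notes) }
  @{ Name = 'Advanced: SHA-256 signature algorithm'
     Pass = ($rp.SignatureAlgorithm -eq $Sha256Uri) }
  @{ Name = 'Access control policy: Permit everyone'
     Pass = ($rp.AccessControlPolicyName -eq 'Permit everyone') }
  @{ Name = 'Endpoints: exactly two, Index 0 and Index 1'
     Pass = ($endpoints.Count -eq 2 -and (($endpoints.Index | Sort-Object) -join ',') -eq '0,1') }
  @{ Name = 'Endpoints: all POST binding, none marked default'
     Pass = (@($endpoints | Where-Object { "$($_.Binding)" -ne 'POST' -or $_.IsDefault }).Count -eq 0) }
  @{ Name = 'Endpoints: Index 1 URL is https://api.onupkeep.com/auth/saml/acs/'
     Pass = ($null -ne $index1 -and $index1.Location.AbsoluteUri -eq 'https://api.onupkeep.com/auth/saml/acs/') }
)

foreach ($c in $checks) {
  $status = if ($c.Pass) { 'OK  ' } else { 'FAIL' }
  Write-Output ('[{0}] {1}' -f $status, $c.Name)
}

# The Index 0 URL is tenant-specific (it is the SSO Post Back URL from UpKeep's
# SAML Authentication page), so list the endpoints for a manual comparison.
$endpoints | Sort-Object Index | Format-Table Index, Binding, IsDefault, Location -AutoSize
```

Any FAIL line points at the tab in Section A that needs another look. The Index 0 URL cannot be checked automatically here because it depends on the Unique Company Identifier set in UpKeep, so it is printed for comparison with the SSO Post Back URL instead.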

B. Transform Claim Rules Setup

Setting up a Transform Claim Rule is optional and won't stop your SSO setup from working, but it is recommended because it passes Active Directory attributes through to UpKeep.

  1. From the main ADFS console window, under Relying Party Trusts, right-click on the UpKeep Relying Party Trust and select Edit Claims Issuance Policy.

  2. You should see two Issuance Transform Rules, as shown below.

    Highlight the first rule and click Edit Rule.

  3. The E-mail rule should match the following:

    Claim Rule Name: E-mail

    Attribute Store: Active Directory
    LDAP Attribute: E-Mail-Addresses
    Outgoing Claim Type: E-Mail Address
    Click OK to return to the rules listing.

  4. Highlight the second rule.

    Click Edit Rule.

  5. NameID Rule

    Claim rule name: NameID

    Incoming claim type: E-mail Address or UPN (if UPN is in email format)
    Outgoing claim type: Name ID
    Outgoing name ID format: Email
    Select Pass through all claim values
    Click OK to return.
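The two rules in Section B are stored by ADFS as claim rule language, and it is often easier to verify them as text than to read them back through the Edit Rule dialogs. The block below is an added example, not part of the UpKeep article or product: it holds the reference text that the wizard generates for the E-mail and NameID rules above and compares it with what is configured on the trust. It assumes the trust is named "UpKeep" and that the GUI label "E-Mail-Addresses" maps to the mail LDAP attribute, which is the standard ADFS mapping.

```powershell
# Added example, not part of the UpKeep article or product. It shows the two
# Issuance Transform Rules of Section B in ADFS claim rule language (the text
# the Edit Rule dialogs generate) and compares them with the configured rules.
# Assumptions: the Relying Party Trust is named "UpKeep"; the GUI label
# "E-Mail-Addresses" maps to the "mail" LDAP attribute. Run on the ADFS server.
$TrustName = 'UpKeep'

$ReferenceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Section B, step 5 allows UPN as the incoming claim type instead of E-mail
# Address; that variant only differs in the condition of the NameID rule.
$EmailCondition    = 'c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]'
$UpnCondition      = 'c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]'
$ReferenceRulesUpn = $ReferenceRules.Replace($EmailCondition, $UpnCondition)

$current = (Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules

# Compare ignoring whitespace. Claim types and name ID formats are
# case-sensitive URIs, so use the case-sensitive -ceq operator.
$normalise    = { param($s) "$s" -replace '\s', '' }
$matchesEmail = (& $normalise $current) -ceq (& $normalise $ReferenceRules)
$matchesUpn   = (& $normalise $current) -ceq (& $normalise $ReferenceRulesUpn)

Write-Output ('Matches reference (E-mail Address incoming): {0}' -f $matchesEmail)
Write-Output ('Matches reference (UPN incoming):            {0}' -f $matchesUpn)

if (-not ($matchesEmail -or $matchesUpn)) {
  Write-Output '---- configured rules ----'
  Write-Output $current
  Write-Output '---- reference rules (E-mail Address variant) ----'
  Write-Output $ReferenceRules
}

# Quick read of the configured text: rule names and the LDAP query in use.
# The query ";mail;{0}" is the "E-Mail-Addresses" attribute from step 3.
[regex]::Matches("$current", '@RuleName = "([^"]+)"') | ForEach-Object { 'Rule: ' + $_.Groups[1].Value }
[regex]::Matches("$current", 'query = "([^"]+)"')    | ForEach-Object { 'LDAP query: ' + $_.Groups[1].Value }

# To replace the configured rules with the reference text (this changes ADFS):
# Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $ReferenceRules
```

The NameID rule is the one UpKeep depends on: its outgoing format must be the emailAddress name ID format shown in the reference text, and its incoming claim must be the same email-formatted value that the first rule emits, otherwise the user arriving at UpKeep cannot be matched to an account.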

C. UpKeep SAML Settings

  1. Sign in to your UpKeep administration page (https://app.onupkeep.com). Click Settings in the bottom left corner.

    Select Authentication. Select Custom SAML 2.0, then Configure.


  2. You will see the following screen.

    Let's deal with each section individually.

  3. Unique Company Identifier

    Enter an identifier that is unique to your company. This is case-sensitive.
    Note: If you change this, your SSO Post Back URL (which is needed in Section A, Step 10) changes as well.

  4. SSO Post Back URL (Assertion Consumer Service URL)

    This unique URL is used to connect to your on-premises ADFS. It is the Trusted URL for the Index 0 Endpoint in Section A, Step 10 above.

  5. SAML 2.0 Endpoint and Identity Provider Issuer

    The SAML 2.0 Endpoint is your main ADFS URL (e.g. https://adfs.yourcompany.com) combined with the URL path of your SAML 2.0 Endpoint found in your ADFS management console (the default is /adfs/ls).

    Merging the main URL with the SAML 2.0 URL Path above would produce:
    https://adfs.yourcompany.com/adfs/ls/

    Identity Provider Issuer
    From the ADFS management console, highlight Service in the navigation tree, right-click on Service, click Edit Federation Service Properties.

    Enter the Federation Service identifier in the Identity Provider Issuer field.

  6. Public certificate

    This certificate is the token-signing certificate from the ADFS management console. UpKeep uses it to verify the signature on the SAML assertions ADFS issues.

    Browse to AD FS -> Service -> Certificates. Highlight the Token-signing certificate. Right-click, View Certificate.

    Click the Details tab, Copy to File.

    Export the certificate as Base-64 encoded X.509 (.CER).

    Paste the contents of this CER file (text file) into the public certificate field.
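The three ADFS-side values that Section C asks for (SAML 2.0 Endpoint, Identity Provider Issuer and the token-signing certificate) can all be read from the ADFS server in one go, which avoids transcription errors when pasting them into UpKeep. The script below is an added example, not part of the UpKeep article or product. The output folder C:\Temp is an assumption; the cmdlets and properties it uses are standard ADFS PowerShell.

```powershell
# Added example, not part of the UpKeep article or product. Collects the
# ADFS-side values that Section C asks for (SAML 2.0 Endpoint, Identity
# Provider Issuer, token-signing certificate as Base-64 encoded X.509) so they
# can be pasted into UpKeep's SAML settings. Assumption: $OutDir is where the
# .CER file is written. Run in an elevated PowerShell session on the ADFS server.
$OutDir = 'C:\Temp'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$props = Get-AdfsProperties

# Step 5: SAML 2.0 Endpoint. The passive endpoint path is /adfs/ls/ by default;
# read it from the endpoint table rather than assuming it.
$ls = Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '/adfs/ls*' } | Select-Object -First 1
$samlEndpoint = if ($ls) { $ls.FullUrl.AbsoluteUri } else { "https://$($props.HostName)/adfs/ls/" }

# Step 5: Identity Provider Issuer is the Federation Service identifier
# (Service -> Edit Federation Service Properties in the console).
$issuer = $props.Identifier.AbsoluteUri

# Step 6: primary token-signing certificate, exported as Base-64 encoded X.509
# (.CER), which is the same format the "Copy to File" wizard produces.
$signing = Get-AdfsCertificate -CertificateType 'Token-Signing' | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate
$der     = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem     = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`r`n-----END CERTIFICATE-----"
$cerPath = Join-Path $OutDir 'adfs-token-signing.cer'
Set-Content -Path $cerPath -Value $pem -Encoding Ascii

# A secondary token-signing certificate means a rollover is pending. Once it
# becomes primary, ADFS signs with a key UpKeep does not know, so the Public
# certificate field in UpKeep has to be updated at the same time.
$secondary = Get-AdfsCertificate -CertificateType 'Token-Signing' | Where-Object { -not $_.IsPrimary }

[pscustomobject]@{
  'SAML 2.0 Endpoint'        = $samlEndpoint
  'Identity Provider Issuer' = $issuer
  'Certificate file'         = $cerPath
  'Thumbprint'               = $cert.Thumbprint
  'Expires'                  = $cert.NotAfter
  'Auto rollover enabled'    = $props.AutoCertificateRolloverEnabled
  'Secondary cert pending'   = [bool]$secondary
} | Format-List
```

Paste the first two values into the SAML 2.0 Endpoint and Identity Provider Issuer fields and the contents of the .CER file into the Public certificate field. The Expires and Secondary cert pending lines are worth noting in your change records: when the token-signing certificate rolls over, sign-in to UpKeep fails until the new certificate is pasted in.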