Configure Active Directory For Single Sign-On
Meridian Cloud supports single sign-on (SSO) logins through the Security Assertion Markup Language (SAML). A SAML identity provider (IDP) can take many forms, one of which is a self-hosted Active Directory Federation Services (AD FS) server. AD FS is a service provided by Microsoft as a standard role for Windows Server. AD FS provides web application authentication using existing Active Directory credentials.
These are the requirements to configure AD FS to authenticate Meridian Cloud users:
- An Active Directory where all users have an email address attribute and a name attribute.
- An SSL certificate to sign your AD FS login page.
- A server running Microsoft Windows Server 2008 or higher with AD FS installed as described in Deploy and configure AD FS.
Configuring AD FS is a multi-step process. Following is an outline of each step in the process with references to the corresponding Microsoft documentation and where to enter information from each system in the other system.
Step 1 – Add a relying party trust
Complete the Add Relying Party Trust Wizard as described in Create a Relying Party Trust using the options in the following table.
Option | Description |
---|---|
Select Data Source | Select Enter data about the relying party manually. |
Specify Display Name | Enter any name that identifies the trust with Meridian Cloud. |
Choose Profile | Select AD FS profile. |
Configure Certificate | If you have an optional token encryption certificate, select it. Otherwise, accept the defaults. |
Configure URL | Select Enable support for the SAML 2.0 Web SSO protocol and enter the URL from the Single Sign-On URL option described in Configure a Third-Party Identity Provider. |
Configure Identifiers | In Relying party trust identifier, enter the URL from the Audience option described in Configure a Third-Party Identity Provider. |
Choose Access Control Policy | Select the appropriate policy for your environment. |
Configure claims issuance policy for this application | Enable this option and continue with step 2. |
Step 2 – Create a claim policy
Configure a claims issuance policy as described in Create a Rule to Send LDAP Attributes as Claims. Add the mappings listed in the following table.
LDAP Attribute | Outgoing Claim Type |
---|---|
User-Principal-Name | Name ID |
E-Mail-Addresses | E-Mail Address |
Display-Name | Name |
Step 3 – Specify the secure hash algorithm
To specify the secure hash algorithm:
- In AD FS Management, select the trust that you added in step 1 from the Relying Party Trusts list.
- In the Actions menu, click Properties. The Properties dialog box for the trust opens.
- On the Advanced page, select SHA-256 from the Secure hash algorithm list.
- Click OK.
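As an added example that is not part of the original documentation, the following PowerShell performs the equivalent of steps 1 through 3 in one script on the AD FS server: it creates the relying party trust, attaches the step 2 LDAP claim mapping written in the AD FS claim rule language, and sets the SHA-256 signature algorithm. The two Meridian Cloud URLs are placeholders for the Single Sign-On URL and Audience values from Configure a Third-Party Identity Provider; the trust name and the access control policy name are assumptions.

```powershell
# Added example: PowerShell equivalent of steps 1-3 (relying party trust,
# LDAP claim rules, SHA-256 signature). Not part of the original documentation.
Import-Module ADFS

# Placeholders: replace with the values shown in Configure a Third-Party Identity Provider.
$acsUrl    = 'https://REPLACE-WITH-SINGLE-SIGN-ON-URL'   # Single Sign-On URL option
$audience  = 'https://REPLACE-WITH-AUDIENCE-URL'         # Audience option
$trustName = 'Meridian Cloud'                            # assumed display name

# Step 2 mapping in the claim rule language (same rule the "Send LDAP Attributes
# as Claims" template generates):
#   User-Principal-Name -> Name ID, E-Mail-Addresses -> E-Mail Address, Display-Name -> Name
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Meridian Cloud attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,mail,displayName;{0}", param = c.Value);
'@

# Step 1: SAML 2.0 Web SSO endpoint (HTTP-POST binding to the assertion consumer service).
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

$trustParams = @{
    Name                    = $trustName
    Identifier              = $audience          # Relying party trust identifier
    SamlEndpoint            = $samlEndpoint
    IssuanceTransformRules  = $claimRules
    AccessControlPolicyName = 'Permit everyone'  # assumed; choose the policy appropriate for your environment
    SignatureAlgorithm      = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'  # step 3: SHA-256
}
Add-AdfsRelyingPartyTrust @trustParams

# Check the result: the trust should report the SHA-256 algorithm, the audience
# identifier and the three claim types before you hand the configuration over.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules
```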
Step 4 – Create a certificate file
To create a certificate file:
- In AD FS Management:
  - Open the Service folder.
  - Select the Certificates folder.
  - View the Token-Signing certificate.
- On the Details tab, click Copy to File. The Certificate Export Wizard opens.
- Click Next.
- Select the No, do not export the private key option and then click Next.
- Select DER encoded binary X.509 (.cer) and then click Next.
- Select where you want to save the file, give it a name, and then click Next.
- Click Finish.
Convert the file to PEM format using a tool like Certificate Manager.
Step 5 – Configure SAML authentication
Enter the following information as described in Configure a Third-Party Identity Provider.
Option | Description |
---|---|
Name | The name of the authentication provider as you want it to appear to users. |
Single Sign-On URL | Run the Get-AdfsEndpoint command in a PowerShell window. Copy and paste the FullUrl value of the SAML 2.0/WS-Federation record. |
Issuer (Entity ID) | In AD FS Management, in the Actions menu, click Edit Federation Service Properties, then copy and paste the URL shown for Federation Service identifier on the Federation Service Properties page. |
X.509 Certificate | Click Upload and select the certificate file you created in step 4. |
SSO Request Binding Type | Delivery method of the SAML request. |
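As an added example that is not part of the original documentation, this PowerShell gathers everything steps 4 and 5 ask for from the AD FS server itself: it exports the primary token-signing certificate straight to PEM (public certificate only, so no private key ever leaves the server) and reads the Single Sign-On URL and Issuer (Entity ID) with the cmdlets the documentation refers to. The output path is an assumption.

```powershell
# Added example: PowerShell equivalent of steps 4 and 5 (token-signing certificate
# as PEM, Single Sign-On URL, Issuer). Not part of the original documentation.
Import-Module ADFS

# Step 4: the primary token-signing certificate is the one that signs assertions
# Meridian Cloud will receive. Only the public certificate is exported.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$cert = $tokenSigning.Certificate   # X509Certificate2

# RawData is the DER encoding the wizard would write to the .cer file; wrapping its
# Base64 in the PEM header and footer is the conversion the documentation does with
# Certificate Manager. Lines are wrapped at 64 characters, as PEM readers expect.
$b64   = [Convert]::ToBase64String($cert.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem     = @('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----'
$pemPath = 'C:\Temp\adfs-token-signing.pem'   # assumed location
Set-Content -Path $pemPath -Value $pem -Encoding Ascii

# Step 5: Single Sign-On URL is the FullUrl of the enabled SAML 2.0/WS-Federation endpoint.
$ssoUrl = (Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled } |
    Select-Object -First 1).FullUrl

# Issuer (Entity ID) is the Federation Service identifier shown in
# Edit Federation Service Properties.
$entityId = (Get-AdfsProperties).Identifier

# Summary to compare against AD FS Management before entering the values in Meridian
# Cloud. NotAfter tells you when the uploaded certificate will need to be replaced.
[PSCustomObject]@{
    SingleSignOnUrl = $ssoUrl
    Issuer          = $entityId
    CertificateFile = $pemPath
    Thumbprint      = $cert.Thumbprint
    NotAfter        = $cert.NotAfter
}
```

Note that AD FS rolls the token-signing certificate automatically when AutoCertificateRollover is enabled, so the PEM uploaded in step 5 has to be refreshed before the date shown in NotAfter.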
Troubleshooting
Following are some common authentication issues and possible solutions.
- Users receive an error message that contains Application...is disabled.
  - Set the Active Directory option Enterprise Applications > User settings > Users can consent to apps accessing company data on their behalf to Yes.
  - Set the Active Directory option Enterprise Applications > M360 - Properties > Enable for users to sign-in to Yes.
  - When users are presented with a Permissions requested dialog, they must click Accept.
- Users are presented with a Need admin approval dialog.
  - An Active Directory administrator must sign in to Meridian Portal, where they should be presented with a Permissions requested dialog. They must check Consent on behalf of your organization and click Accept.
- An Active Directory administrator wants to grant access to Meridian Portal to specific users only.
  - Set the Active Directory option Enterprise Applications > User settings > Users can consent to apps accessing company data on their behalf to No.
  - Set the Active Directory option Enterprise Applications > M360 - Properties > Enable for users to sign-in to Yes.
  - Set the Active Directory option Enterprise Applications > M360 - Properties > User assignment required? to Yes.
  - Assign roles to the users in Enterprise Applications > M360 - Users and groups.