Surpass SSO - Adding the Relying Party (ADFS) v1.3.1

This article will focus on adding Surpass as a Relying Party to your Identity Provider. Detailed instructions on how this can be achieved in an ADFS Idp setup have been provided below:

Note - Strings in ADFS, including URLS, are case sensitive.

1. Open ADFS 2.0 Management and confirm that the /adfs/ls/ endpoint for SAML 2.0 exists. To view the endpoint's setup on your server, expand the Service folder and select Endpoints, these addresses will be listed in the main window.

2. To add a relying party expand the 'Trust Relationships' folder, right click the folder 'Relying Party Trusts' and add a relying party trust. Select the option to enter the relying party information manually on the 'Select Data Source' step of the wizard.

3. Specify Display Name - Select a name for the relying party, the display name does not have to match with any other configuration and is just used to identify this connection.

4. Choose Profile - Select the option 'AD FS 2.0 profile'.

5. Configure Certificate - Upload the Service provider certificate, Surpass site administrators can download this certificate from the site settings interface. This will specify the certificate as the token encrypting certificate. Ignore any warnings about the key length. The token encryption certificate is used to encrypt the SAML assertion. The service provider decrypts the SAML assertion using the associated private key.

6. Configure URL - Turn on "Enable support for the SAML 2.0 WebSSO protocol" and enter the URL to Surpass SAML login page i.e. https://[ClientName].surpass.com/Saml/SingleSignOnService

7. Configure Identifiers - Specify the relying party trust identifier. This identifier must match the issuer field in the authn request sent by the Service Provider. The spName attribute in the client specific config file is used as the issuer so this name and the relying party trust identifier must match.

Below is an extract from a client specific config file:

<singleSignOn>

<saml spName="Demo_SurpassEditions" />

<singleSignOn>


When setting up the Relying party trust identifier in ADFS management the value must be set to the 'Service Provider Name' which is available to administrators in the Site Settings section of Surpass.


Note - The below example uses the demo instance of Surpass, this would need to be changed to the relevant service provider name.

8. Choose Issuance Authorization Rules - Select 'Permit all users to access this relying party'

9. Ready to Add Trust - Review the configuration and complete the wizard. Most of these settings can be amended in the properties of the relying party.

10. The Service Provider should now be included in the list of Relying Party trusts.

11. Relying Party Properties - The authn request sent by the service provider is signed. To specify the certificate to use to verify the signature, open the relying party trusts properties and, under the Signature tab, add the service provider certificate. This is the same file that was added in step 5.

12. Relying Party Properties - Change secure hash algorithm to 'SHA-1' on the Advanced tab.

13. Relying Party Properties - Add SAML Logout Endpoint under Endpoints tab.

Endpoint type : SAML Logout
Binding: Redirect
URL : https://[ClientName].surpass.com/Saml/SingleLogOutService
Response URL: https://[ClientName].surpass.com/login

14. Edit Claim Rules - The relying party now requires the user to edit the claim rules and add the necessary attributes that are going to be used in the SAML request. Right Click the Relying Party and select 'Edit Claim Rules'

15. Edit Claim Rules - Within the edit claim rules window add a rule using the template 'Send LDAP Attributes as Claims'

16. Map the Active Directory “User-Principal-Name” to the outgoing claim type “Name ID”. Map additional Active Directory attributes to include in the SAML assertion as SAML attributes. The required attributes are listed below.

Attribute store: Active Directory

Mapping of LDAP attributes to outgoing claim types:

User-Principal-Name =>Name ID
User-Principal-Name =>Name
E-Mail-Addresses=>E-Mail Address
Given-Name=>Given Name
Surname=>Surname
Token-Groups – Unqualified Names=>CentreReferences
Title=>Role

Note – The Outgoing Claim Type “CentreReferences” will need to be manually typed by the user as it will not be an available option from the drop down list. This is case sensitive.

Next Article

Feedback and Knowledge Base