Security Assertion Markup Language (SAML) authentication (ADFS 2.0)

It is possible to set up authentication based on SAML (Security Assertion Markup Language).

This integration is available for both Business and Accountant environments. Please note that you can only use this authentication as an Accountant for your own environment. As an Accountant, you cannot make this integration available to your customers.

Below is a description of how to set this up. Besides the settings in Nmbrs, ADFS 2.0 itself will also have to be configured. These settings are described later in this article.

Systematic operation of the authentication procedure

Basic configuration

There are excellent manuals available from Microsoft for performing the basic configuration that will help you set up the ADFS Identity Provider in no time.

Source Microsoft: http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28v=ws.10%29.aspx

Establish connection with NMBRS

This description only includes the “final steps” of the configuration process. It is assumed that the customer has already performed the basic configuration.

1) Configure domain identifier

The first step in establishing a connection with NMBRS is to configure the relying party trust that specifies which domains should communicate with each other for the exchange of information.

a) Select “Relying Party Trust” and create a new entry

b) In the popup window select Identifiers

c) Enter a name of your choice under “Display name”

d) Under Relying Party Identifier enter your Nmbrs domain, e.g. https://companyname.nmbrs.nl, and add it.

e) Then click on “apply”


2) Configure the “Endpoint”

The “endpoint” describes the path to your Nmbrs environment. The end user is routed here after a successful authentication process.

a) Select the entry created in the previous step and select the tab “Endpoints”

b) Add an entry in the screen

c) Select as binding “POST”

d) Under URL add the return link to your Nmbrs environment, e.g. https://bedrijfsnaam.nmbrs.nl/applications/common/externalactions.aspx?login=samlresponse, and click on “ok” and “apply”


3) Configure the security certificate

The security certificate is used to secure the connection between the Nmbrs application and your ADFS server. This certificate must be valid and registered with a “Certificate Authority”. Note: this certificate will be needed again at a later stage!

a) Select the entry created in the previous steps and select the tab “Signature”

b) Select “add” and add your certificate.

c) Then select the tab “Advanced” and select SHA1 as the Hash algorithm.

4) Configure claims

The claim rules determine which information is exchanged between the two environments and how it is translated.

a) Select the entry created in the previous steps and select “Edit claim rules”.

b) Select the tab “Issuance Transform Rules”

c) Add a new entry here

d) Select Active Directory as the Attribute store

e) For Nmbrs it is sufficient to map the E-Mail Address LDAP attribute to the E-Mail Address Outgoing Claim type. Please note that the e-mail address in Active Directory must match the e-mail address used in Nmbrs.

Save these changes.
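The same relying party trust can be created from PowerShell instead of the ADFS console. The script below is an added example (not part of this article or of Nmbrs' own documentation) that performs steps 1 to 4 in one go; the display name “Nmbrs” and the domain companyname.nmbrs.nl are placeholders to replace with your own values, and the certificate on the “Signature” tab is taken from the ADFS token-signing certificate because the article reuses that certificate later in step 5e.

```powershell
# Added example: scripted equivalent of steps 1-4 (ADFS 2.0 PowerShell snap-in).
# Placeholders: the display name 'Nmbrs' and the domain companyname.nmbrs.nl.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 on Windows Server 2008 R2
# On Windows Server 2012 and later use: Import-Module ADFS

$rpName     = 'Nmbrs'
$identifier = 'https://companyname.nmbrs.nl'                                                                # step 1d
$acsUrl     = 'https://companyname.nmbrs.nl/applications/common/externalactions.aspx?login=samlresponse'     # step 2d

# Step 2: SAML assertion consumer endpoint with the POST binding
$endpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Step 3: certificate on the "Signature" tab (used to verify signed SAML requests from the relying party);
# here the primary ADFS token-signing certificate, as the article reuses it in step 5e.
$signingCert = (Get-ADFSCertificate -CertificateType Token-Signing |
                Where-Object { $_.IsPrimary }).Certificate

# Step 4: issuance transform rule mapping the AD "mail" attribute to the E-Mail Address claim.
# The address in AD must equal the address registered in Nmbrs, otherwise the login is rejected.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Nmbrs e-mail address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# The console wizard adds a "Permit all users" authorization rule by default; without it nobody is issued a token.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Steps 1 and 3c: create the trust. The article specifies SHA-1 as the hash algorithm (step 3c);
# ADFS also accepts 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' if the service provider supports it.
Add-ADFSRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -SamlEndpoint $endpoint `
    -RequestSigningCertificate $signingCert `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $claimRules `
    -IssuanceAuthorizationRules $authzRules

# Check the result against what the console shows on the Identifiers, Endpoints and Advanced tabs
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, @{ n = 'Endpoint'; e = { $_.SamlEndpoints.Location } }
```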

5) Nmbrs Settings

These settings must be made in the NMBRS web application.

a) Go to "My Account". You can find it by clicking on your e-mail address at the top right and selecting “my account”.


b) Then go to "Security settings"


c) Next, under the option "Password / login settings" you will see the option Login with SAML (1). Clicking on this will open the "SSO Settings" pop-up (2). By checking the option "Login with SAML", two (extra) fields will appear. Enter the IDP SSO target URL and enter the certificate. Then click on save.

d) Under “IDP SSO Target Url” enter the path to your ADFS server, for example: https://login.windows.net/xxxx-xxxx-xxx-xx-xxx-x-xx-x/saml2


e) Under “Certificate” enter the hash code of your certificate. If this is not available, it can be retrieved in the following way.

Press the Windows key + R
Type MMC and press Enter
Click File and select Add/Remove Snap-ins
Select Certificates and click Add
Select Computer account and Local computer
Open the Personal certificate store
Browse to the certificates and export the Token-Signing certificate.

a. Right-click the certificate and select View Certificate.
b. Select the Details tab.
c. Click Copy to File….
The Certificate Export Wizard launches.
d. Select Next.
e. Ensure No, do not export the private key is selected, and then click Next.
f. Select DER encoded binary X.509 (.cer), and then click Next.
g. Select where you want to save the file and give it a name. Click Next.
h. Select Finish.

Nmbrs requires that this certificate be in PEM format. You can convert this certificate using client tools or even online tools such as SSL Shopper.
Use the DER/Binary certificate we just created and export it to Standard PEM format.
Right-click the certificate, open it with a text editor and copy the Base64 certificate text (the “hash” referred to above).
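The export wizard and the PEM conversion above can also be done in one PowerShell step on the ADFS server. The following is an added example (not part of the article) that reads the primary token-signing certificate directly from ADFS, writes it as a standard PEM file and prints the thumbprint and expiry date so they can be compared with the ADFS console before the text is pasted into Nmbrs; the output file name adfs-token-signing.pem is an assumption.

```powershell
# Added example: export the primary ADFS token-signing certificate as PEM for the Nmbrs "Certificate" field.
# Only the public certificate is exported; the private key never leaves ADFS.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0; on 2012+ use Import-Module ADFS

$cert = (Get-ADFSCertificate -CertificateType Token-Signing |
         Where-Object { $_.IsPrimary }).Certificate

# DER bytes of the public certificate, the same content as the .cer produced by the export wizard (step f)
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Base64 wrapped at 64 characters, i.e. the "Standard PEM" format
$b64  = [Convert]::ToBase64String($der)
$body = [regex]::Replace($b64, '.{64}', "`$0`r`n").TrimEnd()
$pem  = "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----"
Set-Content -Path .\adfs-token-signing.pem -Value $pem -Encoding Ascii   # assumed output file name

# Sanity checks before pasting: subject, thumbprint and expiry (compare the thumbprint with the ADFS console)
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter)"

# Whether ADFS will replace this certificate automatically before it expires
"AutoCertificateRollover: $((Get-ADFSProperties).AutoCertificateRollover)"

Get-Content .\adfs-token-signing.pem   # this Base64 text is what the article calls the certificate "hash"
```

If AutoCertificateRollover is True, ADFS generates a new token-signing certificate before the current one expires, and the value stored in Nmbrs must be updated again at that point or logins will fail.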

f) After the data has been entered and saved, the following is displayed.

6) Configuration for browsers and intranet

a) If you offer a link to your users on e.g. your intranet or user cover, then it should refer to the request URL, e.g. https://bedrijfsnaam.nmbrs.nl/applications/common/externalactions.aspx?login=samlsso

b) SAML works well with Internet Explorer, because it no longer requires authentication after logging in to a PC that is joined to the Active Directory domain. For this, however, both the URL of the intranet and the URL of your environment at NMBRS must be included in the Trusted sites list under the Internet Explorer options.

c) Other browsers may require a domain login before logging in to your NMBRS application.

d) For working with Chrome, an extra step must be taken, as Chrome does not support Windows authentication by default. See the link below for this.

IIS tweak to make Chrome work: https://exitcodezero.wordpress.com/2013/05/30/adfs-authentication-issues-with-chrome-and-firefox/
