ADFS

Brienne Wong

This feature is available on all Professional and Enterprise plans.

Set up

Configure a manual relying party trust (RPT) with the following attributes (xxxxxxxxxxxxxxxxxx will be provided to you by the zeroheight support team):

Display name: zeroheight

RP trust identifier: zeroheight:xxxxxxxxxxxxxxxxxx

Secure hash algorithm: SHA-1

If enabled, please provide the signing certificate: not currently enabled

If enabled, please provide the encryption certificate: not currently enabled

If WS-Fed is used, please provide the WS_Federation: not enabled  

If SAML is used, please provide the logon and optionally the logout endpoints with binding type:

login = https://zeroheight.com/sso/acs/xxxxxxxxxxxxxxxxxx

You'll need to set your ADFS to use a specific name ID format; the claim rules below set it to Email.

 

Claims

1) In the Edit Claim Rules window, click on the Add Rule button under the Issuance Transform Rules tab.

2) The Add Transform Claim Rule Wizard window opens where you need to select Send LDAP Attributes as Claims as the Claim rule template, and click Next.

3) Enter a name for your Claim Rule, for example, “email,” then set Attribute store to Active Directory.

4) Now we need to enter LDAP attributes. We will enter the LDAP attribute E-Mail-Addresses twice and set their outgoing types to E-Mail Address and email. Similarly, we will enter the LDAP attribute Given-Name twice and set their outgoing types to Given Name and FirstName.

5) Click OK when you are done adding the required LDAP attributes.

6) Add a second Claim Rule: click Add Rule on the Issuance Transform Rules tab, select Transform an Incoming Claim, and click Next.

7) Enter a Claim rule name, for example, Incoming-claim, set Incoming claim type to E-Mail Address, set Outgoing claim type to Name ID, and set Outgoing name ID format to Email.

8) Select Pass through all claim values and click Finish.

9) In the Edit Claim Rules window, click OK.

 

What we need from you

You will need to provide us with either:

  • Identity Provider Single Sign-On URL, X.509 Certificate, and target_logout URL

OR

  • Identity Provider Metadata XML

 

 
