This document should help you get SAML integration setup within your AD FS setup.
First off you will need the SSO Metadata XML from DIGIDECK. This can be retrieved in your Organization Integrations tab:
The URL should be similar to:
https://webapi.platform.sportsdigita.com/api/v1/authentication/saml/{{org-subdomain}}/metadata
The text in bold is what should be different for your organization.
Once you have this we are going to add a new Relying Trust to AD FS.
AD FS Setup
1. Click on Server Manager
2. Next click on Tools → AD FS Management
We are now going to add Sportsdigita as a Service Provider.
1. Click Add "Relying Party Trust"
To illustrate the steps for the wizard, I will have what is in the left pane match the options you may want to change. Please note assumptions were made to make this document easy, your specific company settings vary and may well differ and it is assumed you know what you are doing if you deviate from this howto.
2. Welcome: Click Start to begin the wizard
3. Select Data Source: The default Import data radial should be the default. Please paste your unique URL provided by Sportsdigita into the Federation metadata address field. Click Next.
4. Specify Display name: Change/don't change this according to your company policy/procedures. Click Next.
5. Configure Multi-factor Authentication Now: Depending on your company policy this might be enabled or not. For this document, we are going to proceed without multi-factor support. Click Next.
6. Choose Issuance Authorization Rules: We are going to select "Deny all users access to this relying party" as we will configure an AD group access later on. Please choose what you feel is best for your organizational setup. Click Next.
7. Ready to Add Trust: We accept the defaults on this page. Click Next.
8. Finish: Ensure "Open the Edit Claim Rules" is checked. Click Close.
We are not going to add the necessary claims for everything to work. As mentioned in step 6 we are only going to allow users who are part of a particular group to be able to use this Trust. Please go and create a new AD group specific to this otherwise we could use Domain Users.
Click on the middle tab Issuance Authorization Rules then Add Rules.
Next we are going to choose the options (default) Permit or Deny Users Based on an Incoming Claim and click Next.
Here we are going to create the rule.
a. Give your rule a meaningful name
b. For the Incoming claim type, use the drop-down and choose Group SID
c. For the incoming claim value, click Browse and enter the group you want to have access to the Trust.
d. Ensure the radial button for Permit access is selected.
e. Click Finish
Next, click the right-most tab labeled "issuance Transform Rules" and click "Add Rule..."
We are going to add two rules, one defining the incoming claim from Sportsdigita and the other what we need to be sent back to us. First the incoming claim from Sportsdigita. Choose "Transform an Incoming Claim" from the drop-down and click Next.
Here we are going to define some rules.
a. Give the claim a name
b. Incoming claim type choose "UPN" from the drop-down.
c. Outgoing claim type choose "Name ID" from the drop-down.
d. Outgoing name ID format please enter in: Email
e. Click Finish.
Lastly, we need to add a rule on what attributes to send back to Sportsdigita. Click Add Rule...
We are going to choose the default "Send LDAP Attributes as Claims" and click Next.
Now to create the rules:
a. Give your rule a name
b. Attribute Store and choose "Active Directory" from the drop-down.
c. For the Grid, the left-hand column uses the drop-down to get the values shown
d. For the right-hand side of the grid please enter in the values as shown in the graphic
e. Double-check the right-hand side to ensure it is exactly as the graphic
f. Click OK.
We are now finished so click OK to save the changes for this Trust.
One caveat, the claims are assuming the following are filled out for your Domain Users in Active Directory Users and Computers to correctly pass email address and telephone number to our system.
