This document should help you set up SAML integration within your AD FS environment.
First off, you will need the SSO metadata XML from the Digideck. This can be retrieved in your Organization Integrations tab:
The URL should be similar to:
The text in bold is what should be different for your organization.
Once you have this, we are going to add a new Relying Party Trust to AD FS.
AD FS Setup
1. Click on Server Manager
2. Next click on Tools → AD FS Management
We are now going to add Sportsdigita as a Service Provider.
1. Click Add Relying Party Trust
To illustrate the steps of the wizard, each numbered step below matches the page shown in the wizard's left pane and lists the options you may want to change. Please note that assumptions were made to keep this document simple; your specific company settings may well differ, and it is assumed you know what you are doing if you deviate from this how-to.
2. Welcome: Click Start to begin the wizard
3. Select Data Source: Leave the default Import data radio button selected. Paste the unique metadata URL provided by Sportsdigita into the Federation metadata address field. Click Next.
4. Specify Display name: Change this (or keep the default) according to your company policy and procedures. Click Next.
5. Configure Multi-factor Authentication Now: Depending on your company policy this might be enabled or not. For this document, we are going to proceed without multi-factor support. Click Next.
6. Choose Issuance Authorization Rules: We are going to select "Deny all users access to this relying party", as we will grant access to an AD group later on. Please choose what you feel is best for your organizational setup. Click Next.
7. Ready to Add Trust: We accept the defaults on this page. Click Next.
8. Finish: Ensure "Open the Edit Claim Rules" is checked. Click Close.
We are now going to add the claim rules necessary for everything to work.
As noted in step 6, we are only going to allow users who are members of a particular group to use this Trust. Please create a new AD group specifically for this; otherwise, Domain Users could be used.
We are going to click on the middle tab, Issuance Authorization Rules, and then Add Rule.
Next, we are going to choose the default option, Permit or Deny Users Based on an Incoming Claim, and click Next.
Here we are going to create the rule.
a. Give your rule a meaningful name
b. For the Incoming claim type, use the drop down and choose Group SID
c. For the incoming claim value, click Browse and enter the group you want to have access to the Trust.
d. Ensure the radio button for Permit access is selected.
e. Click Finish
Next, we are going to click the right-most tab, labeled "Issuance Transform Rules", and click "Add Rule...".
We are going to add two rules: one defining the incoming claim for Sportsdigita and the other defining what we need sent back to us. First, the incoming claim for Sportsdigita. Choose "Transform an Incoming Claim" from the drop down and click Next.
Here we are going to define some rules.
a. Give the claim a name
b. For the Incoming claim type, choose "UPN" from the drop down.
c. For the Outgoing claim type, choose "Name ID" from the drop down.
d. For the Outgoing name ID format, select Email.
e. Click Finish.
Lastly we need to add a rule on what attributes to send back to Sportsdigita. Click Add Rule...
We are going to choose the default "Send LDAP Attributes as Claims" and click Next.
Now to create the rules:
a. Give your rule a name
b. Attribute Store choose "Active Directory" from drop down.
c. For the left-hand column of the grid, use the drop down to select the values shown in the graphic.
d. For the right-hand column of the grid, enter the values as shown in the graphic.
e. Double-check the right-hand column to ensure it matches the graphic exactly.
f. Click OK.
We are now finished so click OK to save the changes for this Trust.
One caveat: the claims assume the following attributes are filled out for your domain users in Active Directory Users and Computers, so that the email address and telephone number are correctly passed to our system.
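The same Relying Party Trust and the three claim rules built in the wizard above can be scripted, which makes the configuration reviewable and repeatable across federation servers. The following is an added example written for this how-to; it is not Sportsdigita's own script. The metadata URL, the trust display name, the AD group name and the outgoing claim type for the telephone number are placeholders or assumptions (the exact attribute-to-claim mapping is defined by the graphic in the LDAP attributes step and is not reproduced here). It uses the AD FS and ActiveDirectory PowerShell modules and must be run as an AD FS administrator on a federation server.

```powershell
# Added example (not part of the original Sportsdigita document): create the
# Relying Party Trust and the claim rules from the wizard steps above.
# All names and URLs below are placeholders/assumptions.

Import-Module ADFS
Import-Module ActiveDirectory

# Placeholder: the unique SSO metadata URL copied from the Digideck
# Organization Integrations tab.
$MetadataUrl = 'https://REPLACE-WITH-YOUR-DIGIDECK-METADATA-URL'
$TrustName   = 'Sportsdigita Digideck'   # assumed display name (step 4)
$GroupName   = 'Digideck-SSO-Users'      # assumed AD group created for step 6

# Resolve the group to its SID. The authorization rule matches on the SID,
# as the wizard's Group SID claim does, so a renamed group neither breaks
# nor silently widens access.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 1. Create the trust from the published metadata (wizard steps 2-8).
#    Monitoring/auto-update keep the signing certificate from the metadata current.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# 2. Issuance Authorization Rule: permit only members of the chosen group.
#    With no "Permit all" rule present, everyone else is denied, which is the
#    effect of "Deny all users access" in the wizard plus this permit rule.
$AuthRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit $GroupName members"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$([regex]::Escape($GroupSid))$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# 3. Issuance Transform Rules:
#    (a) UPN -> Name ID with the Email name ID format ("Transform an Incoming Claim").
#    (b) Send LDAP attributes as claims ("Send LDAP Attributes as Claims").
#        The outgoing claim type "telephoneNumber" is an assumption; use the
#        names shown in the graphic in the original document.
$TransformRules = @"
@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID (Email)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleTemplate = "LdapClaims"
@RuleName = "Send AD attributes to Sportsdigita"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "telephoneNumber"), query = ";mail,telephoneNumber;{0}", param = c.Value);
"@

Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceAuthorizationRules $AuthRules `
    -IssuanceTransformRules $TransformRules

# 4. Verify that the trust exists and both rule sets were stored.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Enabled, MetadataUrl, IssuanceAuthorizationRules, IssuanceTransformRules |
    Format-List
```

The final Get-AdfsRelyingPartyTrust call is the check worth keeping: confirm that IssuanceAuthorizationRules contains only the group permit rule (no permit-all rule), and that the LDAP rule queries the mail and telephoneNumber attributes, since, as the caveat above states, users whose accounts lack those attributes will reach the Digideck without an email address or telephone number in their assertion.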