d!nk SSO integration with ADFS


Active Directory Federation Services (ADFS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with SSO access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity.

See also: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-scenarios-for-developers

This article describes the d!nk Single Sign-On (SSO) for Active Directory Federation Services (ADFS) and SAML, which is supported in Windows Server 2012.

In Windows Server 2016 it's possible to configure OpenId Connect as described at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/enabling-openid-connect-with-ad-fs. This is preferable to SAML 2.0.
How to configure OpenId Connect for d!nk integration is provided in this article.

1. Configuring Relying Party Trust

d!nk has to be added as a relying party trust.
That process is described at 
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trustd!nk will provide the SAML 2.0 SSO service URL.

The images below show some examples of configuration:

After setup, the Relying Party Trust should look similar to the image below in ADFS management:

2. Needed information for d!nk

Following information needs to be provided to d!nk:

  1. EntityId
  2. signOnUrl
  3. certificate

2.1. EntityId

The EntityId can be obtained by looking at the FederationMetadata.xml file.
That file is usually located at https://<yourhost.com>/FederationMetadata/2007-06/FederationMetadata.xml

You can get details about these in ADFS Management, under ADFS > Service > Endpoints.
An example:

2.2. SingOnURL

The SignOn URL is usually located at https://<yourhost.com>/adfs/ls/idpinitiatedsignon, but can be customized. You will need to provide the correct SignOn URL to d!nk.

2.3. Certificate

You will need to provide the base64 encoded x.509 certificate (= public key) used to verify the signature of the tokens. If ADFS uses auto-rollover for keys, you will need to provide future certificates as well.

3. Required claims

d!nk will need at least the following user attributes from you:

  • First name - ClaimTypes.GivenName (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)
  • Last name - ClaimTypes.Surname (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)
  • Name Id - ClaimTypes.NameIdentifier (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier)
  • Email - ClaimTypes.Email (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)

Example of the rule to send the values to d!nk is below:


Powered by Zendesk