Integrating YuJa Active Learning with ADFS (SAML)

1. Overview

This document is intended to guide users on how to set up a secure connection between the YuJa Active Learning Platform (referred to as the Service Provider, or SP) and ADFS (referred to as the Identity Provider, or IDP) using the SAML 2.0 protocol. Once properly configured, the SP and IDP will communicate using SAML 2.0 requests/responses in order to authenticate and log in users.

2. Setup

Setup involves configuration of both the IDP and the SP.

2.1 ADFS (IDP) Configuration

Configuration of the IDP involves:

A) Creating a Relying Party Trust (RPT) with YuJa;
B) Adding Claim Rules to the RPT so that SAML responses contain the correct information about the user; and
C) Adjusting the hash algorithm of the RPT.

Ensure that all 3 parts are completed so that configuration is done properly.

NOTE: For some steps, <institution> is to be replaced by the wildcard DNS of the institution associated with YuJa. As an example, for https://hudson.yuja.com, <institution> would be replaced by hudson.

A) To Create a Relying Party Trust:

1. On the ADFS server, open the application ADFS Management.
2. In the left panel, under Trust Relationships, click on Relying Party Trusts.
3. In the Actions tab, click on Add Relying Party Trust.
4. In the Add Relying Party Trust Wizard window, click Start.
5. If you have the YuJa SP metadata, enter it using the appropriate option (either the address or file), and press Next. Follow the steps below, then skip Step 6. If not, proceed to Step 6.
   a. Enter a display name for the RPT (e.g. "YuJa"). Click Next.
   b. Select "I do not want to configure multi-factor authentication settings for this relying party trust at this time". Click Next.
   c. Select "Permit all users to access this relying party". Click Next.
   d. Review the settings to make sure everything is correct, then click Next.
   e. Make sure "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" is selected, then click Close. Proceed to Step 2 of part B).
6. Select "Enter data about the relying party manually", press Next and follow the steps below:
   a. Enter a display name for the RPT (e.g. "YuJa"). Click Next.
   b. Select ADFS Profile and click Next.
   c. On the Configure Certificate step, click Next. Do not encrypt claims sent to YuJa.
   d. Select "Enable support for the SAML 2.0 WebSSO protocol". For the Relying party SAML 2.0 SSO service URL enter "https://<institution>.yuja.com/d/samlreceiveresponse", without the quotations. Click Next.

   e. For the Relying party trust identifier, enter "https://<institution>.yuja.com", without the quotations. Click Add, then click Next.
   f. Select "I do not want to configure multi-factor authentication settings for this relying party trust at this time". Click Next.
   g. Select "Permit all users to access this relying party". Click Next.
   h. Review the settings to make sure everything is correct, then click Next.
   i. Make sure "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" is selected, then click Close.
   j. Proceed to Step 2 of part B).

B) To Add Claim Rules:

1. To create/edit claim rules, first click on the RPT. On the right panel, click Edit Claim Rules.
2. In the Edit Claim Rules window, click Add Rule...
3. Select "Send LDAP Attributes as Claims" and click Next.
4. Enter a Claim rule name.
5. Select Active Directory as the Attribute Store.
6. Create four claim mappings (LDAP Attribute -> Outgoing Claim Type):
   - E-Mail-Addresses -> E-Mail Address
   - Given-Name -> Given Name
   - Surname -> Surname
   - <An attribute relating to the role of a user> -> Role
   NOTE: The Role Claim is used to determine if users are provisioned as students (the default) or are given enhanced privileges (Instructor/IT Manager). The suggested values for this field are "IT Manager" and "Instructor" (for users you wish to have IT Manager/Instructor privileges respectively), but you can use existing/custom values (see 2.2 #6 below for a discussion of IT Manager and Instructor mapping).
7. Click Finish.
8. Now, create a second claim rule. Click Add Rule.
9. Select "Transform an Incoming Claim". Click Next.
10. Enter a Claim rule name.
    a. For Incoming claim type, select E-Mail Address.
    b. Note: This assumes that each user in the ADFS system has an e-mail address associated with them. If this is not the case, select Given Name instead.
11. For Outgoing claim type, select Name ID.
12. For Outgoing name ID format, select Email.
13. Click Finish.
14. Click OK in the Edit Claim Rules window.

C) To Adjust the Hash Algorithm:

1. Double-click on your RPT.
2. Go to the Advanced tab.
3. In the dropdown, select SHA-1.
4. Click OK.

2.2 YuJa Platform (SP) Side SAML Configuration

Configuration of the SP involves integrating the ADFS server as an IDP, with YuJa as an SP. The only resource needed to help configure YuJa is the IDP metadata of the ADFS server. This can be downloaded by navigating to:

https://<adfs domain>/federationmetadata/2007-06/federationmetadata.xml

The .xml metadata file contains all the necessary information for configuration on the YuJa side. Once downloaded, follow the steps below on how to extract the parameters from the metadata to integrate ADFS with YuJa.

1. Navigate to your institution's YuJa domain (i.e. https://<institution>.yuja.com).
2. Log in as an IT Manager.
3. In the Main Menu located in the top right corner, go to the Institution Management tab.
4. In the left sidebar, go to Integrations.
5. Under "Select an API to configure", select SSO - ADFS (SAML).

6. Enter the following information (Attribute, Required?, Description):

ADFS SSO URL (Required: Yes)
- The URL used for SSO. This is where YuJa will send AuthnRequest tokens.
- Found in the IDP metadata under <IDPSSODescriptor> > <SingleSignOnService>, as the Location attribute. Note that for YuJa, an HTTP-Redirect binding is used.
- For example: https://<adfs domain>/adfs/ls/

Name ID Format (Required: Yes)
- The format to be used by the SP and IDP when communicating about a subject.
- Found in the IDP metadata under <IDPSSODescriptor> > <NameIDFormat>, as the value of that tag. Note that, if available, emailaddress should be prioritized and used.
- For example: urn:oasis:names:tc:saml:1.1:nameid-format:emailaddress

Remote Logout URL (Currently not supported)
- Leave this value blank.

ADFS Signing Certificate Fingerprint (Required: No, but strongly recommended)
- The unique fingerprint of the IDP's certificate used when signing SAML responses.
- The thumbprint is not explicitly located in the metadata, but the certificate used to sign either the SAMLResponse or the Assertion is.
- See "How to Derive the Fingerprint of a Certificate" in the Additional Tools section of this document for more details.
- For example: 7j2mka9cfe2d09j23eefe01442f6a49d1222391f

Given Name Attribute (Required: No)
- The name of the attribute in the SAML response describing the user's given name (i.e. first name).
- Found in the IDP metadata. There is a section in the .xml file which should contain a list of <Attribute> tags. Enter the value for the Name key, under the appropriate <Attribute> for given name.
- The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Family Name Attribute (Required: No)
- The name of the attribute in the SAML response describing the user's family name (i.e. last name, surname).
- Found in the IDP metadata. There is a section in the .xml file which should contain a list of <Attribute> tags. Enter the value for the Name key, under the appropriate <Attribute> for family name.
- The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Email Attribute (Required: No)
- The name of the attribute in the SAML response describing the user's email address.
- Found in the IDP metadata. There is a section in the .xml file which should contain a list of <Attribute> tags. Enter the value for the Name key, under the appropriate <Attribute> for email address.
- The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Role Attribute (Required: No)
- The name of the attribute in the SAML response describing the user's role.
- Found in the IDP metadata. There is a section in the .xml file which should contain a list of <Attribute> tags. Enter the value for the Name key, under the appropriate <Attribute> for role.
- The value should be: http://schemas.microsoft.com/ws/2008/06/identity/claims/role

IT Manager (Required: No)
- A comma separated list of values can be used.
- If the value received in the Role Attribute matches any of these values, the user will be provisioned as an IT manager.
- For example: IT Manager

Instructor (Required: No)
- A comma separated list of values can be used.
- If the value received in the Role Attribute matches any of these values, the user will be provisioned as an instructor.
- For example: Instructor or Instructor,Teacher,TA

Automatically sync data on user login (Required: No)
- If checked, whenever a user logs in via ADFS their basic information will be updated based on the data received in the SAML response token.

7. Click Create.

8. Click OK in the confirmation dialog popup.
9. If required, you can update the configuration settings if you made a mistake. Simply click Save to keep the changes.
10. To test if the configuration is correct, click Test SAML Login. This should open a new tab and navigate to your ADFS server, prompting a login.
11. Enter valid login credentials and Login.
12. You should be redirected back to YuJa, signed in as a new user. NOTE: logging in as a new user may log the original account out. Log out of the newly created account and log back in as an IT Manager. Then navigate back to Institution Management > Integrations > SSO - ADFS (SAML).
13. Once you have verified that the SAML SSO works, you can choose to activate the new authentication scheme for your institution. To do so, click Activate, then click OK in the confirmation dialog. IMPORTANT: Only activate the new authentication scheme after successfully performing a test login and when you are ready to make it available for all users in your institution.

2.3 Dual Integration with LTI

Overview

If your institution has enabled both LMS Integration via LTI and also SSO access, then you have the choice to link the two integrations. We generally recommend this because it means that irrespective of whether your users log in via their LMS or their SSO, they will be presented with the same YuJa account information. In contrast, if Dual Integration with LTI is not set up, a user who uses both their LMS and SSO with YuJa will be provisioned with two separate accounts, which in many cases isn't ideal.

How It Works

If your LTI provider within your LMS can be configured to provide YuJa with a unique identifier for the user in the ADFS system, it is possible to link the two accounts.

1. Configure your LMS to pass a custom LTI parameter to the YuJa tool called lis_person_sourcedid which contains the cross-matching SSO value. This can be an email, employee ID, or other field. You may need to consult your LMS platform's product documentation on how to set custom LTI parameters. YuJa will make use of this feature to link the two login methods to the same account.
2. Obtain the specific attribute name used in the SAML Response token whose value corresponds to the unique identifier used by the LTI provider (in Step 1 above).
   a. For example, if the unique identifier is the user's email address, then the linkage attribute might be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

   b. A complete list of the possible attribute names can be found in the ADFS metadata file, in the <Attribute> tags.
4. Enter this value into the Linkage Attribute field. Note: This textbox will only appear if your institution has enabled LTI access.
5. Click Save.
6. Now, when logging in for the first time via ADFS (SAML), the YuJa system will search for a link with an LTI account using the value of the linkage attribute. If found, the SAML account will be linked to the existing account. Otherwise, a new account will be provisioned as normal. All logins past the first one will continue to link to the YuJa account created or found on the first login.

3. Usage

Once both sides have been configured and the SAML SSO has been activated, it is easy to test and see if everything was done properly.

1. Go to the institution's YuJa domain (i.e. https://<institution>.yuja.com) and press Login. This should redirect the user to the ADFS server's login page.
2. Enter valid credentials and sign in.
3. Once authenticated, the user should be redirected back to YuJa, and the login was a success.

4. Additional Tools

4.1 How to Derive the Fingerprint of a Certificate

The fingerprint of the IDP's certificate is used for additional security purposes when the SP is verifying a SAML response from the IDP. To derive the certificate's fingerprint, follow the instructions below:

1. In the ADFS IDP metadata, extract the X509 certificate. This should be located under: <IDPSSODescriptor> > <KeyDescriptor use="signing"> > <KeyInfo> > <X509Data> > <X509Certificate>
2. Once you have the certificate, go to the following website: https://www.samltool.com/fingerprint.php
3. Paste the certificate in the X509 cert textbox.
4. Make sure sha1 is selected as the Algorithm.
5. Click Calculate Fingerprint.
6. Copy the FingerPrint value generated. This is the value used in the database. Note: The fingerprint should be an array of 20 bytes for sha1.

4.2 Useful Chrome Plugin for Debugging SAML Tokens

If you are using Chrome as your web browser, you may want to install a useful SAML plugin at: https://chrome.google.com/webstore/detail/saml-chromepanel/paijfdbeoenhembfhkhllainmocckace?hl=en

Once installed, simply open the developer tools in the browser (F12) and click on the SAML tab. Now, when doing an SP-initiated login, the SAML tokens sent by the browser will be shown in detail. This tool can be very useful in debugging SAML requests and responses.
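The metadata lookups in 2.2 step 6 (SSO URL, Name ID Format, signing certificate) and the SHA-1 fingerprint derivation in 4.1 can be done offline instead of by hand or through a third-party website. The script below is an added example, not YuJa's or Microsoft's code; it parses a constructed federationmetadata.xml stand-in (adfs.example.edu is a placeholder, and the "certificate" is just the base64 of the bytes "abc" so the fingerprint is a known test vector) and also checks a fingerprint already entered in YuJa against the current metadata.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for federationmetadata.xml; adfs.example.edu is a placeholder. The
# X509Certificate is base64 of the bytes "abc" (not a real cert), so SHA-1 is a known vector.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.edu/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.edu/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.edu/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def sha1_fingerprint(cert_b64):
    """SHA-1 over the DER bytes behind the base64 text, as section 4.1 derives it."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest()  # 20 bytes -> 40 hex characters

def parse_adfs_metadata(xml_text):
    """Pull the YuJa 'SSO - ADFS (SAML)' settings out of ADFS federation metadata."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # ADFS SSO URL: Location of the SingleSignOnService using the HTTP-Redirect binding.
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")
    # Name ID Format: prefer emailAddress when the IDP offers it, else the first listed.
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)]
    email = [f for f in formats if f.lower() == EMAIL_FORMAT.lower()]
    # Signing certificate: KeyDescriptor use="signing" -> KeyInfo/X509Data/X509Certificate.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "signing":
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if not cert:
        raise ValueError("no signing certificate in metadata")
    return {"sso_url": sso[0], "name_id_format": (email or formats)[0],
            "fingerprint": sha1_fingerprint(cert)}

def fingerprint_matches(configured, metadata_xml):
    """Compare the value entered in YuJa with the live metadata (colons and case ignored)."""
    wanted = configured.replace(":", "").replace(" ", "").lower()
    return wanted == parse_adfs_metadata(metadata_xml)["fingerprint"]
```

Running fingerprint_matches against the real metadata URL after an ADFS certificate rollover tells you whether the value stored in YuJa still matches the certificate that now signs responses.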