How to Setup SSO using ADFS
Single Sign-On (SSO) is a user authentication process that allows your users to sign in to multiple applications using the same set of login credentials. This makes sign-in easier for end users and simplifies user management. VIDIZMO offers flexible options for integrating with a wide range of single sign-on authentication providers, including:
- Directory services such as Azure AD, Active Directory Federation Services (ADFS), etc.
- Identity and Access Management (IAM) services such as Okta, OneLogin, Ping, Centrify, ForgeRock, etc.
- Third-party login services such as Facebook, Google, Office 365, X, LinkedIn, etc.
With an app model integration for SSO, VIDIZMO makes the integration as easy as enabling or disabling your identity provider from within the platform administrator interface in minutes. Enterprises using ADFS as their identity provider can use the SSO option with VIDIZMO, allowing users to sign in using the same set of credentials.
For more information about VIDIZMO SSO Apps, read Understanding Single Sign-On.
Prerequisites
- To configure ADFS SSO with VIDIZMO, you must have an administrator account on the ADFS server so that you can create an Application Group for authorization.
- If other SSO Apps besides ADFS SSO are configured and enabled on your Portal, your users will see multiple buttons on the login page and can choose any of the identity providers to log in to their VIDIZMO Portal.
- VIDIZMO requires your ADFS authorization server to expose a list of scopes to map attributes and provide user authentication. These scopes include:
  - profile (the user's First Name and Last Name are exposed and mapped to your VIDIZMO account in this scope)
  - email (the user's Email Address is exposed and mapped to your VIDIZMO account in this scope)
  - openid (required to indicate that the application intends to use OIDC to verify the user's identity)
- Portal users who belong to a group with the Management of SSO + SCIM (Excluding Social SSO) feature permission enabled can configure and enable SSO options in VIDIZMO.
- If your portal uses HTTPS, make sure your ADFS authentication server also uses HTTPS.
Configuration in ADFS
- Create an Application Group (this will hold the settings for VIDIZMO in ADFS).
  - In ADFS Management, right-click Application Groups and select Add Application Group.
  - In the Add Application Group Wizard, enter ADFSSSO as the name (you can give it any name of your choice) and, under Client-Server applications, select the Web browser accessing a web application template.
  - Select Next.

- In the Add Application Group Wizard:
  - Copy the Client Identifier value. It will be used later as the value for ClientId in the VIDIZMO configuration. (The Client Identifier field can be edited, so you can enter a self-defined client identifier key.)
  - Enter the following for Redirect URI: https://portaldomain.com/sso/signin-adfs. Select Add, then select Next.
  NOTE: portaldomain is your portal URL. For example, if your portal URL is lexcorp.com, the Redirect URI will be https://lexcorp.com/sso/signin-adfs.

- Under Choose an access control policy, select the access control policy you want to apply (e.g. select Permit everyone if you want to allow all your portal members to use ADFS) and select Next.

- On the Summary screen review the details, select Next and then select Close.

- In ADFS Management, select Application Groups, right-click the ADFSSSO application (created in step 1) and select Properties. (Here you configure the Issuance Transform Rules, which determine the claims VIDIZMO receives when authenticating a login through ADFS.)

- Select and edit the ADFSSSO - Web application.

- Select the Issuance Transform Rules tab and select Add Rule.

- The Add Transform Claim Rule Wizard will open.
  - On the Choose Rule Type screen, select Send LDAP Attributes as Claims as the Claim rule template from the drop-down list.
  - Select Next to proceed.

- You will move on to the Configure Claim Rule screen, where you configure a rule that sends the values of LDAP attributes as claims:
  - Enter a Claim rule name.
  - Select Active Directory as the Attribute store from the drop-down list.
  - Map LDAP attributes to Outgoing Claim Types.

The LDAP Attribute column lists the attributes available from Active Directory, and the Outgoing Claim Type column lists the claim types that will be sent to VIDIZMO.
| LDAP ATTRIBUTE | OUTGOING CLAIM TYPE |
|---|---|
| E-Mail-Addresses | E-mail Address |
| Given-Name | Given Name |
| Surname | Surname |
| User-Principal-Name | Nameidentifier |
| Token-Groups - Unqualified Names | Group |
Once all LDAP attributes are mapped to outgoing claim types, select Finish.
NOTE: Token-Groups - Unqualified Names is used to grant access to all users of a group as well as of the subgroups associated with that group.

- Get the Portal URL and Meta Address. (Both are required fields for configuring ADFS SSO in VIDIZMO and are used in combination.) Copy these two values; you will need them in the VIDIZMO portal settings.
  - Go to ADFS Management.
  - Select Edit Federation Service Properties.

- The Federation Service Properties screen will open.
  - Copy your Federation Service Name.

- Get the Meta Address by going to Endpoints in ADFS Management.

Configuration in VIDIZMO
- Open the navigation menu via the button on the top left.
- Select the Admin dropdown.
- Select Portal Settings.
- Select Apps.
- Select Single Sign-On.
- Select the settings icon on the ADFS SSO app.
- In the ADFS SSO - Settings dialog, configure the following:
  - Enter the Client Identifier you copied in step 2 of the ADFS configuration.
  - Enter the Meta Address. It is the combination of the Federation Service Name (Portal URL) and the Meta Address.
  - Requires HTTPS Metadata: Select this checkbox to require that metadata is retrieved over HTTPS. When a request is handled for the first time, VIDIZMO retrieves metadata from the authorization server (also called the authority or issuer). This metadata, called the discovery document in OpenID Connect terminology, contains the public keys and other details needed to validate tokens.
  - Force Login: Select this checkbox to enable forced login, which takes users directly to ADFS. When unchecked, users are not redirected automatically to the IdP and must sign in through your Portal's sign-in screen.
- Select Save Changes.
- Enable the toggle on the ADFS SSO app to activate it on your portal.
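As an added example (not VIDIZMO or Microsoft code), the following Python pre-flight check builds the Redirect URI and Meta Address from a portal domain and Federation Service Name, then checks a discovery document against the prerequisites above: HTTPS everywhere, the openid/profile/email scopes, and a jwks_uri for token validation. The discovery path `/adfs/.well-known/openid-configuration` and the sample document are assumptions, not values from this page.

```python
# Added pre-flight checks for the ADFS SSO settings above (not VIDIZMO or Microsoft code).
# Assumptions: the discovery path "/adfs/.well-known/openid-configuration" and the
# sample document below are constructed, not captured from a real ADFS server.
import json
from urllib.parse import urlparse

REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes listed under Prerequisites

def redirect_uri(portal_domain: str) -> str:
    """Build https://<portaldomain>/sso/signin-adfs as the Redirect URI step requires."""
    if "://" not in portal_domain:
        portal_domain = "https://" + portal_domain
    return f"https://{urlparse(portal_domain).netloc}/sso/signin-adfs"

def meta_address(federation_service_name: str) -> str:
    """Federation Service Name combined with the discovery endpoint (assumed path)."""
    return f"https://{federation_service_name.strip().rstrip('/')}/adfs/.well-known/openid-configuration"

def check_discovery(doc_json: str, meta_url: str, require_https: bool = True) -> list:
    """Return findings for a discovery document; an empty list means it passes."""
    doc = json.loads(doc_json)
    findings = []
    issuer, expected_host = urlparse(doc.get("issuer", "")), urlparse(meta_url).netloc
    if require_https and issuer.scheme != "https":
        findings.append("issuer is not served over HTTPS")  # mirrors Requires HTTPS Metadata
    if issuer.netloc.lower() != expected_host.lower():
        findings.append(f"issuer host {issuer.netloc!r} does not match {expected_host!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        findings.append("missing scopes: " + ", ".join(sorted(missing)))
    jwks = urlparse(doc.get("jwks_uri", ""))
    if not jwks.netloc:
        findings.append("no jwks_uri: token signatures cannot be validated")
    elif require_https and jwks.scheme != "https":
        findings.append("jwks_uri is not served over HTTPS")
    return findings

SAMPLE_DOC = json.dumps({  # constructed sample, shaped like an OIDC discovery document
    "issuer": "https://adfs.example.com/adfs",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "scopes_supported": ["openid", "profile", "email"],
})

if __name__ == "__main__":
    url = meta_address("adfs.example.com")
    print(redirect_uri("lexcorp.com"), url, check_discovery(SAMPLE_DOC, url))
```

Run it against the JSON returned by your own Meta Address before saving the settings; any finding corresponds to a prerequisite above that the ADFS side does not yet meet.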
Sign in using ADFS SSO
Sign out from your existing account and navigate back to the Login page to see an option to sign in using ADFS SSO.