SSO With ADFS

This guide provides step-by-step instructions on how to configure single sign-on (SSO) with Active Directory Federated Services (ADFS). You already use ADFS to conveniently manage permissions to applications. After SSO configuration is complete, you’ll be able to use ADFS to manage permissions to your databases.

Prerequisites #

Your ADFS server will need a valid TLS certificate.

Steps #

1. Within Application Groups, add a new application group. From the Application Group Wizard’s Welcome screen, select the client-server application template Server application accessing a web API. Provide a name and click Next.

   

2. In Server application, you’ll be configuring the server application redirect URI. Save the client identifier; you will need this in the following steps. Add the following redirect URI: https://app.strongdm.com/auth/return.

   

3. In Configure Application Credentials, select the checkbox for Generate a shared secret and save the secret for later.

   

4. In Configure Web API, add the client identifier you saved from the previous step.

   

5. In Configure application permissions, select the checkboxes for the following scope names:

   1. allatclaims
   2. aza
   3. email
   4. openid
   5. profile

   

6. In Summary, review the settings and click Next.

   

7. From the Add Transform Claim Rule Wizard’s Configure Claim Rule screen, enable login by email instead of UPN. By default StrongDM will match your login email address to the UPN returned by ADFS. If you would prefer to use email, edit the Web API and add the following transformation rule as shown.

   

8. Next, enable ADFS in the StrongDM Admin UI in Settings > User Management. Click the lock to make changes, and then select Active Directory from the provider drop-down menu. Add your client details as shown and click activate.