ADFS SAML Setup

ADFS, or Active Directory Federation Services, is the SAML 2.0 identity provider that ships with Microsoft Active Directory as a Windows Server role. The following guide describes how to deploy an ADFS SAML configuration as the authentication provider for Pyramid.

Setup in ADFS

Step 1

Connect to your local ADFS server.

Step 2

Open ADFS Management:

  1. Go to Relying Party Trusts > click Add Relying Party Trust > add your Pyramid URL. For details on creating a relying party trust, click here.
  2. Select the Pyramid URL from the list of Relying Party Trusts > go to the Identifier tab > add the Pyramid URL as the ‘Display name’ and as a ‘Relying party identifier’. ADFS matches this identifier against the issuer in Pyramid's SAML request, so it must be exactly the Pyramid URL.
  3. Go to the Endpoints tab > add a SAML endpoint > set the binding to Redirect and set Trusted URL to the /login/callback endpoint on your Pyramid URL (shown here as https://www.pyramidanalytics.com/login/callback). This is the Assertion Consumer Service: the only address ADFS will deliver signed assertions to, so it must point at your own Pyramid host.
  4. Right-click the Pyramid URL and select Edit Claim Rules > add a rule that issues the attribute Pyramid will use as the Principal Name as the subject (Name ID) of the token.

Step 3

Go to the Signature tab, select the certificate and click View; ensure that the URL shown for the signature matches the Relying Party Trust URL. Go to Details and select Copy to File; in the Certificate Export Wizard choose ‘Base-64 encoded X.509 (.CER)’ as the export file format and complete the wizard. Pyramid uses this certificate to verify the signatures on the SAML responses ADFS returns, so confirm that the one you export is the ADFS token-signing certificate (listed under Service > Certificates in ADFS Management) and note its thumbprint; when ADFS rolls that certificate over, Pyramid must be updated with the new one or logins will fail signature validation.
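The scripted equivalent of Steps 1 to 3, run in PowerShell on the ADFS server with the ADFS module, is shown below as an added example; it is not code from the Pyramid documentation. The Pyramid URL, the export path and the choice of userPrincipalName as the attribute sent as the subject are assumptions, since the page does not name them.

```powershell
# Added example (not from the Pyramid documentation): scripted equivalent of
# Steps 1-3 using the ADFS PowerShell module on the ADFS server.
# Assumptions, not from the page: the Pyramid URL, the export path, and the
# choice of userPrincipalName as the attribute issued as the subject.
Import-Module ADFS

$pyramidUrl = 'https://pyramid.example.com'        # assumed Pyramid URL (relying party identifier)
$acsUrl     = "$pyramidUrl/login/callback"         # callback path from the page
$exportPath = 'C:\temp\adfs-token-signing.cer'     # assumed export location

# Step 2.3: SAML Assertion Consumer endpoint with Redirect binding, as the page specifies
$acs = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLAssertionConsumer `
        -Uri $acsUrl -Index 0 -IsDefault $true

# Step 2.4: claim rule that issues the attribute Pyramid will use as Principal
# Name as the token subject (Name ID). userPrincipalName is an assumption.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Authorization rule: permit everyone to use this trust; restrict to a group if required
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 2.1-2.2: relying party trust named and identified by the Pyramid URL.
# Signing both message and assertion with RSA-SHA256 leaves nothing unsigned for Pyramid to trust.
Add-AdfsRelyingPartyTrust -Name $pyramidUrl -Identifier $pyramidUrl `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -SamlResponseSignature MessageAndAssertion `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Step 3: export the primary token-signing certificate as Base-64 (PEM). This is the
# certificate Pyramid uses to validate the signatures on assertions from this ADFS.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$b64 = [Convert]::ToBase64String($signing.Certificate.RawData,
        [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $exportPath -Value $pem -Encoding Ascii

# Record the thumbprint so the certificate configured in Pyramid can be checked later
"Token-signing thumbprint: $($signing.Certificate.Thumbprint)"
"Exported to $exportPath"

# Read the trust back to confirm identifier and endpoint before moving on to Pyramid
Get-AdfsRelyingPartyTrust -Name $pyramidUrl | Select-Object Name, Identifier, SamlEndpoints
```

The exported file is the one Step 5 tells you to open and copy. Keeping the thumbprint alongside it lets you verify, at the next token-signing certificate rollover, whether the certificate Pyramid holds is still the one ADFS is signing with.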

Step 4

If Pyramid is published through IIS, the site's web.config must reverse-proxy requests to the Pyramid web server and rewrite the Location header of redirects that carry a #redirect= fragment. Change your web.config file to the following (a Rewrite action to another host only works as a reverse proxy when the URL Rewrite and Application Request Routing modules are installed and ARR proxying is enabled):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Maximum request body IIS accepts, in bytes (2 GiB here); lower it if uploads that large are not needed -->
        <requestLimits maxAllowedContentLength="2147483648" />
      </requestFiltering>
    </security>
    <rewrite>
      <rules>
        <!-- Reverse-proxy every request to the Pyramid web server listening on the loopback port -->
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8181/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- On 3xx responses, keep only the target that follows "#redirect=" in the Location header -->
        <rule name="302" preCondition="302">
          <match serverVariable="RESPONSE_Location" pattern="(.*)#redirect=(.*)" />
          <action type="Rewrite" value="{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="302">
            <add input="{RESPONSE_STATUS}" pattern="3[0-9][0-9]" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <defaultDocument>
      <files>
        <clear />
        <add value="readme.html" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
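Before testing the login, it is worth confirming that the IIS site actually has what the web.config above depends on. The following pre-flight check is an added example, not code from the Pyramid documentation; the IIS site name is an assumption, and the rule name, backend address and request limit are the ones from the web.config.

```powershell
# Added example (not from the Pyramid documentation): pre-flight check for the IIS
# site carrying the web.config above. The site name is an assumption.
Import-Module WebAdministration

$site         = 'Default Web Site'             # assumed IIS site hosting the web.config
$expectedBack = 'http://localhost:8181/{R:1}'  # Rewrite target used in the web.config

# 1. URL Rewrite and Application Request Routing must both be installed; an inbound
#    Rewrite to an absolute URL only forwards as a reverse proxy with ARR present.
$modules = Get-WebGlobalModule | Select-Object -ExpandProperty Name
foreach ($m in 'RewriteModule', 'ApplicationRequestRouting') {
    if ($modules -notcontains $m) { Write-Warning "Module $m is not installed" }
}

# 2. ARR proxying is a server-level switch; without it the Rewrite action does not proxy.
$proxy = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/proxy'
if (-not $proxy.enabled) { Write-Warning 'ARR proxy is disabled (system.webServer/proxy enabled=false)' }

# 3. Read the inbound rule target and the request limit back from the site's web.config.
$action = Get-WebConfiguration -PSPath "IIS:\Sites\$site" `
          -Filter "system.webServer/rewrite/rules/rule[@name='ReverseProxyInboundRule1']/action"
$limits = Get-WebConfiguration -PSPath "IIS:\Sites\$site" `
          -Filter 'system.webServer/security/requestFiltering/requestLimits'

if ($action.url -ne $expectedBack) {
    Write-Warning "Inbound rule forwards to '$($action.url)', expected '$expectedBack'"
}
$limitBytes = [uint64]$limits.maxAllowedContentLength
"maxAllowedContentLength = $limitBytes bytes ($([math]::Round($limitBytes / 1GB, 2)) GiB)"
```

Run it in an elevated PowerShell session on the IIS host. A warning about the proxy switch is the most common reason the login redirect produces a 404 instead of reaching Pyramid on port 8181.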

Step 5

Open the certificate file you exported in Step 3 in a text editor and copy its Base-64 contents; you will paste it into Pyramid's SAML settings.

Setup in Pyramid

Step 6

Go to your Pyramid environment > go to Admin > Access > Authentication > select SAML and configure the following:

SAML Settings

These settings are identical to those needed for any SAML provider - as explained here.

Initial User

  1. Principal Name: click the Test button; Pyramid sends a SAML request to the ADFS URL. Log in at the ADFS page; Pyramid then shows a page with the message "System isn't configured to SAML" together with the subject it received.
  2. Copy the value shown in the subject field and paste it under Principal Name in Pyramid.
  3. Enter the initial user details as explained here, as for standard SAML.

Step 7

Click Apply > select Disable in the Delete/Disable Users dialog and click OK > the browser asks whether you want to leave the site; select Leave. You are redirected to your ADFS login page.

Step 8

Log in with your ADFS organizational account, after which you are redirected to the Pyramid application. A successful login confirms the whole chain: ADFS issued an assertion for the identifier from Step 2, delivered it to the callback URL from Step 2, and Pyramid validated its signature with the certificate exported in Step 3.