ADFS SAML Setup

ADFS or Active Directory Federate Services is the SAML provider that comes with Microsoft Active Directory. The following guide is to help the deployment of an ADFS SAML configuration as the authentication provider for Pyramid.

Important: If Same Site client security is set to Strict when using SAML authentication, this may cause a loop redirect between Pyramid and the SAML provider, as cookies are prevented from working across different web domains. This shouldn't be an issue if your SAML provider and Pyramid are within the same web domain.

Setup in ADFS

Step 1

Connect to your local ADFS.

Step 2

Open ADFS Management:

1. Go to Relying Party Trusts > click Add Relying Party Trust > add your Pyramid URL. For details on creating a relying party trust, click here.

   

2. Select the Pyramid URL from the list of Relying Party Trusts > go to the Identifier tab > add the Pyramid URL as the 'Display name' and 'Relying party identifiers'.
   
3. Go to the Endpoints tab > add SAML > set binding as POST and set Trusted URL as https://www.pyramidanalytics.com/login/callback
   
4. Right click on the Pyramid URL and select Edit Claim Rules > set a rule to match a value to the subject token; this value should be the principal name.

Step 3

Export the 'ADFS Signing' certificate to a file. The contents of the file will must be pasted into the Pyramid ADFS SAML configuration settings later on.

Step 4

An additional setting in IIS must be configured. Change your web.config file to the following:

<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <security> <requestFiltering> <requestLimits maxAllowedContentLength="2147483648" /> </requestFiltering> </security> <rewrite> <rules> <rule name="ReverseProxyInboundRule1" stopProcessing="true"> <match url="(.*)" /> <action type="Rewrite" url="http://localhost:8181/{R:1}" /> </rule> </rules> <outboundRules> <rule name="302" preCondition="302"> <match serverVariable="RESPONSE_Location" pattern="(.*)#redirect=(.*)" /> <action type="Rewrite" value="{R:2}" /> </rule> <preConditions> <preCondition name="302"> <add input="{RESPONSE_STATUS}" pattern="3[0-9][0-9]" /> </preCondition> </preConditions> </outboundRules> </rewrite> <defaultDocument> <files> <clear /> <add value="readme.html" /> </files> </defaultDocument> </system.webServer> </configuration>

Step 5

Open the Signature file that you exported at Step 3 and copy it.

Setup in Pyramid

Step 6

Open Pyramid and go to the Admin console. From the main menu, click Security > Authentication. From the Provider drop-down, select SAML. Configure the following:

SAML Settings

These settings are identical to those needed for any SAML provider - as explained here.

Be sure to copy and paste the (Base64) certificate, which was exported during Step 3 above, into the 'Certificate (Base64)' field.

Initial User

1. Principal Name: Click the Test button; a request is sent to the ADFS URL. Login to Pyramid ADFS; you will see a page with the message "System isn't configured to SAML".
2. Copy the domain name from the subject field and paste it under Principal Name in Pyramid.
   
3. Enter the initial user details as explained here like standard SAML.

Step 7

Click Apply. select Disable from the Delete/ Disable Users dialog and click OK > the browser will ask you if you want to leave the site; select Leave. You will be directed to your ADFS login page.

Step 8

Login with your ADFS organizational account after which you will be directed to the Pyramid application.