This guide demonstrates the step-by-step process for creating a new application in Active Directory Federation Services (ADFS), capable of communicating via SAML 2.0 with Axur Platform services. In this guide, we will cover all the necessary configurations to ensure that Single Sign-On (SSO) works correctly and as expected.
Before you start
Ensure you have the necessary permissions to access the server where ADFS is installed and the Active Directory Users and Computers management console.
When performing the configurations, make sure that the data you are copying or typing in the indicated locations is correct. Incorrect data entry can cause problems later when we test our application.
Groups, users, and assignments
In all Axur Platform SSO application creation tutorials, there is the concept of users and groups. After all, the provider is where all your user information will be stored, in addition to the groups to which they belong (creating groups via the provider is optional). In this sense, this section is dedicated to teaching how to create groups and users in ADFS, as well as assigning users to groups.
Creating a group (Optional)
This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you prefer, you can skip the sections Creating a group (Optional), Assigning a group to a user (Optional), and Mapping user groups (Optional).
The following images demonstrate the creation of a group in Active Directory.
Repeat the process to add new groups. The names you define for these groups in Active Directory (e.g., “Axur Viewer”) are for your internal organization. Later, in the ADFS claims mapping, you will associate these groups with the specific values that the Axur Platform expects. Create names that are descriptive for you.
| Suggested AD name | Group description |
| --- | --- |
| Axur Viewer | Users in this group will have access to the Axur Platform, with the ability to view all ticket, result, and invoice information, but cannot perform any actions. |
| Axur Analyst | Users in this group will have access to the Axur Platform and, in addition to viewing all information, can perform non-billable actions (all except Takedown requests). |
| Axur Expert | Users in this group will have access to the Axur Platform and, in addition to performing non-billable actions, can also request Takedowns. |
| Axur Manager | Users in this group will have access to the Axur Platform and can perform all actions (non-billable and billable) and also view activities performed by their users in the Axur Platform. |
| Axur Custom | Users in this group have a personalized set of capabilities. When they are created, the manager can decide what their capabilities will be. |
Creating a user
The following images demonstrate the creation of a user in Active Directory.
After creating the user, navigate to their properties and ensure that the email field is filled correctly, as it will be used in the claims mapping. Follow the images:
Assigning a group to a user (Optional)
This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you prefer, you can skip the sections Creating a group (Optional), Assigning a group to a user (Optional), and Mapping user groups (Optional).
To assign a group (created in Active Directory) to a user, follow the step-by-step instructions in the images:
When typing the group name, click the Check Names button to verify if the entered group exists in Active Directory. If it exists, its name will appear underlined, as in the example below:
Otherwise, a dialog window will indicate that the name was not found:
If the name is correct, simply click OK.
Creating a new application
With access to the ADFS management console, follow the step-by-step instructions in the images to create a new application (formally called a Relying Party Trust), which represents the Axur Platform application to ADFS.
Here is the Axur Platform metadata URL that you will need in one of the steps, to allow ADFS to automatically configure various information about the Service Provider:
| Field | Value |
| --- | --- |
| Federation Metadata address (Axur Platform) | |
After clicking the button to finish creating the application, proceed to the next section. It is not necessary to check the option indicated in the last image, as we will do this later.
Sending Axur Platform data to ADFS
It is necessary for ADFS to know who it will be communicating with for the SSO process to work smoothly.
Since the Axur Platform data (such as SAML Endpoints and certificate) has already been consumed and configured by ADFS when we created the application in the Creating a new application section (by importing the Axur Platform metadata), this step has effectively already been completed. Proceed to the next one!
Mapping user attributes
By using ADFS as our provider, we are leveraging the credentials that are already stored and managed by ADFS, and these credentials are stored in the format defined by the provider. However, to communicate with the Axur Platform using SAML, user data must be sent in a standardized way. Think of it this way: we need to ensure that the Axur Platform always receives the user’s email attribute in the same format, regardless of whether this data comes from ADFS or any other provider. Different providers store their data in different ways, and mappings solve this problem.
Follow the step-by-step instructions in the images to create the mappings:
On the rule creation screen, we will add the user attribute mappings. Follow the step-by-step instructions in the images to perform the configurations on your machine, and ensure that the values are identical to those required:
Mapping user groups (Optional)
This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you prefer, you can skip the sections Creating a group (Optional), Assigning a group to a user (Optional), and Mapping user groups (Optional).
Just like user attributes, we also have groups, which bring users together according to some specific criteria. These groups are created by the administrator in Active Directory, and as explained in the previous section, it is necessary to create a mapping so that this data is transmitted to the Axur Platform in a standardized way, regardless of the provider.
In this section, the focus is on taking each of the groups you created in the Creating a group (Optional) section, and telling ADFS how these group names should be mapped at the time of sending to the Axur Platform. Follow the images to create the group mappings in the ADFS configurations.
In this next image, you will have to search for the desired group. Just follow the logic we defined for group searching in the assigning groups to users section. When filling in the value for the Outgoing claim value field, make sure it follows the values in the table below:
| Desired value | Group (what you should search for, using the Browse button) |
| --- | --- |
| | Axur Viewer |
| | Axur Analyst |
| | Axur Expert |
| | Axur Manager |
| | Axur Custom |
Add new rules for each of the Active Directory groups you created in the Creating a group (Optional) section, respecting the rules mentioned above.
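The user-attribute mapping and the group mappings above can also be created with the ADFS PowerShell module instead of the GUI. The following is an added example, not part of this guide; it assumes the ADFS and ActiveDirectory modules are available on the ADFS server, and uses placeholders for the Axur metadata URL and for the outgoing group claim values (both come from the tables in this guide, which are not reproduced here). The outgoing claim type used for groups (http://schemas.xmlsoap.org/claims/Group) is an assumption; use the type shown in the guide's images.

```powershell
# Added example: create the Axur relying party trust from its metadata and attach
# the email claim rule plus one group-membership rule per AD group.
Import-Module ADFS
Import-Module ActiveDirectory

$AxurMetadataUrl = 'https://<AXUR-FEDERATION-METADATA-URL>'   # placeholder: value from the guide's table
$RpName          = 'Axur Platform'

# AD group name (left) -> outgoing claim value the Axur Platform expects (right, placeholders)
$GroupClaimValues = @{
    'Axur Viewer'  = '<VIEWER-CLAIM-VALUE>'
    'Axur Analyst' = '<ANALYST-CLAIM-VALUE>'
    'Axur Expert'  = '<EXPERT-CLAIM-VALUE>'
    'Axur Manager' = '<MANAGER-CLAIM-VALUE>'
    'Axur Custom'  = '<CUSTOM-CLAIM-VALUE>'
}

# Rule 1: read the AD "mail" attribute and emit it as the standard emailaddress claim
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Axur - email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Rules 2..n: "send group membership as a claim", keyed by the group's SID
# (the Browse button in the GUI resolves the same SID behind the scenes)
foreach ($group in $GroupClaimValues.Keys) {
    $sid = (Get-ADGroup -Identity $group).SID.Value
    $rules += @"

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Axur - group $group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$($GroupClaimValues[$group])", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
}

# Import the SP endpoints and certificate from the metadata, permit all users
# (as the guide does in the creation wizard) and attach the claim rules in one step
Add-AdfsRelyingPartyTrust -Name $RpName -MetadataUrl $AxurMetadataUrl `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -IssuanceTransformRules $rules

Get-AdfsRelyingPartyTrust -Name $RpName | Select-Object Name, Identifier, Enabled
```

If the trust already exists from the GUI steps, replace Add-AdfsRelyingPartyTrust with Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $rules to update only the rules.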
Obtaining ADFS provider data
Since we are using ADFS as our identity provider, it is necessary to obtain some information that can tell the Axur Platform who it will be communicating with and whether its information is secure and reliable.
Follow the step-by-step instructions in the images to locate the metadata path in your ADFS:
Note that in the indicated section, we find the path to the metadata file (e.g., /FederationMetadata/2007-06/FederationMetadata.xml). To build the full URL, you need to know the hostname (domain) of your ADFS service. For example, if your ADFS service is accessible at:
https://adfs.yourcompany.com
The full metadata URL for your ADFS would be:
https://adfs.yourcompany.com/FederationMetadata/2007-06/FederationMetadata.xml
To build the full metadata URL, append the path to your ADFS hostname. Don’t forget to verify the URL! Click it to check that it actually leads you to the metadata information.
Save this URL, as we will use it in the Axur Platform configuration.
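Besides clicking the URL, you can verify it from the ADFS server itself. This added example (not part of this guide) reads the ADFS hostname, downloads the metadata and checks that it is real SAML metadata: it prints the entityID, the HTTP-Redirect sign-on endpoint the Axur Platform will use, and the signing certificate expiry, since an expired or rolled-over signing certificate is a common cause of signature-validation errors later.

```powershell
# Added example: build the ADFS metadata URL and check what it actually returns.
# Assumes it runs on the ADFS server (Get-AdfsProperties provides the hostname).
Import-Module ADFS

$Hostname    = (Get-AdfsProperties).HostName          # e.g. adfs.yourcompany.com
$MetadataUrl = "https://$Hostname/FederationMetadata/2007-06/FederationMetadata.xml"
Write-Host "Metadata URL to give the Axur Platform: $MetadataUrl"

# Fetch over HTTPS; an HTML error page or login redirect will fail the XML cast below
$resp = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing
[xml]$md = $resp.Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
if (-not $entity) { throw 'Response is not SAML metadata (no EntityDescriptor root)' }
Write-Host "IdP entityID: $($entity.entityID)"

# Sign-on endpoint the Axur Platform will redirect users to
$sso = $md.SelectSingleNode('//md:IDPSSODescriptor/md:SingleSignOnService[@Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]', $ns)
Write-Host "SSO (HTTP-Redirect) location: $($sso.Location)"

# Signing certificate(s): the SP validates assertion signatures with these, so warn before expiry
$certNodes = $md.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)
foreach ($node in $certNodes) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        [Convert]::FromBase64String($node.InnerText))
    $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("Signing cert {0} expires {1:yyyy-MM-dd} ({2} days left)" -f $cert.Thumbprint, $cert.NotAfter, $days)
    if ($days -lt 30) { Write-Warning 'Signing certificate expires soon; the Axur Platform will need the refreshed metadata after rollover' }
}
```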
Assigning groups/users to the application
Since we enabled this application for all users in Active Directory (AD), nothing specific needs to be done. If you created groups, the group mappings already cover access for their members. For direct user assignments to the application, the permit-all configuration from the Creating a new application section already covers them.
Some common errors
The Service Provider (SP) information (Axur Platform in this case). Verify the data from the corresponding section and ensure they are the same.
The Identity Provider (IdP) information (ADFS in this case). Verify that the link you copied here redirects to the metadata file correctly.
The application access information. Verify the assignments of groups or direct users.
Specific errors
| Error | Description | How to Resolve |
| --- | --- | --- |
| Non Authorized IdP or expired IdP login | Unauthorized IdP or expired session | Check the Federation Metadata and the IdP. |
| Missing value for string parameter [email claim] | Missing or empty email claim | Make sure the email attribute is correctly configured in the IdP. |
| Redirection error | Incorrect endpoint URL in the IdP | Check whether the endpoints are correctly configured. |
| Local entity is not the intended audience of the assertion in at least one AudienceRestriction | The assertion was not intended for the SP | Check if the entityId configured in the app is set to com:axur:sso. |
| Authentication statement is too old to be used with value {date} | The authentication statement has expired | The IdP session duration exceeds 7 days. Contact support to adjust it. |
| Validation of protocol message signature failed | The signature of the SAML message is invalid | Verify that the Federation Metadata was correctly provided. |
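Three rows of the table above (wrong audience, missing email claim, authentication statement too old) can be checked directly against the assertion ADFS issues. This is an added example, not part of this guide: the assertion below is constructed for illustration; in practice, paste the base64-decoded saml:Assertion from a SAML Response captured in your own browser session during a test login. The ADFS issuer URL and user are sample values.

```powershell
# Added example: check a SAML assertion for the audience, email-claim and
# AuthnInstant-age problems listed in the error table.
$now = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$SampleAssertion = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample1" Version="2.0" IssueInstant="$now">
  <saml:Issuer>http://adfs.yourcompany.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>com:axur:sso</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="$now"><saml:AuthnContext/></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@yourcompany.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

function Test-AxurAssertion {
    param([string]$AssertionXml, [string]$ExpectedAudience = 'com:axur:sso', [int]$MaxAgeDays = 7)
    [xml]$doc = $AssertionXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $problems = @()

    # "Local entity is not the intended audience": Audience must equal the app's entityId
    $aud = $doc.SelectNodes('//saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns) | ForEach-Object { $_.InnerText }
    if ($aud -notcontains $ExpectedAudience) { $problems += "Audience is '$($aud -join ',')', expected '$ExpectedAudience'" }

    # "Missing value for string parameter [email claim]": email attribute present and non-empty
    $email = $doc.SelectSingleNode("//saml:Attribute[@Name='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']/saml:AttributeValue", $ns)
    if (-not $email -or [string]::IsNullOrWhiteSpace($email.InnerText)) { $problems += 'Email claim missing or empty' }

    # "Authentication statement is too old": AuthnInstant must be within the 7-day limit
    $authn = $doc.SelectSingleNode('//saml:AuthnStatement', $ns)
    if ($authn) {
        $age = (Get-Date).ToUniversalTime() - [datetime]::Parse($authn.AuthnInstant).ToUniversalTime()
        if ($age.TotalDays -gt $MaxAgeDays) { $problems += "AuthnInstant is $([int]$age.TotalDays) days old (limit $MaxAgeDays)" }
    } else { $problems += 'No AuthnStatement in assertion' }

    return $problems
}

$result = Test-AxurAssertion -AssertionXml $SampleAssertion
if ($result.Count -eq 0) { Write-Host 'Assertion passes the Axur checks' } else { $result | ForEach-Object { Write-Warning $_ } }
```

Change the sample's Audience, remove the email attribute, or set AuthnInstant more than 7 days in the past to see each corresponding error reported.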
If you have any questions, feel free to reach out at [email protected] 😊