Cezanne HROther ArticlesSingle Sign-On SAML 2.0 SetupImplement Active Directory Single Sign-On

Implement Active Directory Single Sign-On

This article explains how to implement Single Sign-On (SSO) from Active Directory (AD), into Cezanne HR using Active Directory Federation Services (AD FS) and SAML 2.0.

Note:

Identity Provider Configuration
  1. Ensure AD FS is installed on your server.
  2. Open Server Manager and select Tools >> AD FS Management.
  3. Open the AD FS tree to Trust Relationships >> Relying Party Trusts.
  4. In the action pane, click Add Relying Party Trust.
  5. Click Start.
  6. Select Import data about the relying party published online or on a local network and click Next.
  7. Enter https://w3.cezanneondemand.com/CezanneOnDemand/-/{company-identifier}/Saml/metadata into the Federation metadata address field (where {company-identifier} should be replaced to match your company's Primary URL).
  8. Click Next.
  9. Enter a display name (e.g. “Cezanne”) in the Display Name field and click Next.
  10. If prompted, select I do not want to configure multi-factor authentication… at this time and click Next.
  11. Select Permit all users to access this relying party, click Next and Next again.
  12. Select Open the edit claim rules dialog… when the wizard closes and click Close.
  13. Continue to the Configuring AD FS Issuance Transformation Rules section below.

Ad Server (IdP) Configuration - Manual Option

  1. Backup your AD server.
  2. Install AD FS.
  3. Open Server Manager and select Tools >> AD FS Management.
  4. Open the AD FS tree to Trust Relationships >> Relying Party Trusts.
  5. In the action pane, click Add Relying Party Trust.
  6. Click Start.
  7. Select Enter data about a relying party manually and click Next.
  8. Enter a display name (e.g. “Cezanne”) and click Next.
  9. Select AD FS Profile and click Next.
  10. Click Next to skip the optional certificate configuration step.
  11. Select Enable support for SAML 2.0 WebSSO protocol.
  12. In the Relying Party SAML 2.0 SSO Service URL box, enter https://w3.cezanneondemand.com/CezanneOnDemand/-/{company-identifier}/Saml/samlp and click Next (where {company-identifier} should be replaced to match your company's Primary URL).
  13. Add https://w3.cezanneondemand.com/CezanneOnDemand/  to the relying party trust identifiers list and click Next.
  14. If prompted, select I do not want to configure multi-factor authentication… at this time and click Next.
  15. Select Permit all users to access this relying party, click Next and Next again.
  16. Select Open the edit claim rules dialog… when the wizard closes and click Close.
  17. Continue to the Configuring AD FS Issuance Transformation Rules section below.

Configuring AD FS Issuance Transformation Rules

  1. Add a new custom rule to the Issuance Transformation Rules tab.
  2. Click Add Rule.
  3. Use the Send LDAP Attributes as Claims rule template.
  4. Click Next.
  5. Enter a rule name (e.g. “NameID Rule”) in the Claim rule name field.
  6. Select the Active Directory attribute store.
  7. Add a new LDAP attribute mapping from LDAP Attribute ‘User-Principal-Name’ to Outgoing Claim Type ‘Name ID’
  8. Click Finish.

Note:

  • This configures AD FS to send the User Principal Name in the Subjects NameID field of all assertions. You can send other Active Directory fields in instead.
  • It is important that this value is unique for all users.
  • It is important that the Active Directory property you choose cannot be edited by users. If you choose a property that can be changed by users it is possible for them to impersonate another user in Cezanne.

Configuring Integrated Windows Authentication on ADFS 2.0

If you don’t want users that are already authenticated on you domain to have to enter their username and password when they access Cezanne, you need to ensure that Integrated Windows Authentication (IWA) is enabled for the adfs/ls web application in IIS.

  1. Open Internet Information Services (IIS) Manager.
  2. Navigate to Sites >> Default Web Site >> adfs >> ls.
  3. Double click on Authentication in the IIS section of the Features View.
  4. If Windows Authentication is disabled, right click on it and select Enable.
  5. If your company uses reverse proxies, virtual private networks or browsers other than Internet Explorer, you must also disable Extended Protection for Windows Authentication:
    1. Still in the Authentication view, right click on Windows Authentication and select Advanced Settings.
    2. Ensure that Extended Protection is set to Off.
    3. Click OK.
  6. Open the Windows Command Prompt as an administrator and run the following commands to restart IIS and AD FS:
    1. iisreset
    2. net stop "AD FS 2.0 Windows Service"
    3. net start "AD FS 2.0 Windows Service" 

Note:

  • You can find more information about Extended Protection for Windows Authentication and the implications for disabling it in Microsoft Security Advisory 973811 on TechNet.

Configuring Integrated Windows Authentication on ADFS 3.0

In ADFS 3.0 it is required to ensure that only windows authentication is enabled to prevent browsers prompting for credentials. To do this:

  1. Open up the ADFS Management Console on your ADFS server
  2. Select the “Authentication Policies ” and then “edit” in the Primary Authentication Global Settings.
Configuring Integrated Windows Authentication on ADFS 3.0
  1. Make sure that windows authentication is the only option checked and apply.
Cezanne (SP) Configuration
  1. Log in to Cezanne as an HR Professional user.
  2. Navigate to: System Setup >> Security Settings >> Single Sign-On Configuration.
  3. Check the SAML 2.0 check box.
  4. Click Save.
  5. Click Advanced Configuration.
2. Cezanne (SP) Configuration
  1. Click Add New.
  2. In the Display Name box, enter a display name for the identity provider. This name is used to identify the provider within Cezanne and does not have to match the entity ID, machine name or any other technical identifier.
  3. In the Entity Identifier box, enter https://adfs-server.example.com/adfs/services/trust where adfs-server.example.com should be replaced with the fully qualified machine name of your AD FS server.
  4. In the SAML Binding list, select the POST.
  5. In the Security Token Service Endpoint box, enter https://adfs-server.example.com/adfs/ls/ (again, adfs-server.example.com should be replaced with the fully qualified machine name of your AD FS server).

Note:

  • You must use SSL/HTTPS with AD FS.
  • You must include the trailing / character.
  1. Leave the User ID Attribute Name box empty. This tells Cezanne to read the user ID from the NameID element in the Subject of the assertion.
  2. Use the Public Key Certificate upload button to import the AD FS token signing public key certificate. This is the public key certificate for the key that was specified when AD FS was installed and can be found in AD FS under Services >> Certificates. Do not attempt to upload a private key; it will be automatically rejected.
  3. Click OK and then Save.

Associating AD Users with Cezanne Users

There are two ways to associate your users' AD identities with their Cezanne user accounts. You can use the User Settings screen to associate individual users or the SAML 2.0 Users Data Import to associate users in bulk.

Using the User Settings Screen

  1. Navigate to: System Setup >> Manage Users >> User Settings.
  2. Search for the user you wish to update.
  3. Select the Single Sign-On tab.
  4. In the SAML 2.0 Identifiers section, click Add New.
  5. In the Identity Provider column select AD FS and in the User Identifier column enter the user's AD username.
  6. Click Save.
Associating AD Users with Cezanne Users

Using the SAML 2.0 Users Data Import

  1. Navigate to: System Setup >> Data Management >> Import Data.
  2. Select SAML 2.0 Users on the Settings tab.
  3. Follow the on-screen instructions. For information about data imports, please refer to the Data Importing Knowledge Base article.
Testing
  1. If you haven’t done so already, associate your AD identity with a user account in Cezanne.
  2. Open your browser and navigate to https://{ad-fs-server-name}/adfs/ls/IdpInitiatedSignOn.aspx (where {ad-fs-server} is the fully qualified name of your AD FS server).
  3. If your browser displays an SSL certificate warning, check that the server name in the URL matches the subject name in the SSL certificate.
  4. Select Sign in to one of the following sites and Cezanne from the associated dropdown list.
  5. Click Continue to Sign In.
  6. If you are not automatically signed in to your Cezanne account, proceed to the Troubleshooting section below. Otherwise, you’re done!

Note:

  • If you cant login using the above url and the event viewer / application returns the error 'MSUS7065: There are no registered protocol handlers on path /adfs/ls to process the incoming request':
    1. Open the AD FS Management console.
    2. Right click Authentication Policies.
    3. Select Edit Global Primary Authentication.
    4. Enable Forms Authentication on Intranet.
    5. Restart the ADFS service.
Troubleshooting

If you’re unable to login despite entering your AD username and password correctly

Try disabling Extended Protection for Windows Authentication on the adfs/ls web application (as described in ‘Configuring Integrated Windows Authentication’). Unfortunately Extended Protection cannot be used with reverse proxies, virtual private networks and browsers other than Internet Explorer.

If you’re being prompted to enter your AD username and password despite being authenticated on the domain

If you are using Internet Explorer, check that Windows Authentication is enabled in your local computer’s Internet Settings:

  1. From the Windows Control Panel, Open Internet Options from the Windows Control Panel.
  2. Select the Advanced tab.
  3. Scroll down to the Security section in the settings tree and ensure Enable Integrated Windows Authentication is ticked.
  4. Click OK.
  5. If the setting wasn’t already enabled, restart your computer so that the change can take effect.
If you’re being prompted to enter your AD username and password despite being authenticated on the domain

If you are using Firefox, check that Firefox is configured to trust your domain:

  1. Enter ‘about:config’ in the Firefox URL bar and press enter.
  2. If prompted, click I’ll be careful, I promise!
  3. Type ‘ntlm-auth.trusted-uris’ into the search bar.
  4. Double click network.automatic-ntlm-auth.trusted-uris.
  5. If not already specified, enter the fully qualified name of your AD FS server (e.g. ‘adfs.mycompany.local’).
  6. Click OK and close the configuration tab.

If the problem occurs in Chrome and Firefox, but not Internet Explorer, try disabling the ‘Negotiate’ Windows Authentication protocol:

  1. Open Internet Information Services (IIS) Manager on your AD FS server.
  2. Navigate to Sites >> Default Web Site >> adfs >> ls.
  3. Double click on Authentication in the IIS section of the Features View.
  4. Right click Windows Authentication and select Providers.
  5. Select Negotiate and click Remove. You should be left with just NTLM.
  6. Click OK.
  7. Open the Windows Command Prompt as an administrator and run the following commands to restart IIS and AD FS:

iisreset

net stop "AD FS 2.0 Windows Service"

net start "AD FS 2.0 Windows Service"

  1. Try logging in through Chrome or Firefox again.

If you are able to log in successfully then your browser was previously attempting to authenticate using the Negotiate protocol and failing. The Negotiate protocol is considered more secure than NTLM but is less well supported by non-Microsoft browsers. If you wish to re-enable the Negotiate protocol, you may be able to work around some of these problems using browser, operating system and network specific registry settings that are beyond the scope of this document.

If the above instructions still do not work:

  1. In Windows, Click Start >> Control Panel >> Internet Options >> Security tab
  2. Select Local intranet and click Sites.
  1. Select Advanced.
  1. Add your ADFS server into the Websites list, e.g. https://adfs-server.example.com (You should check first with your system administrator before adding this).