Cinchy Platform Documentation
Cinchy v5.0 - v5.5

Configuring ADFS

The following outlines the configuration required in Active Directory Federation Services (ADFS) to enable Single Sign-On (SSO).


Last updated 2 years ago

1. ADFS Configuration

1. On your ADFS server, open AD FS Management.

2. Right-click on Relying Party Trusts and select Add Relying Party Trust to launch the Add Relying Party Trust Wizard (Image 1).

3. In the ADFS Wizard, select Claims Aware > Start > Select Data Source.

4. Select Enter Data About the Relying Party Manually > Next.

5. Under Specify Display Name, enter a Display Name of your choice.

6. Under Configure Certificates, do not choose any certificates.

7. Under Configure URL, select Enable support for the SAML 2.0 WebSSO protocol.

8. Enter your Login URL in the following format:

https://<cinchy-sso-URL>/Saml2/Acs

9. Under Configure Identifiers, choose an Identifier.

10. Select Next until the process finishes.

2. Claim Issuance Policy

  1. To begin configuring your Claim Issuance Policy, right-click on the Relying Party Trust you just created (look for the Display Name) and click Edit Claim Issuance Policy.

  2. Click on Add Rule > Claim Rule > Send LDAP Attributes as Claims.

  3. Add your Claim Rule Name

  4. Under Attribute Store, choose Active Directory. Map the LDAP attribute to the following outgoing claim types:

| LDAP Attribute | Outgoing Claim Type | Comments |
|---|---|---|
| User-Principal-Name | Name ID | |
| SAM-Account-Name | sub | sub will need to be typed manually; make sure it does not autocomplete to something else like subject. |
| Given-Name | Given Name | Necessary for Automatic User Creation |
| Surname | Surname | Necessary for Automatic User Creation |
| E-Mail-Address | E-Mail Address | Necessary for Automatic User Creation |
| Is-Member-Of-DL | Role | Necessary for Automatic User Creation |

4. Click Finish.

5. Click on Edit Rule.

6. Click on View Rule Language and copy out the Claim URLs for the claims defined. This information will be needed in a later step to configure your Cinchy appsettings.json. This will look something like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
  => issue(store = "Active Directory",
           types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                    "sub",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
           query = ";userPrincipalName,sAMAccountName,givenName,sn,mail,memberOf;{0}",
           param = c.Value);

7. Click OK to save the rule.

8. Right-click on Relying Party Trust > Properties.

9. Go to the Advanced tab and set the secure hash algorithm to SHA-256 (Image 3).

3. Cinchy Configuration

Everything below is case sensitive and must match whatever is specified in your SAML IdP configuration.

  1. Open https://<your.AD.server>/FederationMetadata/2007-06/FederationMetadata.xml in a browser and save the XML file in the cinchysso folder.

  2. Open IIS Manager and create an HTTPS binding on the Cinchy site (if necessary).

  3. Go to the SSO site and add an HTTPS binding to it. Make sure to use the same port as the login URL above, if one is specified.

Cinchy appsettings.json

AppSettings Section

| Attribute | Value | Comments |
|---|---|---|
| CinchyLoginRedirectUri | https://<cinchy-sso-URL>/Account/LoginRedirect | |
| CinchyPostLogoutRedirectUri | https://<Cinchy-Web-URL> | |
| CertificatePath | <Path to cinchysso>\\cinchyidentitysrv.pfx | |
| SAMLClientEntityId | Relying party identifier from Relying Party Trust above | |
| SAMLIDPEntityId | http://<AD-Server>/adfs/services/trust | Your FederationMetadata.xml will have this near the beginning. Note that this is the entityID, not the ID. |
| SAMLMetadataXmlPath | <Path to cinchysso>\\FederationMetadata.xml | This is the location where you placed the FederationMetadata.xml in step 1. |
| SAMLSSOServiceURL | https://<AD-Server>/Saml2/Acs | This value can be found in the Location attribute from the FederationMetadata.xml file, and is also the same Login URL that you input in Section 1, Step 8 of this guide. Example: https://<cinchy-sso-URL>/Saml2/Acs |
| AcsURLModule | /Saml2 | |
| MaxRequestHeadersTotalSize | Integer | Bytes to set the max request header to. If the default (likely 32kb) does not work, you may have to set this larger to accommodate a large number of groups. |
| MaxRequestBufferSize | Integer | This should be equal to or larger than your header's total size above. |
| MaxRequestBodySize | Integer | If any of these values are -1 they will use the default. It is not necessary to change the body size. |

External Identity Claim Section

You will need the Rule Language URLs you copied out from the ADFS Configuration above. Using the same example as above, we would get the following (replace with your own URLs).

{
  "AppSettings": {
    ...
  },
  "ExternalIdentityClaimSection": {
    "FirstName": {
      "ExternalClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    },
    "LastName": {
      "ExternalClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    },
    "Email": {
      "ExternalClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    },
    "MemberOf": {
      "ExternalClaimName": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    }
  }
}
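
Because these values are case sensitive and must match the ADFS side exactly, a pre-flight comparison catches most login failures before the first test sign-in. The following is an added example, not part of the Cinchy documentation or product: it compares an appsettings.json against the saved FederationMetadata.xml and the claim rule text copied from View Rule Language. The function names, the host adfs.example.test and the sample inputs are constructed for illustration, and it assumes the Max* settings are stored as integers under AppSettings.

```python
import re
import xml.etree.ElementTree as ET

def claim_types(rule_text):
    """Outgoing claim types listed in an ADFS issue(... types = (...)) rule."""
    m = re.search(r"types\s*=\s*\((.*?)\)", rule_text, re.S)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def check_sso_config(settings, metadata_xml, rule_text):
    """Return a list of mismatches between appsettings.json and the ADFS side."""
    problems = []
    app = settings.get("AppSettings", {})
    # metadata_xml: contents of the FederationMetadata.xml saved in step 1.
    entity_id = ET.fromstring(metadata_xml).get("entityID")
    if app.get("SAMLIDPEntityId") != entity_id:  # exact, case-sensitive compare
        problems.append("SAMLIDPEntityId does not match the metadata entityID")
    issued = set(claim_types(rule_text))
    for field, spec in settings.get("ExternalIdentityClaimSection", {}).items():
        if spec.get("ExternalClaimName") not in issued:
            problems.append(f"{field}: ExternalClaimName is not issued by the rule")
    if "sub" not in issued:  # typed manually in the wizard, easy to get wrong
        problems.append("rule does not issue the 'sub' claim")
    hdr = app.get("MaxRequestHeadersTotalSize", -1)
    buf = app.get("MaxRequestBufferSize", -1)
    if hdr != -1 and buf != -1 and buf < hdr:  # -1 means "use the default"
        problems.append("MaxRequestBufferSize < MaxRequestHeadersTotalSize")
    return problems

# Constructed sample inputs; adfs.example.test is a placeholder host.
BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
RULE = f'''=> issue(store = "Active Directory",
  types = ("{BASE}nameidentifier", "subject", "{BASE}givenname",
           "{BASE}surname", "{BASE}emailaddress"),
  query = ";userPrincipalName,sAMAccountName,givenName,sn,mail;{{0}}",
  param = c.Value);'''
METADATA = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="http://adfs.example.test/adfs/services/trust"/>')
SETTINGS = {  # in practice: json.load() of your appsettings.json
    "AppSettings": {
        "SAMLIDPEntityId": "http://ADFS.example.test/adfs/services/trust",
        "MaxRequestHeadersTotalSize": 65536, "MaxRequestBufferSize": 32768},
    "ExternalIdentityClaimSection": {
        "FirstName": {"ExternalClaimName": BASE + "givenname"},
        "Email": {"ExternalClaimName": BASE + "EmailAddress"}}}

if __name__ == "__main__":
    for problem in check_sso_config(SETTINGS, METADATA, RULE):
        print("MISMATCH:", problem)
```

The constructed sample deliberately contains four mismatches: a differently cased entity ID, a differently cased e-mail claim URL, a rule that issues subject instead of sub, and a buffer size smaller than the header size.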

Web.config

Add the following 3 lines to your web.config, within the appSettings section:

<appSettings>
  ...
  <add key="UseHttps" value="true" />
  <add key="StsAuthorityUri" value="https://<your.cinchy.url>" />
  <add key="StsRedirectUri" value="https://<your.cinchysso.url>/Account/LoginRedirect" />
  ...
</appSettings>

Image 1: Add Relying Party Trust Wizard
Image 2: Add Transform Claim Rule Wizard
Image 3: Set the secure hash algorithm to SHA-256