This document outlines the steps for configuring Active Directory Federation Services (ADFS) to facilitate Single Sign-On (SSO) with Cinchy.
Certainly, presenting the information in a table can help make it easier to understand. Here's how you can structure it:
Before starting with the ADFS configuration, make sure to have following information:
Information Required | Description | Reference |
---|---|---|
Having these details readily available will streamline the ADFS configuration process.
Navigate to AD FS Management on your ADFS server.
Right-click on Relying Party Trusts and choose Add Relying Party Trust to open the Add Relying Party Trust Wizard.
In the wizard, select Claims Aware > Start > Select Data Source.
Select Enter Data About the Relying Part Manually > Next.
Fill in a Display Name under Specify Display Name.
Skip certificate configuration in Configure Certificates.
In Configure URL, select Enable support for the SAML 2.0 SSO Web SSO protocol.
Input your login URL as follows:
Under Configure Identifiers, add an Identifier and press Next to complete the setup.
Right-click on the newly created Relying Party Trust (located by its Display Name) and select Edit Claim Issuance Policy.
Select Add Rule > Claim Rule > Send LDAP Attributes as Claims.
Input a Claim Rule Name.
In the Attribute Store, select Active Directory. Map the LDAP attributes to the corresponding outgoing claim types as shown in the table below:
Select Finish.
Select Edit Rule > View Rule Language. Copy the Claim URLs for later use in configuring your Cinchy appsettings.json
. It should look like the following:
Press OK to confirm and save.
Note: Please ensure that the configurations below are case-sensitive and align exactly with those in your SAML IdP setup.
Retrieve and save the Federation Metadata XML file from the following location: https://{your.ADFS.server}/FederationMetadata/2007-06/FederationMetadata.xml
.
If needed, use IIS Manager to establish an HTTPS connection for the Cinchy website.
Also establish an HTTPS connection for the SSO site. Make sure the port number aligns with the one specified in the login URL.
You will need to refer to the Rule Language URLs you copied from the ADFS Configuration. Replace the placeholders below with your own URLs:
Insert the following lines within the <appSettings>
section of your web.config
file. Make sure to replace the {your.cinchy.url}
and {your.cinchysso.url}
with your Cinchy and Cinchy SSO values.
LDAP Attribute | Outgoing Claim Type | Comments |
---|---|---|
Right-click on Relying Party Trust > Properties. Move to the Advanced tab and select SHA-256 as the secure hash algorithm.
Attribute | Value or Description |
---|---|
Cinchy SSO URL
The URL of your Cinchy SSO instance
{your.cinchysso.url}
Cinchy URL
The URL of your main Cinchy instance
{your.cinchy.url}
Cinchy SSO Installation Path
Directory where CinchySSO files are located
{Path/to/CinchySSO}
ADFS Server
The URL of your ADFS server
{your.ADFS.server}
User-Principal-Name
Name ID
SAM-Account-Name
sub
Type sub
manually to avoid auto complete
Given-Name
Given Name
Required for Auto User Creation
Surname
Surname
Required for Auto User Creation
E-Mail-Address
E-Mail Address
Required for Auto User Creation
Is-Member-Of-DL
Role
Required for Auto User Creation
CinchyLoginRedirectUri
URL of the user login redirect
https://{your.cinchysso.url}/Account/LoginRedirect
CinchyPostLogoutRedirectUri
URL of the user post-logout redirect
https://{your.cinchy.url}
CertificatePath
Path to Cinchy SSO certificate
{Path/to/CinchySSO}\\cinchyidentitysrv.pfx
SAMLClientEntityId
Relying Party Identifier from earlier-configured Relying Party Trust
SAMLIDPEntityId
Entity ID for SAML IdP, found in FederationMetadata.xml
http://{your.AD.server}/adfs/services/trust
SAMLMetadataXmlPath
Location of saved FederationMetadata.xml from Initial setup
SAMLSSOServiceURL
URL path in Domain Controller's in-service endpoints
https://{your.AD.server}/Saml2/Acs
AcsURLModule
/Saml2
MaxRequestHeadersTotalSize
Maximum header size in bytes; adjustable if default is insufficient
MaxRequestBufferSize
Should be equal to or larger than MaxRequestHeadersTotalSize
MaxRequestBodySize
Maximum request body size in bytes (use -1
for default; usually no need to change)