Cinchy Platform Documentation
Search…
Cinchy v4.0.0
Cinchy Guides
API Guide
Deployment Guide
Configuring ADFS
The following outlines the configuration required in Active Directory Federation Services (ADFS) to enable Single Sign-On (SSO).
ADFS Configuration
On your ADFS Server, Open AD FS Management.
This will be your SAMLClientEntityId in your appsettings.json
Righ-click on Relying Party Trusts and select Add Relying Party Trust.
This will launch the Add Relying Party Trust Wizard.
Control Panel > System and Security > Administrative Tools > AD FS Management
ADFS Wizard
Welcome
Select Claims aware.
Click Start.
Select Data Source
Choose Enter data about the relying party manually.
Click Next.
Specify Display Name
Enter a Display Name of your choice.
Configure Certificate
Do not choose any certificates.
Configure URL
Select Enable support for the SAML 2.0 SSO Web SSO protocol.
Enter your login URL in the following format:
1
https://<cinchy-sso-URL>/Saml2/Acs
Copied!
Configure Identifiers, Choose Access Control Policy, Ready to Add Trust, Finish
Choose an Identifier and click Next until you are complete.
Claim Issuance Policy
- 1.Right-click on the Relying Party Trust you just created (look for the Display Name) and click Edit Claim Issuance Policy.
- 2.Click on the Add Rule... and choose Claim Rule as Send LDAP Attributes as Claims.
- 3.Add Claim rule name, choose Active Directory under Attribute store and map LDAP attribute to outgoing claim types:
LDAP Attribute
Outgoing Claim Type
Comments
User-Principal-Name
Name ID
​
SAM-Account-Name
sub
subwill need to be typed manually, make sure it does not autocomplete to something else like subject.
4. Click Finish.
5. Click on Edit Rule...
6. Click on View Rule Language and copy out the Claim URLs for the claims defined. This information will be needed in a later step to configure your Cinchy appsettings.json. This will look something like this:
1
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
2
=> issue(store = "Active Directory",
3
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
4
"sub",
5
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
6
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
7
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
8
"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
9
query = ";userPrincipalName,sAMAccountName,givenName,sn,mail,memberOf;{0}",
10
param = c.Value);
Copied!
7. Click Ok to save the rule.
8. Right-click on your Relying Party Trust again and click Properties.
9. Go to the Advanced tab and set the secure hash algorithm to SHA-256
Cinchy Configuration
Everything below is case sensitive and must match whatever is specified in your SAML IdP configuration.
- 1.Open
https://<your.AD.server>/FederationMetadata/2007-06/FederationMetadata.xmlin a browser and save the XML file in the cinchysso folder. - 2.Open IIS Manager and create an HTTPS binding on the Cinchy site (if necessary).
- 3.Go to sso site and bind HTTPS with it. Make sure to use the same port as the login URL above if specified.
Cinchy appsettings.json
AppSettings Section
Attribute
Value
CinchyLoginRedirectUri
https://<cinchy-sso-URL>/Account/LoginRedirectCinchyPostLogoutRedirectUri
https://<Cinchy-Web-URL>CertificatePath
<Path to cinchysso>\\cinchyidentitysrv.pfxSAMLClientEntityId
Relying party identifier from Relying Party Trust above
SAMLIDPEntityId
http://<AD-Server>/adfs/services/trustYour FederationMetadata.xml will have this near the beginning. Note that this is the entityID, not the ID.
SAMLMetadataXmlPath
<Path to cinchysso>\\FederationMetadata.xmlThis is the location where you placed the FederationMetadata.xml in step 1.
SAMLSSOServiceURL
In Domain controller, in-service endpoints, look for type Saml 2, URL path:
https://<AD-Server>/Saml2/Acs Same as the login URL provided to the wizard in the ADFS Configuration
AcsURLModule
/Saml2MaxRequestHeadersTotalSize
Integer
Bytes to set the max request header to. If the default (likely 32kb) does not work, you may have to set this larger to accommodate a large number of groups.
MaxRequestBufferSize
Integer
This should be equal or larger than your header's total size above.
MaxRequestBodySize
Integer
If any of these values are -1 they will use the default. It is not necessary to change the body size.
External Identity Claim Section
You will need the Rule Language URLs you copied out from the ADFS Configuration above. Using the same example as above, we would get the following (replace with your own URLs).
1
{
2
"AppSettings": {
3
...
4
},
5
"ExternalIdentityClaimSection": {
6
"FirstName": {
7
"ExternalClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
8
},
9
"LastName": {
10
"ExternalClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
11
},
12
"Email": {
13
"ExternalClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
14
},
15
"MemberOf": {
16
"ExternalClaimName": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
17
}
18
}
19
}
Copied!
Web.config
Add the 3 following lines to your web.config within the appSettings section:
1
<appSettings>
2
...
3
<add key="UseHttps" value="true" />
4
<add key="StsAuthorityUri" value="https://<your.cinchy.url>" />
5
<add key="StsRedirectUri" value="https://<your.cinchysso.url>/Account/LoginRedirect" />
6
...
7
</appSettings>
Copied!
Last modified 1yr ago