Introduction
This cheat-sheet assumes you already have AD FS 4 on Windows Server 2016/2019 running for your company's internal domain and simply wish to add the Authentic8 Silo Access Portal (SAP) as a new Service Provider.
A8 Admin Console
Define your vanity URL e.g. mitchmurray (fictional customer) by editing your Org name.
Enable SAML
Download the SP Encryption Certificate SP_cert.crt to your computer.
Do not hit Save; leave the page open.
ADFS - use Add Relying Party Trust wizard
- Choose “Claims aware”
- Choose Enter data about the relying party manually
- For simplicity name it the same as your vanity URL e.g. mitchmurray
- Choose AD FS profile (the one that supports SAML 2.0)
- Browse to and open the SP_cert.crt from your computer (you will need to change your filter to “All Files (*.*)”)
- Enable support for SAML 2.0 WebSSO Protocol
- Copy/Paste the SP Entity ID URL from AC for “Relying party SAML 2.0 SSO service URL”
- Copy/Paste the SP Entity ID URL from AC for “Relying party trust identifier”, e.g. https://getsilo.com/sso/saml/mitchmurray/
- Click Add
- Click Next to Permit everyone
- Click Next
- Leave “Configure claims” checked
2. Add rules - Click Edit Claim Issuance Policy...
 a. Send LDAP Attributes as Claims
  i. Click Add rule
  ii. Choose Send LDAP Attributes as Claims
  iii. Name the rule
  iv. Set Attribute Store to Active Directory
  v. LDAP Attribute column: E-mail addresses
  Pro Tip: If you choose to use a field other than the user’s email address as their Silo username, enter that attribute here instead of E-mail addresses, e.g. otherMailbox. Because these are Silo usernames they need to be unique across all Silo customers, so ensure you populate a sufficiently unique value such as <employee number>@mitchmurray.com e.g. <[email protected]>
  vi. Outgoing claim type: E-mail address
  vii. Click Finish.
 b. Transform an Incoming Claim
  i. Click Add rule
  ii. Choose Transform an Incoming Claim
  iii. Name the rule
  iv. Incoming claim type: E-mail address
  v. Outgoing claim type: Name ID
  vi. Outgoing name ID format: Email
  vii. Click Finish.
3. Export the IdP Token-Signing certificate as Base64 encoded X.509 for upload to the Silo Admin Console.
4. Configure the SAML Response Signature
 a. In an admin PowerShell prompt run:
 b. Set-AdfsRelyingPartyTrust -TargetName <vanity URL> (e.g. mitchmurray) -SamlResponseSignature "MessageAndAssertion"
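The same relying party trust, claim rules, response signature setting and Token-Signing certificate export as one AD FS PowerShell script. This is an added example, not part of the Authentic8 cheat-sheet or AD FS documentation; it assumes the downloaded SP_cert.crt sits at C:\a8\SP_cert.crt, the fictional vanity URL mitchmurray, and writes the Base64 certificate with Unix LF line endings (the format the Errors section says the Admin Console may require).

```powershell
# Added example (assumptions: C:\a8\SP_cert.crt, vanity URL "mitchmurray"). Run as an AD FS admin.
Import-Module ADFS

$vanity   = 'mitchmurray'                              # vanity URL, used as the RP display name
$entityId = "https://getsilo.com/sso/saml/$vanity/"    # SP Entity ID copied from the Admin Console
$spCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\a8\SP_cert.crt'

# Claim rules in AD FS claim rule language: AD 'mail' -> E-mail address, then
# E-mail address -> Name ID (email format). These are the two wizard rules above.
# To use another attribute as the Silo username (Pro Tip), change ';mail;' to e.g. ';otherMailbox;'.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail to E-mail address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Access control "Permit everyone", as chosen in the wizard.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $vanity `
    -Identifier $entityId `
    -EncryptionCertificate $spCert `
    -SamlEndpoint (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $entityId) `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -SamlResponseSignature 'MessageAndAssertion'   # step 4: sign both the SAML message and the assertion

# Step 3: export the primary Token-Signing certificate as Base64 X.509 with LF line endings
# so it can be uploaded unchanged as the "IdP Signing Certificate" in the Admin Console.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$b64 = [Convert]::ToBase64String($signing.Export('Cert'), [Base64FormattingOptions]::InsertLineBreaks) -replace "`r`n", "`n"
[IO.File]::WriteAllText('C:\a8\FromADFStoAC.cer', "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n")

# Review the result (the Get-AdfsRelyingPartyTrust check from the Debugging section).
Get-AdfsRelyingPartyTrust -Name $vanity | Select-Object Name, Identifier, SamlResponseSignature, EncryptionCertificate
```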
A8 Admin Console
IdP Issuer: <vanity URL> (e.g. mitchmurray)
IdP Login URL: https://<ADFS FQDN Server name>/adfs/ls
IdP Signing Certificate: Upload the AD FS Signature Verification cert e.g. FromADFStoAC, click Save.
Errors
Failed to Parse SAML Token
Ensure that the user you are trying to sync exists in both Silo and Active Directory with the same email address.
It may be necessary to upload your IdP Signing Cert to the Silo Admin Console in Unix line format. Open the cert in Notepad++ or similar and choose Edit, EOL Conversion, Unix (LF).
Debugging
ADFS Server - you can review all of your settings with the PowerShell command “Get-ADFSRelyingPartyTrust <vanity URL>” (e.g. mitchmurray). You can enable debug logs temporarily with these instructions: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
You can test whether your AD FS is set up correctly after enabling the IdP Initiated Sign On page from an admin PowerShell prompt:
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
Then open https://<ADFS FQDN Server name>/adfs/ls/IdPInitiatedSignOn.Aspx
HTTP 400 Error
Open ADSI Edit, then open the service account used to log in to ADFS.
Open servicePrincipalName and ensure that http/servername and http/FQDN Server name exist there.
IWA Not working
Try the solution for HTTP 400 Error above.
Expand the supported IWA user agents with the following command:
Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Firefox/47.0", "Mozilla/4.0", "Mozilla/5.0")
Additional Notes
Please contact Support if you have any additional questions and/or require further information.