Introduction

This cheat-sheet assumes you already have ADFS 4 (Windows Server 2016/2019) running for your company's internal domain and simply want to add the Authentic8 Silo Access Portal (SAP) as a new Service Provider.


A8 Admin Console

  1. Define your vanity URL, e.g. mitchmurray (fictional customer), by editing your Org name.

  2. Enable SAML

  3. Download the SP Encryption Certificate (SP_cert.crt) to your computer.

  4. Do not hit save, leave page open.


ADFS - use Add Relying Party Trust wizard

  1. Choose "Claims aware"
  2. Choose "Enter data about the relying party manually"
  3. For simplicity, name it the same as your vanity URL, e.g. mitchmurray
  4. Choose the AD FS profile (the one that supports SAML 2.0)
  5. Browse to and open the SP_cert.crt from your computer (you will need to change the file-type filter to "All Files (*.*)")
  6. Enable support for the SAML 2.0 WebSSO protocol
  7. Copy/paste the SP Entity ID URL from the Admin Console (AC) into "Relying party SAML 2.0 SSO service URL"
  8. Copy/paste the SP Entity ID URL from the AC into "Relying party trust identifier", e.g. https://getsilo.com/sso/saml/mitchmurray/
  9. Click Add
  10. Click Next to accept "Permit everyone"
  11. Click Next
  12. Leave "Configure claims issuance policy for this application" checked

2. Add rules - click Edit Claim Issuance Policy...

  a. Send LDAP Attributes as Claims

    i. Click Add Rule
    ii. Choose "Send LDAP Attributes as Claims"
    iii. Name the rule
    iv. Set Attribute store to Active Directory
    v. In the LDAP Attribute column, select E-Mail-Addresses


Pro Tip: If you want to use a field other than the user's email address as their Silo username, select that attribute here instead of E-Mail-Addresses, e.g. otherMailbox. Because these are Silo usernames they must be unique across all Silo customers, so make sure the attribute holds a sufficiently unique value such as <employee number>@mitchmurray.com.


    vi. Set the Outgoing Claim Type to E-Mail Address
    vii. Click Finish

  b. Transform an Incoming Claim

    i. Click Add Rule
    ii. Choose "Transform an Incoming Claim"
    iii. Name the rule
    iv. Incoming claim type: E-Mail Address
    v. Outgoing claim type: Name ID
    vi. Outgoing name ID format: Email
    vii. Click Finish

3. Export the IdP Token-Signing certificate (the primary one under AD FS > Service > Certificates) as Base64 encoded X.509, for upload to the Silo Admin Console.


4. Configure the SAML Response Signature

  a. Open an elevated (Run as administrator) PowerShell prompt on the ADFS server.

  b. Run: Set-AdfsRelyingPartyTrust -TargetName <vanity URL> (e.g. mitchmurray) -SamlResponseSignature "MessageAndAssertion"

     This makes ADFS sign both the SAML Response message and the Assertion inside it, rather than the assertion only.
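The ADFS side of sections 1 to 4, collected into one script. This is an added example, not code from Authentic8 or from Microsoft's documentation; it does in PowerShell what the wizard steps above do by hand. It is run in an elevated PowerShell on the ADFS server. The vanity name and entity ID are the fictional mitchmurray values used on this page; the certificate file paths are assumptions, and the SAML 2.0 SSO service URL is set to the same URL as the entity ID because that is what step 7 above pastes there. The "Permit everyone" access control policy is the one AD FS 2016/2019 ships with.

```powershell
# Added example, not part of the original cheat-sheet: the ADFS side of the
# procedure above (sections 1-4) as one script. Run in an elevated PowerShell
# on the ADFS server. Lines marked "assumption" are placeholders to adjust.
Import-Module ADFS

$vanity     = 'mitchmurray'
$entityId   = "https://getsilo.com/sso/saml/$vanity/"   # SP Entity ID copied from the Silo Admin Console
$acsUrl     = $entityId                                 # step 7 pastes the same URL as the SAML 2.0 SSO service URL
$spCertPath = 'C:\Temp\SP_cert.crt'                     # assumption: where you saved the SP encryption certificate
$idpCertOut = 'C:\Temp\FromADFStoAC.cer'                # assumption: file to upload as the IdP Signing Certificate

# Claim rule language for the two rules section 2 builds in the wizard.
# Per the Pro Tip, swap ";mail;" for ";otherMailbox;" (or any other unique attribute).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Sections 1 and 4: relying party trust with the SP encryption certificate, a
# SAML POST assertion consumer endpoint, "Permit everyone", and a signed
# Response message plus signed Assertion.
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $spCertPath
$acs    = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $vanity `
    -Identifier $entityId `
    -EncryptionCertificate $spCert `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $transformRules `
    -SamlResponseSignature 'MessageAndAssertion'

# Section 3: export the primary token-signing certificate as Base64 X.509 (PEM).
# The lines are joined with LF only, which is the form the Errors section below
# says the Silo Admin Console may require.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate
$der     = $signing.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64     = [Convert]::ToBase64String($der)
$body    = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n"
$pem     = "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----`n"
[IO.File]::WriteAllText($idpCertOut, $pem, (New-Object System.Text.UTF8Encoding $false))

# Verify what ADFS actually stored before moving on to the Silo Admin Console.
Get-AdfsRelyingPartyTrust -Name $vanity |
    Select-Object Name, Identifier, SamlResponseSignature,
        @{ n = 'AcsUrl';         e = { $_.SamlEndpoints.Location } },
        @{ n = 'EncryptionCert'; e = { $_.EncryptionCertificate.Thumbprint } }
"Token-signing cert $($signing.Thumbprint) written to $idpCertOut (expires $($signing.NotAfter))"
```

The script exports whichever token-signing certificate is currently primary; when ADFS auto-rolls that certificate the Silo Admin Console will need the new one, so note the NotAfter date it prints.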


A8 Admin Console

Back on the SAML page you left open, fill in:

IdP Issuer: <vanity URL> (e.g. mitchmurray)

IdP Login URL: https://<ADFS FQDN Server name>/adfs/ls

IdP Signing Certificate: upload the token-signing certificate you exported from ADFS in step 3 (e.g. a file named FromADFStoAC), then click Save.


Errors


Failed to Parse SAML Token

  • Ensure that the user you are trying to sign in exists in both Silo and Active Directory with the same email address (the Name ID that ADFS sends must match the Silo username exactly).

  • It may be necessary to upload your IdP Signing Cert to the Silo Admin Console in Unix Line Format. Open the cert in Notepad++ or similar, click Edit, EOL Conversion, Unix LF.


Debugging

  • ADFS Server - you can review all of your settings with the PowerShell command Get-AdfsRelyingPartyTrust -Name <vanity URL> (e.g. mitchmurray). You can enable debug logging temporarily with these instructions: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging

  • You can test whether your AD FS is set up correctly by enabling the IdP-initiated sign-on page from an elevated PowerShell prompt:

    • Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

    • Then open https://<ADFS FQDN Server name>/adfs/ls/IdPInitiatedSignOn.aspx, sign in and choose the relying party. Disable the page again afterwards by running the same command with $false: it lists every relying party to anyone who can reach it.

  • HTTP 400 Error

    • Open ADSI Edit

    • Open the service account that the ADFS service runs as

    • Open the servicePrincipalName attribute and ensure both HTTP/<server name> and HTTP/<ADFS FQDN Server name> are present.

  • IWA (Integrated Windows Authentication) not working

    • Try the solution for the HTTP 400 Error above.

    • Expand the supported IWA user agents with the following command (it replaces the existing list rather than appending to it, so include any agents you already rely on): Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Firefox/47.0", "Mozilla/4.0", "Mozilla/5.0")
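The checks in the Debugging section, scripted. This is an added example and not part of the original cheat-sheet or of Authentic8's tooling. It runs in an elevated PowerShell on the ADFS server; the farm name is an assumption and the vanity name is the fictional mitchmurray used above. The SPN check reads the service account from the adfssrv Windows service and the servicePrincipalName attribute through an ADSI search, which is what the ADSI Edit steps do by hand.

```powershell
# Added example, not part of the original cheat-sheet: the Debugging checks
# above as a script. Run in an elevated PowerShell on the ADFS server.
Import-Module ADFS

$vanity   = 'mitchmurray'                # fictional vanity URL used on this page
$adfsFqdn = 'adfs.mitchmurray.com'       # assumption: your ADFS farm / service name
$short    = $adfsFqdn.Split('.')[0]      # the "servername" half of the SPN pair

# HTTP 400 / IWA: the ADFS service account needs HTTP/<servername> and HTTP/<FQDN>.
# Read the account from the adfssrv service and its SPNs via ADSI (no RSAT needed).
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName   # e.g. MITCH\svc_adfs$
$sam        = $svcAccount.Split('\')[-1]
$entry      = ([adsisearcher]"(sAMAccountName=$sam)").FindOne()
if (-not $entry) { throw "Service account $sam not found in Active Directory" }
$spns = @($entry.Properties['serviceprincipalname'])
foreach ($spn in "HTTP/$short", "HTTP/$adfsFqdn") {
    if ($spns -contains $spn) { "OK       $spn" }
    else                      { "MISSING  $spn   (register with: setspn -s $spn $sam)" }
}

# IWA: which browser user agents ADFS will challenge with Windows authentication.
# Compare with the list in the bullet above before replacing it.
"WIA user agents currently configured:"
(Get-AdfsProperties).WIASupportedUserAgents

# IdP-initiated sign-on test page. Enable it only for the test and turn it off
# again: it lists every relying party and lets anyone start IdP-initiated SSO.
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
"Open https://$adfsFqdn/adfs/ls/IdPInitiatedSignOn.aspx, sign in and pick '$vanity'."
Read-Host 'Press Enter when the test is finished'
Set-AdfsProperties -EnableIdPInitiatedSignonPage $false
"IdP-initiated sign-on page disabled again."
```

For a group managed service account the sAMAccountName ends in a dollar sign; the script keeps it, so the setspn hint it prints is usable as-is.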


*Note: Authentic8 makes no warranty on third-party software. We assume no responsibility for errors or omissions in the third-party software or documentation available. Using such software is done entirely at your own discretion and risk.



Additional Notes  

Please contact Support if you have any additional questions and/or require further information.