This cheat sheet assumes you already have ADFS 4 on Windows Server 2016/2019 running for your company's internal domain and simply wish to add the Authentic8 Silo Access Portal (SAP) as a new Service Provider.
A8 Admin Console
Enable the Portal and define a company identifier, e.g. mitchmurray (a fictional customer).
Download the SP Encryption Certificate SP_cert.crt to your computer.
Do not click Save; leave the page open.
ADFS - use the Add Relying Party Trust wizard
- Choose “Claims aware”
- Choose Enter data about the relying party manually
- For simplicity name it your company identifier e.g. mitchmurray
- Choose AD FS profile (the one that supports SAML 2.0)
- Browse to and open the SP_cert.crt from your computer (you will need to change the file filter to “All Files (*.*)”)
- Enable support for SAML 2.0 WebSSO Protocol
- Copy/Paste the SP Entity ID URL from the AC into “Relying party SAML 2.0 SSO service URL”
- Copy/Paste the SP Entity ID URL from the AC into “Relying party trust identifier”, e.g. https://getsilo.com/sso/saml/mitchmurray/
- Click Add
- Click Next to accept “Permit everyone”
- Click Next
- Leave “Configure claims” checked
2. Add rules
a. Send LDAP Attributes as Claims
i. Click Add rule
ii. Choose Send LDAP Attributes as Claims
iii. Name the rule
iv. Set Attribute Store to Active Directory
v. Set the LDAP Attribute column to E-Mail-Addresses
Pro Tip: If you choose to use a field other than the user's email address as their Silo username, enter that attribute here instead of E-Mail-Addresses, e.g. Other Mailbox. Because these are Silo usernames they need to be unique across all Silo customers, so ensure you populate a sufficiently unique value such as <employee number>@mitchmurray.com.
vi. Set the Outgoing Claim Type to E-Mail Address
vii. Click Finish.
b. Transform an Incoming Claim
i. Click Add rule
ii. Choose Transform an Incoming Claim
iii. Name the rule
iv. Incoming claim type: E-Mail Address
v. Outgoing claim type: Name ID
vi. Outgoing name ID format: Email
vii. Click Finish.
3. Export the IdP Token-Signing certificate for upload to the Silo Admin Console.
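The wizard, claim-rule and export steps above, scripted with the AD FS PowerShell module, as an added example that is not part of the Authentic8 cheat sheet. The file paths and rule names are assumptions, the SP Entity ID is used as the SSO endpoint because that is what the wizard steps instruct, and the response-signature setting of step 4 is not included here.

```powershell
# Added example, not from the Authentic8 cheat-sheet: the wizard, claim-rule and
# export steps scripted with the AD FS PowerShell module. Assumptions: the paths,
# the rule names, and using the SP Entity ID as the SSO endpoint (as the page instructs).
$Company    = "mitchmurray"                              # company identifier from the A8 Admin Console
$EntityId   = "https://getsilo.com/sso/saml/$Company/"   # SP Entity ID URL shown in the A8 Admin Console
$SpCertPath = "C:\temp\SP_cert.crt"                      # SP Encryption Certificate downloaded in step 1
$OutPath    = "C:\temp\FromADFStoAC.cer"                 # token-signing cert to upload to the A8 Admin Console

# Rule 1 (Send LDAP Attributes as Claims): AD "mail" -> E-Mail Address claim.
# Rule 2 (Transform an Incoming Claim): E-Mail Address -> Name ID, format Email.
# To use another unique AD attribute as the Silo username (Pro Tip), change ";mail;" below.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send E-Mail Address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Relying party trust: SP encryption cert, Entity ID, SAML 2.0 WebSSO endpoint, Permit everyone.
$SpCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $SpCertPath
$Acs    = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $EntityId -Index 0 -IsDefault $true

Add-AdfsRelyingPartyTrust -Name $Company `
    -Identifier $EntityId `
    -EncryptionCertificate $SpCert `
    -SamlEndpoint $Acs `
    -IssuanceTransformRules $IssuanceRules `
    -AccessControlPolicyName "Permit everyone"

# Step 3: export the primary token-signing certificate as Base64 PEM with Unix (LF) line endings,
# the form the troubleshooting section says the Silo Admin Console may need.
$Signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$Pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($Signing.RawData, 'InsertLineBreaks').Replace("`r`n", "`n") +
       "`n-----END CERTIFICATE-----`n"
[IO.File]::WriteAllText($OutPath, $Pem)

# Review the result (the cheat-sheet's own check)
Get-AdfsRelyingPartyTrust -TargetName $Company | Select-Object Name, Identifier, SamlEndpoints, AccessControlPolicyName
```

Run it in an elevated PowerShell session on the AD FS server; the exported file is what you upload as the IdP Signing Certificate in the A8 Admin Console.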
4. Configure the SAML Response Signature
a. In an admin PowerShell command prompt run
-TargetName <company identifier> (e.g. mitchmurray)
A8 Admin Console
IdP Issuer: <company identifier> (e.g. mitchmurray)
IdP Login URL: https://<ADFS FQDN Server name>/adfs/ls
IdP Signing Certificate: upload the AD FS signature verification cert exported in step 3 (e.g. FromADFStoAC), then click Save.
Failed to Parse SAML Token
Ensure that the user you are trying to sync exists in both Silo and Active Directory with the same email address.
It may be necessary to upload your IdP Signing Cert to the Silo Admin Console with Unix line endings (LF). Open the cert in Notepad++ or similar, then click Edit, EOL Conversion, Unix (LF).
ADFS Server - you can review all of your settings with the PowerShell command “Get-AdfsRelyingPartyTrust <company identifier>” (e.g. mitchmurray).
You can test whether your AD FS is set up correctly after you enable the IdP Initiated Sign On page. In an admin PowerShell prompt run:
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
Then open https://<ADFS FQDN Server name>/adfs/ls/IdPInitiatedSignOn.Aspx
HTTP 400 Error
Open ADSI Edit.
Open the service account used to log in to ADFS.
Open servicePrincipalName and ensure that http/<servername> and http/<FQDN Server name> exist there.
IWA Not working
Try the solution for HTTP 400 Error above.
Expand the supported IWA user agents with the following command:
Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Firefox/47.0", "Mozilla/4.0", "Mozilla/5.0")
Please contact Support if you have any additional questions and/or require further information.