Enterprise - Implementing Coviu with on-Prem ADFS SSO in your Organisation

This article explains the steps taken to integrate Coviu into your on-prem ADFS Single Sign-On (SSO) system.

Last updated: Dec 2020

Engage your corporate IT staff to carry out the following actions in cooperation with the Coviu IT team:

Steps

Following are the steps required to configure ADFS to work with Coviu. Run the PowerShell commands listed under each step on your ADFS server, in an elevated PowerShell session with the ADFS module loaded, as an ADFS administrator.

1. Setup the unique identifier (SPN)

Add the unique identifier (SPN) for the Coviu relying party trust. This identifier is the value Coviu presents as the SAML Issuer (and ADFS returns as the Audience), so ADFS uses it to match incoming authentication requests to this trust; it must be the same string on both sides. More information on SPNs can be found here - https://support.microsoft.com/en-au/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on

Your SPN unique ID should be the platform domain mapping for your enterprise platform (for example: demo.oncoviu.com)

Powershell command:

$: Add-AdfsRelyingPartyTrust -Name Coviu -Identifier spn:{unique_id}

2. Setup the callback URL

Add the callback URL (the SAML Assertion Consumer Service endpoint) to which ADFS sends the signed SAML authentication response. Coviu provides this URL; copy it exactly and keep the https scheme, as ADFS will only post assertions to an endpoint registered on the trust.

Powershell commands:

$: $SamlEndpoint = New-AdfsSamlEndpoint -Binding "POST" -Protocol "SAMLAssertionConsumer" -Uri {to be provided by Coviu}
$: Set-AdfsRelyingPartyTrust -TargetName Coviu -SamlEndpoint $SamlEndpoint

3. (Optional) Add security groups

If needed, restrict access to Coviu to the appropriate security groups in your organisation by assigning an access control policy to the trust. The policy name and group parameter below are placeholders to be replaced with your own values.

Powershell command:

$: Set-AdfsRelyingPartyTrust -TargetName "Coviu" -AccessControlPolicyName "{name of policy name}" -AccessControlPolicyParameters @{GroupParameter="{group parameter name}"}

4. Setup claim transformation rules

To map the SAML response claims to ones that Coviu can understand, use the following command. The first rule looks up the mail and displayname attributes in Active Directory for the authenticated Windows account, the second issues the SAML NameID in emailAddress format from the mail attribute, and the third passes the display name through. Note that a user whose mail attribute is empty in Active Directory will receive no NameID and will not be able to sign in to Coviu.

$: Set-AdfsRelyingPartyTrust -TargetName Coviu -IssuanceTransformRules '
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress","http://schemas.microsoft.com/identity/claims/displayname"), query = ";mail,displayname;{0}", param = c.Value);
>> c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
>> c:[Type == "http://schemas.microsoft.com/identity/claims/displayname"] => issue(claim = c);'
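Steps 1 to 4 combined into one re-runnable script for the ADFS server, as an added example that is not Coviu's or Microsoft's own code. Every value at the top is an assumption: the identifier uses the example domain demo.oncoviu.com, the ACS URL keeps the article's placeholder until Coviu supplies the real one, and the group name and the built-in "Permit specific group" policy are only used if you choose to restrict access.

```powershell
# Added example: Coviu relying party trust setup in one script.
# Run in an elevated PowerShell session on the ADFS server as an ADFS administrator.
# All four values below are assumptions; replace them with your own.
$TrustName  = "Coviu"
$Identifier = "spn:demo.oncoviu.com"                # step 1: your platform domain (example only)
$AcsUrl     = "https://{to be provided by Coviu}"   # step 2: placeholder, supplied by Coviu
$GroupName  = "CONTOSO\Coviu Users"                 # step 3: assumed group; set to $null to skip

# Step 4 claim rules, identical to the article's. A single-quoted here-string
# passes the braces and quotes through to ADFS untouched.
$ClaimRules = @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress","http://schemas.microsoft.com/identity/claims/displayname"), query = ";mail,displayname;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
c:[Type == "http://schemas.microsoft.com/identity/claims/displayname"] => issue(claim = c);
'@

# Refuse a plain-http callback: ADFS would POST assertions carrying the
# user's email address to it over an unencrypted connection.
if ($AcsUrl -notmatch '^https://') { throw "ACS URL must use https, got: $AcsUrl" }

# Step 1: create the trust on the first run; on later runs only fix the identifier.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName -ErrorAction SilentlyContinue
if (-not $trust) {
    Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $Identifier
} elseif ($trust.Identifier -notcontains $Identifier) {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -Identifier $Identifier
}

# Step 2: register the POST Assertion Consumer Service endpoint.
# -SamlEndpoint replaces the trust's existing SAML endpoints with this one.
$endpoint = New-AdfsSamlEndpoint -Binding "POST" -Protocol "SAMLAssertionConsumer" -Uri $AcsUrl
Set-AdfsRelyingPartyTrust -TargetName $TrustName -SamlEndpoint $endpoint

# Step 3 (optional): limit sign-in to one security group using the built-in policy.
if ($GroupName) {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName `
        -AccessControlPolicyName "Permit specific group" `
        -AccessControlPolicyParameters @{ GroupParameter = $GroupName }
}

# Step 4: install the claim rules, then read the trust back for a quick look.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $ClaimRules

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$trust | Select-Object Name, Enabled, Identifier, SignatureAlgorithm, AccessControlPolicyName
$trust.SamlEndpoints | Select-Object Binding, Protocol, Location
```

The script is safe to run more than once: the trust is created only when missing, and the endpoint, policy and claim rules are simply set again to the intended values.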

Verification

Following the above steps should set up and configure your ADFS service to authenticate users on behalf of Coviu.

To verify the setup, run this command from Powershell:

$: Get-ADFSRelyingPartyTrust -Name coviu

The response of this command should look similar to the output below. The values worth checking are Enabled (True), Identifier (the SPN from step 1), SamlEndpoints (the POST endpoint from step 2), SignatureAlgorithm (rsa-sha256) and IssuanceTransformRules (the three rules from step 4):

AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy : False
SigningCertificateRevocationCheck : CheckChainExcludeRoot
WSFedEndpoint :
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {}
ClaimsAccepted : {}
EncryptClaims : True
Enabled : True
EncryptionCertificate :
Identifier : {spn:unique_id from step 1}
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes :
OrganizationInfo :
ObjectIdentifier : acbbb0b0-443f-eb11-845d-005056a71e43
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime : 0
AllowedClientTypes : Public, Confidential
IssueOAuthRefreshTokensTo : AllDevices
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
ScopeGroupIdentifier :
DeviceAuthenticationMethod :
Name : Coviu
AutoUpdateEnabled : False
MonitoringEnabled : False
MetadataUrl :
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules :
IssuanceTransformRules : c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.microsoft.com/identity/claims/displayname"), query = ";mail,displayname;{0}", param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer =
c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

c:[Type == "http://schemas.microsoft.com/identity/claims/displayname"]
=> issue(claim = c);


DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 1/01/1900 11:00:00 AM
LastMonitoredTime : 1/01/1900 11:00:00 AM
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName : Policy name from step 3
AccessControlPolicyParameters : Parameters set in step 3
ResultantPolicy : Details of the security group policy if setup in step 3
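A check script that reads the trust back and compares the fields that matter against the values you intended, as an added example that is neither Coviu's nor Microsoft's. The expected identifier, the ACS URL placeholder and the sample user name are assumptions to replace; the attribute check on the sample user needs the ActiveDirectory PowerShell module and is skipped when it is not installed.

```powershell
# Added example: verify the Coviu relying party trust against intended values.
# All values below are assumptions; replace them with yours.
$TrustName      = "Coviu"
$ExpectedId     = "spn:demo.oncoviu.com"               # from step 1 (example domain)
$ExpectedAcsUrl = "https://{to be provided by Coviu}"  # from step 2 (placeholder)
$SampleUser     = "jsmith"                             # assumed sAMAccountName to test the claim rule inputs

function Test-CoviuTrust {
    $t = Get-AdfsRelyingPartyTrust -Name $TrustName -ErrorAction SilentlyContinue
    if (-not $t) { throw "Relying party trust '$TrustName' not found" }
    $problems = @()

    if (-not $t.Enabled) { $problems += "trust is disabled" }

    if ($t.Identifier -notcontains $ExpectedId) {
        $problems += "identifier is '$($t.Identifier -join ', ')', expected '$ExpectedId'"
    }

    # Exactly one POST Assertion Consumer Service endpoint, over https, at the URL Coviu gave you.
    $acs = @($t.SamlEndpoints | Where-Object { $_.Protocol -eq "SAMLAssertionConsumer" -and $_.Binding -eq "POST" })
    if ($acs.Count -ne 1) {
        $problems += "expected one POST SAMLAssertionConsumer endpoint, found $($acs.Count)"
    } else {
        $loc = [uri]$acs[0].Location
        if ($loc.Scheme -ne "https") { $problems += "ACS endpoint is not https: $loc" }
        if ($loc -ne [uri]$ExpectedAcsUrl) { $problems += "ACS endpoint is '$loc', expected '$ExpectedAcsUrl'" }
    }

    # Assertions must be signed with SHA-256, not the legacy SHA-1 algorithm.
    if ($t.SignatureAlgorithm -ne "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") {
        $problems += "signature algorithm is '$($t.SignatureAlgorithm)', expected rsa-sha256"
    }

    # The step 4 rules must be present: an emailAddress-format NameID and the AD lookup that feeds it.
    if ($t.IssuanceTransformRules -notmatch 'nameid-format:emailAddress') { $problems += "NameID (emailAddress) rule missing" }
    if ($t.IssuanceTransformRules -notmatch 'query = ";mail,displayname;\{0\}"') { $problems += "Active Directory mail/displayname lookup rule missing" }

    # Step 3 is optional, but know whether anything restricts who can sign in.
    if (-not $t.AccessControlPolicyName) { $problems += "no access control policy assigned; review who is permitted to use this trust" }

    # The NameID comes from the user's mail attribute, so a user without one cannot sign in.
    if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
        $u = Get-ADUser -Identity $SampleUser -Properties mail, displayName -ErrorAction SilentlyContinue
        if (-not $u) {
            $problems += "sample user '$SampleUser' not found in Active Directory"
        } elseif ([string]::IsNullOrWhiteSpace($u.mail)) {
            $problems += "sample user '$SampleUser' has no mail attribute, so no NameID would be issued"
        }
    }

    return $problems
}

$result = Test-CoviuTrust
if ($result.Count -eq 0) {
    Write-Output "Trust '$TrustName' matches the expected configuration."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it after each change to the trust; an empty result means the identifier, endpoint, signing algorithm and claim rules all match what Coviu expects, and the sample user has the attribute the NameID rule depends on.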


FAQs

  1. Do we integrate with other SSO technologies?
    1. Information on integrating with Azure ADFS can be found here.
    2. If your organisation uses another means for SSO, let us know. Register your interest with your Coviu account representative.