Enterprise - Implementing Coviu with on-Prem ADFS SSO in your Organisation

This article explains the steps taken to integrate Coviu into your on-prem ADFS Single Sign-On (SSO) system.

Last updated: Feb 2021

 

Coviu now provides system administrators with an SSO self-implementation tool built into your Coviu Enterprise account. I recommend taking a look at this help article first and then coming back to undertake the actions below.

 

NOTE: Engage your Corporate IT staff to undertake the following actions

Steps

Following are the steps required to configure ADFS to work with Coviu. Run the PowerShell commands listed below in an elevated session on your primary ADFS federation server (configuration changes made on a secondary server in a WID farm are not persisted) with the ADFS module loaded.

1. Set up the unique identifier (SPN)

Add the unique identifier (SPN), which ADFS stores as the relying party trust identifier, that the Coviu application (client) uses to identify itself to the ADFS service. ADFS matches the Issuer of Coviu's SAML authentication request against this value, so it must match exactly, including the spn: prefix. More information on SPNs can be found here - https://support.microsoft.com/en-au/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on

Your SPN unique ID should be the platform domain mapping for your enterprise platform (for example: demo.oncoviu.com), so the full identifier becomes spn:demo.oncoviu.com.

Powershell command:

$: Add-AdfsRelyingPartyTrust -Name Coviu -Identifier spn:{unique_id}

2. Set up the callback URL

Add the callback URL (the SAML assertion consumer service endpoint) that ADFS sends the SAML authentication response to. Use the exact URL supplied by Coviu: ADFS only posts assertions to an endpoint registered on the trust, and because the assertions are signed but not encrypted (see FAQ 5), the URL must be HTTPS so that the email address and display name carried in the assertion are protected in transit.

Powershell commands:

$: $SamlEndpoint = New-AdfsSamlEndpoint -Binding "POST" -Protocol "SAMLAssertionConsumer" -Uri {to be provided by Coviu}
$: Set-AdfsRelyingPartyTrust -TargetName Coviu -SamlEndpoint $SamlEndpoint

3. (Optional) Add security groups

If you want to restrict who can sign in to Coviu, create or choose the security groups in your organisation that should be allowed to authenticate via SAML and bind them to the trust with an access control policy. Access control policies require ADFS on Windows Server 2016 or later; on ADFS 3.0 (Windows Server 2012 R2) the same restriction is expressed as issuance authorization rules on the trust instead.

Powershell command:

$: Set-AdfsRelyingPartyTrust -TargetName "Coviu" -AccessControlPolicyName "{policy name}" -AccessControlPolicyParameters @{GroupParameter="{group parameter value}"}

4. Set up claim transformation rules

Coviu identifies the user by the NameID in the assertion and expects it to be the user's email address (see FAQ 7). The rules below do three things: look up the authenticated Windows account's mail and displayName attributes in Active Directory, issue the email address as a NameID in emailAddress format, and pass the display name through. Because that NameID becomes the Coviu identity, the mail attribute must be writable only by trusted directory administrators: a user whose mail attribute is set to another person's address would be signed in to that person's Coviu account. To map the SAML response claims to ones that Coviu can understand, use the following command:

$: Set-AdfsRelyingPartyTrust -TargetName Coviu -IssuanceTransformRules '
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress","http://schemas.microsoft.com/identity/claims/displayname"), query = ";mail,displayname;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
c:[Type == "http://schemas.microsoft.com/identity/claims/displayname"] => issue(claim = c);'
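Steps 1 to 4 as a single re-runnable script, added here as an example and not taken from Coviu's documentation. The trust name, platform domain, ACS URL and group list at the top are assumptions to replace with your own values (the ACS URL in particular is whatever Coviu provides in step 2); the format of the group value for GroupParameter is also an assumption, so pass it in whatever form your ADFS version accepts.

```powershell
#Requires -Modules ADFS
# Added example (not a Coviu-supplied script): steps 1 to 4 as one idempotent
# configuration. Every value under param() is an assumption; replace it.
[CmdletBinding()]
param(
    [string]   $TrustName       = 'Coviu',
    [string]   $PlatformDomain  = 'demo.oncoviu.com',                  # assumption: platform domain mapping (step 1)
    [string]   $AcsUrl          = 'https://demo.oncoviu.com/saml/acs', # assumption: replace with the URL Coviu provides (step 2)
    [string[]] $PermittedGroups = @()                                  # assumption: groups for step 3, e.g. 'CONTOSO\Telehealth-Users'; empty skips step 3
)

$ErrorActionPreference = 'Stop'
$Identifier = "spn:$PlatformDomain"

# Assertions are signed but not encrypted, so refuse a non-HTTPS consumer URL.
if (-not $AcsUrl.StartsWith('https://')) {
    throw "Assertion consumer URL must use HTTPS: $AcsUrl"
}

# Step 1: create the trust only if it does not exist; later runs update it in place.
if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName -ErrorAction SilentlyContinue)) {
    Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $Identifier
}

# Step 2: a single HTTP-POST assertion consumer endpoint, marked as the default.
$Endpoint = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' `
    -Uri $AcsUrl -Index 0 -IsDefault $true

# Step 4: the claim rules from the article, as a single-quoted here-string so the
# rule language stays literal. @RuleName labels show up in the ADFS console.
$Rules = @'
@RuleName = "Look up mail and displayName for the authenticated Windows account"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/identity/claims/displayname"), query = ";mail,displayName;{0}", param = c.Value);

@RuleName = "Issue the email address as the SAML NameID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "Pass the display name through"
c:[Type == "http://schemas.microsoft.com/identity/claims/displayname"]
 => issue(claim = c);
'@

$Settings = @{
    TargetName             = $TrustName
    Identifier             = $Identifier
    SamlEndpoint           = $Endpoint
    IssuanceTransformRules = $Rules
    SignatureAlgorithm     = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
}

# Step 3 (optional): bind the built-in "Permit specific group" access control
# policy (ADFS on Windows Server 2016 or later) when groups were supplied.
if ($PermittedGroups.Count -gt 0) {
    $Settings.AccessControlPolicyName       = 'Permit specific group'
    $Settings.AccessControlPolicyParameters = @{ GroupParameter = $PermittedGroups }
}

Set-AdfsRelyingPartyTrust @Settings
```

Run it in an elevated PowerShell session on the primary ADFS server. Re-running it is safe: the trust is only created when absent, and every other setting is applied through Set-AdfsRelyingPartyTrust, so a corrected ACS URL or rule set simply overwrites the previous one.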

Verification

Following the above steps should successfully set up and configure your ADFS service to authenticate users on behalf of Coviu.

To verify the setup, run this command from Powershell:

$: Get-ADFSRelyingPartyTrust -Name coviu

The response of this command should look similar to this:

AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy : False
SigningCertificateRevocationCheck : CheckChainExcludeRoot
WSFedEndpoint :
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {}
ClaimsAccepted : {}
EncryptClaims : True
Enabled : True
EncryptionCertificate :
Identifier : {spn:unique_id from step 1}
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes :
OrganizationInfo :
ObjectIdentifier : acbbb0b0-443f-eb11-845d-005056a71e43
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime : 0
AllowedClientTypes : Public, Confidential
IssueOAuthRefreshTokensTo : AllDevices
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
ScopeGroupIdentifier :
DeviceAuthenticationMethod :
Name : Coviu
AutoUpdateEnabled : False
MonitoringEnabled : False
MetadataUrl :
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules :
IssuanceTransformRules : c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.microsoft.com/identity/claims/displayname"), query = ";mail,displayname;{0}", param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer =
c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

c:[Type == "http://schemas.microsoft.com/identity/claims/displayname"]
=> issue(claim = c);


DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 1/01/1900 11:00:00 AM
LastMonitoredTime : 1/01/1900 11:00:00 AM
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName : Policy name from step 3
AccessControlPolicyParameters : Parameters set in step 3
ResultantPolicy : Details of the security group policy if setup in step 3
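Reading the raw object above by eye is error-prone, so the following function, added here as an example and not part of Coviu's documentation, turns the fields that matter into pass/fail checks: the identifier from step 1, the POST assertion consumer endpoint from step 2, the signature algorithm and the NameID rule from step 4. The trust name, expected identifier and expected ACS URL are assumptions; substitute the values you used in steps 1 and 2.

```powershell
#Requires -Modules ADFS
# Added example (not from Coviu): audit the relying party trust after setup.
function Test-CoviuTrust {
    param(
        [string] $TrustName          = 'Coviu',
        [string] $ExpectedIdentifier = 'spn:demo.oncoviu.com',             # assumption: value from step 1
        [string] $ExpectedAcsUrl     = 'https://demo.oncoviu.com/saml/acs' # assumption: URL Coviu provided in step 2
    )

    $rp = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $rp) { throw "Relying party trust '$TrustName' not found" }

    # Wrap in @() so that "no match" is an empty array rather than $null.
    $acs = @($rp.SamlEndpoints | Where-Object {
        $_.Protocol -eq 'SAMLAssertionConsumer' -and $_.Binding -eq 'POST'
    })

    $checks = [ordered]@{
        'Trust is enabled'                       = [bool]$rp.Enabled
        'Identifier matches step 1'              = $rp.Identifier -contains $ExpectedIdentifier
        'Exactly one POST ACS endpoint'          = $acs.Count -eq 1
        'ACS endpoint is the URL from step 2'    = $acs[0].Location.AbsoluteUri -eq $ExpectedAcsUrl
        'ACS endpoint uses HTTPS'                = $acs[0].Location.Scheme -eq 'https'
        'Assertion signature is RSA-SHA256'      = $rp.SignatureAlgorithm -eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        'NameID rule issues emailAddress format' = $rp.IssuanceTransformRules -match 'nameid-format:emailAddress'
        'Display name is passed through'         = $rp.IssuanceTransformRules -match 'identity/claims/displayname'
    }

    # EncryptClaims defaults to True, but with no encryption certificate on the
    # trust (FAQ 5) the assertion is signed only, so confidentiality rests on TLS.
    if ($rp.EncryptClaims -and -not $rp.EncryptionCertificate) {
        Write-Warning "EncryptClaims is True but no encryption certificate is set: assertions are sent signed but unencrypted to $ExpectedAcsUrl"
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Check  = $name
            Result = $(if ($checks[$name]) { 'PASS' } else { 'FAIL' })
        }
    }
}

Test-CoviuTrust | Format-Table -AutoSize
```

Any FAIL row points at the step to revisit; a wrong ACS URL or identifier is the usual cause of Coviu reporting a failed sign-in even though ADFS shows a successful authentication.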

 

FAQs

  1. Do we integrate with other SSO technologies?
    1. Information on integrating with Azure ADFS can be found here.
    2. If your organisation uses another means for SSO, let us know. Register your interest with your Coviu account representative.
  2. Do we support SAML 2.0?
    1. Yes, SAML 2.0 is the protocol we support at the moment.
  3. Is our product (Coviu) listed in the Azure Marketplace/Gallery?
    1. No. Not at this stage.
  4. Authentication state?
    1. Forms based.
  5. Do we require Microsoft ADFS 3.0 to encrypt assertions, to protect against leakage of sensitive information passed back to Coviu during logon?
    1. We don't support this extra layer of encryption at the moment.
  6. Do we require the Microsoft ADFS 3.0 to sign their assertions?
    1. Yes, we validate the signatures when we receive a request/response from Microsoft ADFS 3.0.
  7. Do we allow unique identifiers other than a users email address?
    1. No. At this stage, we require all user identifiers to be their email address.