ADFS Introduction

Active Directory Federation Services (ADFS) allows individuals within an organization to use their Active Directory credentials to log in to third-party applications such as Project Insight. The benefit is that users do not need to remember another set of login credentials, and, should an employee leave the organization, disallowing their entry into the application is as easy as disabling or deleting them from the organization's Active Directory.

The configuration of an ADFS system should be performed by an experienced Windows Server Administrator in accordance with instructions provided by Microsoft. Microsoft TechNet is the best online resource for the latest and most accurate information on ADFS. Instructions within this topic are intended as an example of ADFS Single Sign-on (SSO) configuration as it relates to settings specifically within Project Insight as a Service Provider.

ADFS PI Configure

To get started, open the ADFS Configuration Manager. If the ADFS Configuration Manager is not available, you will need to install and configure ADFS following Microsoft's guidelines for the version of Windows Server you are using. Once ADFS is installed and configured, you will need to add Project Insight to the Relying Party Trusts. Doing so is extremely easy.

Step 1

Right-click on Relying Party Trust and click “Add Relying Party Trust”.

Step 2

The “Add Relying Party Trust Wizard” appears. Click Start to get to the following Select Data Source options. In the “Select Data Source” section, make sure “Enter data about the relying party manually” is selected and press "Next".

Step 3

In the "Specify Display Name" section, enter a name for your Project Insight website that you can easily remember. We like to use the format "[DomainName]" as our naming scheme for new SSO sites.

Step 4

In the next section "Choose Profile" select 2.0 profile.

Step 5

The next step is to configure the Encryption Certificate. We do not utilize this, as it is an optional security setting. Because the token is then not encrypted with a certificate, we highly recommend always using SSL with your server.

Step 6

In "Configure URL", select the "Enable support for the SAML 2.0 WebSSO protocol" check box and then enter the URL to your Project Insight instance in the format "https://[YOUR DOMAIN]", remembering to replace [YOUR DOMAIN] with your instance of PI. Note that the URL includes "l.aspx"; it is important to include it here.

Step 7

In "Configure Identifiers", again enter the URL for your instance of Project Insight in the format "https://[YOUR DOMAIN]". Note that this URL does not contain "l.aspx"; it is important to exclude it here.

Step 8

In the “Choose Issuance Authorization Rules” section, select the “Permit all users to access this relying party” option.

Step 9

In the “Ready to Add Trust” section, verify the information and click Next.

Step 10

You will see two additional confirmation pages before the Wizard finishes.

Once the Wizard has closed, you will be prompted to set up the Claims that ADFS will send. You can set up claims now or later, but for SSO to work properly with Project Insight you will need to make one more setting change that the wizard does not allow you to alter until after the configuration is finished.

Step 11

Before we are finished, however, we need to make one adjustment to the configuration. On the Relying Party Trusts tab, select the SSO configuration you just set up. A Properties dialog will appear. Select the "Advanced" tab. Change the "Secure Hash Algorithm" from "SHA-256" to "SHA-1". This setting controls the hash algorithm ADFS uses to sign the tokens it issues to this relying party, and it applies only to this trust.

You have now set up the Trust relationship between Project Insight and your Active Directory Federation Service.
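
A read-only check of the trust created in Steps 1 through 11, added here as an example and not taken from Project Insight or Microsoft documentation. It assumes the AD FS PowerShell module on the federation server; `$TrustName` is a placeholder for the display name entered in Step 3.

```powershell
# Added example: read-only audit of the relying party trust from Steps 1-11.
# Assumes the AD FS PowerShell module; run on the federation server.
$TrustName = '<display name from Step 3>'   # placeholder, replace before running
$Sha1Uri   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party trust '$TrustName' not found." }

$findings = New-Object System.Collections.Generic.List[string]

# Step 5: no encryption certificate is configured, so transport security
# is the only protection for the token. Every endpoint must be HTTPS.
foreach ($ep in $rp.SamlEndpoints) {
    $uri = [uri]"$($ep.Location)"
    if ($uri.Scheme -ne 'https') {
        $findings.Add("Endpoint is not HTTPS: $uri")
    }
}

# Step 6: the SAML 2.0 WebSSO (assertion consumer) URL includes l.aspx.
$acs = @($rp.SamlEndpoints | Where-Object {
    "$($_.Protocol)" -eq 'SAMLAssertionConsumer' -and "$($_.Location)" -like '*l.aspx*'
})
if ($acs.Count -eq 0) {
    $findings.Add('No assertion consumer endpoint containing l.aspx.')
}

# Step 7: the identifier is the site URL without l.aspx.
foreach ($id in $rp.Identifier) {
    if ($id -like '*l.aspx*') { $findings.Add("Identifier contains l.aspx: $id") }
}

# Step 11: the Secure Hash Algorithm for this trust is SHA-1.
if ($rp.SignatureAlgorithm -ne $Sha1Uri) {
    $findings.Add("Signature algorithm is $($rp.SignatureAlgorithm), expected SHA-1.")
}

# Print the settings for manual review (Step 8 rules included), then findings.
$rp | Format-List Name, Identifier, SignatureAlgorithm, EncryptClaims, IssuanceAuthorizationRules
$rp.SamlEndpoints | Format-Table Protocol, Binding, Location -AutoSize
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Trust matches the settings described in Steps 5, 6, 7 and 11.'
}
```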

Online 1/25/2017