Configure SAML 2.0 SSO with ADFS

ADFS Introduction

Active Directory Federation Services (ADFS) allows individuals within an organization to use their Active Directory credentials to log in to third-party applications such as Project Insight. The benefit is that users do not need to remember another set of login credentials, and should an employee leave the organization, revoking their access to the application is as easy as disabling or deleting their account in the organization's Active Directory.

The configuration of an ADFS system should be performed by an experienced Windows Server Administrator in accordance with instructions provided by Microsoft. Microsoft TechNet is the best online resource for the latest and most accurate information on ADFS. Instructions within this topic are intended as an example of ADFS Single Sign-on (SSO) configuration as it relates to settings specifically within Project Insight as a Service Provider.

ADFS PI Configure

To get started, open the ADFS Configuration Manager. If the ADFS Configuration Manager is not available, you will need to install and configure ADFS following Microsoft's guidelines for the version of Windows Server you are using. Once ADFS is installed and configured, you will need to add Project Insight to the Relying Party Trusts.

Step 1

Right-click "Relying Party Trusts" and click “Add Relying Party Trust”.

Step 2

The “Add Relying Party Trust Wizard” appears. Click "Start" to get to the “Select Data Source” options. In the “Select Data Source” section, make sure “Enter data about the relying party manually” is selected and press "Next".

Step 3

In the "Specify Display Name" section, enter a name for your Project Insight website that you can easily remember. We like to use the format "[DomainName]" as our naming scheme for new SSO sites.

Step 4

In the next section, "Choose Profile", select "AD FS profile".

Step 5

The next step is to configure the Encryption Certificate. We do not utilize this, as it is an optional security setting. Without an encryption certificate, the SAML assertion is protected in transit only by the HTTPS connection, so we highly recommend always using SSL with your server.

Step 6

In "Configure URL", select the "Enable support for the SAML 2.0 WebSSO protocol" check box and then enter the URL of your Project Insight instance in the format "https://[YOUR DOMAIN]", replacing [YOUR DOMAIN] with your instance of PI. Note that the URL includes the "l.aspx"; it is important to include it here.

Step 7

In "Configure Identifiers", again enter the URL for your instance of Project Insight in the format "https://[YOUR DOMAIN]". Note that this URL does not contain the "l.aspx"; it is important to exclude it here.

Step 8

Skip the "Configure Multi-factor Authentication" section and proceed to “Choose Issuance Authorization Rules”. Select “Permit all users to access this relying party”.

Step 9

On the “Ready to Add Trust” page, verify the information and click "Next".

Step 10

On the "Finish" page you will be prompted to "Open the Edit Claims Rules dialog for this relying party trust when the wizard closes." You may not need to take any further steps in the Edit Claims Rules if you already have default claims rules configured for all relying party trusts in AD.

You have now set up the trust relationship between Project Insight and your Active Directory Federation Service.

If you still need to add a claim rule, see Edit Claim Rules for a Relying Party Trust for an example.
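The same trust can also be created from PowerShell on the AD FS server. This is an added example, not part of the original instructions or Project Insight's own tooling: it mirrors Steps 3 to 9, refuses non-HTTPS URLs because Step 5 leaves token encryption off, and reads the trust back for review. The host name, display name and endpoint path are constructed placeholders, and it assumes an AD FS version that uses issuance authorization rules, as the wizard on this page does.

```powershell
# Added example: scripted equivalent of wizard Steps 3-9. Run on the AD FS server.
# The three values below are placeholders (assumptions); replace them with your own.
$Name       = 'pi.example.com'                             # Step 3: display name
$Identifier = 'https://pi.example.com'                     # Step 7: no "l.aspx"
$AcsUrl     = 'https://pi.example.com/PLACEHOLDER/l.aspx'  # Step 6: your URL including "l.aspx"

Import-Module ADFS

# Step 5 skips the encryption certificate, so the assertion relies on TLS alone:
# refuse anything that is not an https URL.
foreach ($u in $Identifier, $AcsUrl) {
    if (([uri]$u).Scheme -ne 'https') { throw "Not an https URL: $u" }
}

# Steps 6 and 7: the endpoint includes "l.aspx", the identifier must not.
if ($AcsUrl -notmatch 'l\.aspx')   { throw 'Endpoint URL must include l.aspx (Step 6)' }
if ($Identifier -match 'l\.aspx')  { throw 'Identifier must not contain l.aspx (Step 7)' }

# Do not silently create a second trust under the same display name.
if (Get-AdfsRelyingPartyTrust -Name $Name) { throw "Trust '$Name' already exists" }

# Step 6: SAML 2.0 WebSSO assertion consumer endpoint (HTTP POST binding).
$endpoint = New-AdfsSamlEndpoint -Binding 'POST' `
    -Protocol 'SAMLAssertionConsumer' -Uri $AcsUrl

# Step 8: the rule behind "Permit all users to access this relying party".
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $Name -Identifier $Identifier `
    -SamlEndpoint $endpoint -IssuanceAuthorizationRules $permitAll

# Step 9: read the trust back and verify it before users rely on it.
Get-AdfsRelyingPartyTrust -Name $Name |
    Format-List Name, Identifier, Enabled, EncryptionCertificate,
                SamlEndpoints, IssuanceAuthorizationRules
```

An empty EncryptionCertificate in the output is expected with this configuration and confirms that HTTPS is the only protection for the assertion in transit.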

Online 1/25/2017