To integrate Microsoft ADFS with AirMason, you need to be added as a collaborator on the account. If you don’t have access, contact the account owner or admin to grant you the required permissions for IT integration. For instructions on adding a new collaborator, refer to this guide.
Employee Portal URL:
In this article, we'll be referencing this URL at a couple of places. You can figure out what to use there by going to Manage Organization > Employee Portal
If you've custom domain setup on AirMason
- then your Employee Portal URL will be your custom domain (Eg: handbooks.johnsmithweb.com)
- otherwise it will be books.airmason.com/<company-handle>, where <company-handle> is company handle that you've set up. (Eg: books.airmason.com/johnsmith)
Setting up AirMason app on ADFS:
Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.
1.1. In the Select Data Source screen, select the last option, Enter Data About the Party Manually.
1.2. On the next screen, enter a Display Name that you'll recognize in the future, and any notes you want to make.
1.3. On the next screen, select the AD FS FS profile radio button.
1.4. On the next screen, leave the certificate settings at their defaults unless you would like to choose a certificate in which case you'll have to provide your public key later.
1.5. On the next screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be https://<Employee Portal URL>/ms_adfs/saml2 (replace <Employee Portal URL> with your Employee Portal URL).
1.6. On the next screen, set Relying party trust identifier as https://books.airmason.com
1.7. On the next screen, you can choose to configure multi-factor authentication.
1.8. On the next screen, you can choose who can access this AirMason application.
1.9. On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.Creating claim rules:
2.1. To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
2.2. On the next screen, using Active Directory as your attribute store, do the following: (below steps are case sensitive)
- From the LDAP Attribute column, select the field that contains E-mail address. From the Outgoing Claim Type, select email
- From the LDAP Attribute column, select the field that contains employee's first name. From the Outgoing Claim Type, select firstName
- From the LDAP Attribute column, select the field that contains employee's last name. From the Outgoing Claim Type, select lastName
2.3. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
- Select Email-Address as the Incoming Claim Type.
- For Outgoing Claim Type, select Name ID.
- For Outgoing Name ID Format, select Email.
2.4. Leave the rule to the default of Pass through all claim values
2.5. Finally, click OK to create the claim rule, and then OK again to finish creating rules.
Connecting ADFS SSO app to AirMason:
Go to Server Manager > Tools > AD FS Management and do the following:
1.1. Right-click on Service and select Edit Federation Service Properties, and copy Federation Service Identifier
1.2. Go to Service > Certificates from the left panel. Select certificate listed under token-signing and select View Certificate by doing right click. Then go to Details tab. Find the Thumbprint field and click on copy to file. Click next and export this file and then copy its content.Now, login to airmason.com and go to Integrations page
Select Microsoft ADFS app from SSO applications and click on Connect and set the following params:
3.1. Issuer URL as Federation Service Identifier value from Step 1.1.
3.2. Certificate as Thumbprint file value from Step 1.2.
3.3. SAML 2.0 Endpoint as Federation Service Identifier value from Step 1.1 but make the following changes to it:
- Replace "http://" with "https://"
- Replace "adfs/services/trust" with "adfs/ls/idpinitiatedSignOn"
Final URL should look like this: https://your-domain/adfs/ls/idpinitiatedSignOn
- Optional: For setting up auto-selected relying party, add “aspx?logintorp=<application-identifier>” at the end of above URL, so it looks like this: https://your-domain/adfs/ls/idpinitiatedSignOn/aspx?logintorp=https://books.airmason.com (replace <application-identifier> with application identifier you set up while creating relying party trust on ADFS)
Testing ADFS SSO as employee:
Go to your Employee Portal URL. It should show you login page for viewing your handbooks
Click on "Login with Microsoft ADFS"
It should take you to login using ADFS SSO credentials page (if you are not logged in)
Once you log in, it should bring you back to AirMason and you should be able to view handbooks you've access to (similar to what is shown below).