Before you begin
Before setting up your new ADFS configuration, you'll want to work with your IT staff on the following:
- Your IT staff must add Springshare as an authorized service provider using the appropriate Entity ID for your region, unless your site automatically adds InCommon service providers (see the InCommon Federation Technical Guide for more info). When setting up an ADFS configuration, you will find a link to the Entity ID at the top of the Configuration tab.
- Need help preparing ADFS to work with LibAuth? For more detailed instructions about adding Springshare as an authorized service provider and setting up claim rules, see How do I setup ADFS to communicate with LibAuth?
- Obtain the URL to your SAML Metadata XML file from your IT staff.
- You can find the necessary attributes in the Adding a new ADFS configuration in LibAuth section, below.
- Please note that the attribute format for First Name, Last Name, and Email looks like a URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, etc.
- If you want to set up group permissions, you'll need to know the names of certain attributes (such as status or department), along with their possible values.
- For example, if you have an attribute for "Department", you'll want to know the names of the departments that you can pick from.
- This will allow you to create group permissions so you can restrict access to things by department.
How do I set up ADFS to communicate with LibAuth?
If you're unsure how to set up your ADFS to work with LibAuth, the steps below can help you and your IT staff get started.
Step 1. Add Relying Party Trust
If your site does not automatically add InCommon service providers, you can add Springshare as an authorized service provider by doing the following:
- Log into the ADFS server and open the management console.
- Go to ADFS Management > Relying Party Trusts > New Relying Party Trust to launch the Wizard. Click Start.
- Click Data Source, and choose "Import data about the relying party published online or on a local network." Paste the LibAuth EntityID URL for your region in the URL field, then click Next.
- If prompted for a Display Name, enter "LibAuth" or whatever you'd like to call your connection to LibAuth.
- Under Choose Profile, you'll want to choose the first option (AD FS profile), unless you know for sure that the second option is what you need.
- Do not change anything in the Configure Certificate pane.
- On the Configure URL pane, choose the option for "Enable support for the SAML 2.0 Web/SSO protocol," and enter the LibAuth EntityID URL for your region.
- Under Configure Identifier, click Add and paste in the EntityID URL. This must be the fully-qualified URL with the protocol (https://).
- Configuring Multi-factor Authentication is not currently supported by LibAuth; leave this pane unchanged and proceed to Step 8.
- In the Issuance Authorization Rules pane, choose "Permit all users..."
- The next screen or two are confirmation screens that show the information that has been entered/received. Please take a moment to verify that all the settings are correct here.
- Make sure that the "Open Edit Claim Rules..." checkbox is checked, and click Finish.
Step 2. Add claim rules
- To get started, click the Add Rule button to launch the Add Transform Claim Rule Wizard.
- On the next screen, select "Send LDAP Attributes as Claims" and click Next.
- On the next screen, name your rule "LDAP Email," and choose the following:
- Attribute Store = Active Directory
- Choose E-Mail Addresses from the "LDAP Attribute (select or type to add more)" menu
- Choose Transient Identifier from the Outgoing Claim Type menu. (If Transient Identifier isn't offered here, leave the outgoing claim type as E-Mail Address; you'll set the Transient format in the next rule.)
- Click "Add Rule..." again, this time choosing "Transform an Incoming Claim" and then:
- Choose "Email Address" as the Incoming Claim type.
- Choose NameID as the outgoing claim type.
- Choose Transient Identifier as the Outgoing NameID format.
- Click OK to save this rule.
- Click OK to finish creating rules.
Step 3. A few finishing touches
- With your new Relying Party Trust (RPT) selected, choose Properties from the Actions sidebar.
- On the Advanced tab, choose SHA-256.
- In the Endpoints tab, click on add SAML to add a new endpoint.
- Select SAML logout for the endpoint type.
- Determining the logout URL for this field is beyond the scope of this FAQ. Paste your logout URL into the URL field of the endpoint dialog.
- Click OK in the open prompts to save your changes. You're now ready to set up LibAuth!
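Steps 1 through 3 above, scripted with the ADFS PowerShell module as an added example (this is not Springshare's code or part of the original FAQ). It assumes you run it on the ADFS server; the EntityID and logout URLs are placeholders you replace with the values described above.

```powershell
# Added example (not Springshare's code): the Relying Party Trust, claim rules and
# finishing touches from Steps 1-3, scripted with the ADFS PowerShell module.
# Assumptions: run on the ADFS server; the EntityID and logout URLs below are placeholders.
Import-Module ADFS

$entityId  = 'https://PLACEHOLDER-libauth-entityid-for-your-region'   # from the LibAuth Configuration tab
$logoutUrl = 'https://PLACEHOLDER-logout-url'                          # supplied by your IT staff

# Step 2 in ADFS claim-rule language. Rule 1 is "Send LDAP Attributes as Claims"
# (AD mail attribute -> E-Mail Address). Rule 2 is "Transform an Incoming Claim"
# (E-Mail Address -> NameID with the Transient Identifier format).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Transient NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Issuance authorization: the wizard's "Permit all users" choice.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 1: import the relying party from the published metadata, attach the rules,
# and select SHA-256 (the Advanced tab setting from Step 3).
Add-AdfsRelyingPartyTrust -Name 'LibAuth' `
    -MetadataUrl $entityId `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Step 3: add the SAML logout endpoint alongside the endpoints the metadata import created.
# POST binding is assumed here; use the binding your IT staff specify.
$rpt    = Get-AdfsRelyingPartyTrust -Name 'LibAuth'
$logout = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
Set-AdfsRelyingPartyTrust -TargetName 'LibAuth' -SamlEndpoint (@($rpt.SamlEndpoints) + $logout)

# Check the result: identifier, signing algorithm, and both transform rules should appear.
Get-AdfsRelyingPartyTrust -Name 'LibAuth' |
    Select-Object Identifier, SignatureAlgorithm, IssuanceTransformRules
```

Compare the printed IssuanceTransformRules against the two rules you would otherwise see in the Edit Claim Rules dialog before handing the metadata URL over to LibAuth.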
Navigating to your LibAuth settings
LibApps Admin users can create and manage LibAuth configurations by going to LibApps > Admin > LibAuth Authentication.
From the Admin > LibAuth Authentication page:
- If you have not yet created a LibAuth configuration, skip to Step 2. Otherwise, click on the Add Configuration button to create another one.
- Below the Search for Your Institution dropdown, click on the Manual Configuration link.
- Select SAML/Shibboleth/ADFS as your authentication protocol.
- Configure your server information & parameters.
- Select "No" for the InCommon membership option.
- Select "No" for the UK Federation membership option.
- Enter the URL to your SAML metadata XML file.
- Leave the Shibboleth 2.x logout URL field blank.
- Use the following ADFS attributes in your LibAuth configuration settings (enter the entire URLs, though please note these URLs are not to actual webpages and will not resolve if you visit them in a browser):
- Give your configuration a name.
- If you'd like, you can also provide notes or details about this configuration for your reference.
- Click the Save Configuration button.