This document is to help verify the ADFS settings and the corresponding UpKeep settings after the wizard has completed.
Please see Setup SSO using ADFS for Upkeep for the initial setup process.
A. Relying Party Trust Settings
1 - Sign in to the server where ADFS is installed
2 - Open the ADFS management console and select Trust Relationships, then Relying Party Trusts in the left console tree.
3 - Right click on the UpKeep Relying Party Trust and choose Properties.
4 - Monitoring: Monitoring should be empty.
5 - Identifiers
Relying party identifiers: http://app.onupkeep.com
6 - Encryption: Should be empty.
7 - Signature: Should be empty.
8 - Accepted Claims: Should be empty.
9 - Organization: Should be empty.
10 - Endpoints
There should be 2 Endpoints here, one with Index 0 and one with Index 1. Select Endpoint with the Index 0 and click Edit.
Set the trusted URL as default: Unchecked
Trusted URL: This URL will come from your UpKeep SAML Authentication settings page.
Click OK to return the Endpoints listing. Select Endpoint with Index 1 and click Edit.
The settings will be the same as for the first Endpoint except for the Index and the Trusted URL.
Trusted URL: https://api.onupkeep.com/auth/saml/acs/
Click OK to return to the Endpoints listing.
11 - Proxy Endpoints: Should be empty.
12 - Notes: Should be empty.
13 - Advanced: Ensure SHA-256 is selected
From the main ADFS console window, under Relying Party Trusts, right-click the UpKeep Relying Party Trust and select Edit Access Control Policy.
Ensure Permit everyone is selected.
Click OK to return.
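The checklist in Section A can also be verified from the AD FS server itself instead of clicking through each tab. The script below is an added example, not part of the UpKeep article or UpKeep's own tooling: it reads the trust through the AD FS PowerShell module and compares each property with the value the steps above call for. It assumes the trust was created with the display name UpKeep (change $trustName if the wizard used a different name), that it runs in an elevated session on the AD FS server, and that AD FS 2016 or later is in use for the access control policy check (older versions have no AccessControlPolicyName property and use issuance authorization rules instead). The Index 0 Trusted URL is specific to your company, so it is printed for manual comparison rather than checked.

```powershell
# Added example, not part of the UpKeep article: read the UpKeep Relying Party
# Trust through the AD FS PowerShell module and compare it with the values the
# checklist in Section A expects. Run in an elevated session on the AD FS server.
Import-Module ADFS

$trustName   = 'UpKeep'                                    # assumed display name of the trust
$expectedId  = 'http://app.onupkeep.com'                   # Section A, step 5
$expectedAcs = 'https://api.onupkeep.com/auth/saml/acs/'   # Section A, step 10, Index 1
$sha256Uri   = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'  # what "SHA-256" on the Advanced tab means

$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying Party Trust '$trustName' not found" }

$endpoints = @($rp.SamlEndpoints)
$index0    = @($endpoints | Where-Object { $_.Index -eq 0 })
$index1    = @($endpoints | Where-Object { $_.Index -eq 1 })

# Each entry maps a checklist item to a boolean; keys carry the step number from Section A.
$checks = [ordered]@{
    'Step 4  Monitoring empty'                 = (-not $rp.MonitoringEnabled) -and (-not $rp.AutoUpdateEnabled)
    'Step 5  Identifier is app.onupkeep.com'   = $rp.Identifier -contains $expectedId
    'Step 6  No encryption certificate'        = $null -eq $rp.EncryptionCertificate
    'Step 7  No request signing certificate'   = @($rp.RequestSigningCertificate).Count -eq 0
    'Step 8  No accepted claims'               = @($rp.ClaimsAccepted).Count -eq 0
    'Step 9  Organization empty'               = $null -eq $rp.OrganizationInfo
    'Step 10 Exactly two SAML endpoints'       = $endpoints.Count -eq 2
    'Step 10 Index 1 points at the UpKeep ACS' = $index1.Count -eq 1 -and $index1[0].Location.AbsoluteUri -eq $expectedAcs
    'Step 10 No endpoint set as default'       = @($endpoints | Where-Object { $_.IsDefault }).Count -eq 0
    'Step 11 No proxy endpoints'               = @($rp.ProxyEndpointMappings).Count -eq 0
    'Step 12 Notes empty'                      = [string]::IsNullOrWhiteSpace($rp.Notes)
    'Step 13 Signature algorithm is SHA-256'   = $rp.SignatureAlgorithm -eq $sha256Uri
    # AccessControlPolicyName exists on AD FS 2016 and later only.
    'Policy  Permit everyone'                  = $rp.AccessControlPolicyName -eq 'Permit everyone'
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    $status = if ($c.Value) { 'OK  ' } else { $failed++; 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $c.Key)
}

# Step 10, Index 0: the Trusted URL is your company-specific SSO Post Back URL from
# UpKeep (Section C), so show it for a manual comparison instead of asserting on it.
if ($index0.Count -eq 1) {
    Write-Output ("Index 0 Trusted URL: {0}  (compare with the SSO Post Back URL in UpKeep)" -f $index0[0].Location.AbsoluteUri)
} else {
    Write-Output "Index 0 endpoint missing or duplicated"
}

if ($failed -gt 0) { Write-Warning "$failed check(s) differ from the documented settings" }
```

Any FAIL line points at the tab to revisit in the Properties dialog; the script only reads the trust and changes nothing, so it is safe to re-run after each correction.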
B. Transform Claim Rules Setup
Setting up a Transform Claim Rule is optional and does not prevent your SSO setup from working, but it is recommended so that Active Directory attributes are passed to UpKeep.
1 - From the main ADFS console window, under Relying Party Trusts, right-click the UpKeep Relying Party Trust and select Edit Claims Issuance Policy.
2 - You will see two Issuance Transform Rules, as shown below. Highlight the first rule and click Edit Rule.
3 - E-Mail rule should match as below
Claim Rule Name: E-mail
Attribute Store: Active Directory
LDAP Attribute: E-Mail-Addresses
Outgoing Claim Type: E-Mail Address
Click OK to return to the rules listing.
4 - Highlight the second rule. Click Edit Rule.
Claim rule name: NameID
Incoming claim type: E-mail Address or UPN (if UPN is in email format)
Outgoing claim type: Name ID
Outgoing name ID format: Email
Select Pass through all claim values
Click OK to return.
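The two rules from Section B are stored on the trust as claim rule language text, which can be read back and checked without opening each rule. The script below is an added example, not part of the UpKeep article or UpKeep's own tooling; it assumes the trust display name UpKeep and the AD FS PowerShell module on the AD FS server. It looks for the markers that the wizard templates used above (Send LDAP Attributes as Claims for the E-mail rule, Transform an Incoming Claim for the NameID rule) write into the rule text: the E-Mail-Addresses LDAP attribute is "mail", the E-Mail Address claim type is the schemas.xmlsoap.org emailaddress URI, and the Email name ID format is the SAML 1.1 emailAddress URN. It also checks that the E-mail rule precedes the NameID rule, because the NameID transform consumes the e-mail claim that the first rule issues.

```powershell
# Added example, not part of the UpKeep article: dump the issuance transform
# rules on the UpKeep trust and check that the two rules from Section B are
# present and in the right order. The trust name 'UpKeep' is an assumption.
Import-Module ADFS

$rp    = Get-AdfsRelyingPartyTrust -Name 'UpKeep'
if (-not $rp) { throw "Relying Party Trust 'UpKeep' not found" }
$rules = [string]$rp.IssuanceTransformRules

Write-Output '----- current issuance transform rules -----'
Write-Output $rules
Write-Output '--------------------------------------------'

# Claim type and format URIs behind the friendly names shown in the wizard.
$emailClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'   # "E-Mail Address"
$upnClaim    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'            # "UPN"
$nameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' # "Name ID"
$emailFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'               # name ID format "Email"
$mailQuery   = ';mail;{0}'   # LDAP attribute "E-Mail-Addresses" is the AD attribute "mail"

# Rule 1 (Send LDAP Attributes as Claims): Active Directory store, mail -> E-Mail Address.
$hasEmailRule = $rules -match [regex]::Escape('store = "Active Directory"') -and
                $rules -match [regex]::Escape($emailClaim) -and
                $rules -match [regex]::Escape($mailQuery)

# Rule 2 (Transform an Incoming Claim): E-Mail Address or UPN -> Name ID with format Email.
# "Pass through all claim values" means the rule carries no Value filter, so only the
# claim types and the format property are checked here.
$hasNameIdRule = $rules -match [regex]::Escape($nameIdClaim) -and
                 $rules -match [regex]::Escape($emailFormat) -and
                 ($rules -match [regex]::Escape("c:[Type == `"$emailClaim`"]") -or
                  $rules -match [regex]::Escape("c:[Type == `"$upnClaim`"]"))

# Rules run in order and a later rule sees claims issued by earlier ones, so the
# e-mail rule must come before the NameID transform that depends on it.
$inOrder = $hasEmailRule -and $hasNameIdRule -and
           ($rules.IndexOf($mailQuery) -lt $rules.IndexOf($emailFormat))

$results = [ordered]@{
    'E-mail rule  (Active Directory, mail -> E-Mail Address)'        = $hasEmailRule
    'NameID rule  (E-Mail Address or UPN -> Name ID, format Email)'  = $hasNameIdRule
    'Order        (E-mail rule listed before NameID rule)'           = $inOrder
}
foreach ($r in $results.GetEnumerator()) {
    $status = if ($r.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $r.Key)
}
if ([string]::IsNullOrWhiteSpace($rules)) {
    Write-Warning 'No issuance transform rules are set; UpKeep will not receive the e-mail or Name ID claims.'
}
```

The dump printed first is the same text the Edit Rule dialog shows under "View Rule Language", which makes it easy to spot a rule that was typed by hand with a different LDAP attribute or name ID format.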
C. UpKeep SAML Settings
1 - Sign in to your UpKeep administration page (https://app.onupkeep.com). Click Settings in the bottom left corner.
Select Authentication. Select Custom SAML 2.0, Configure.
2 - You will see the following screen. Let’s deal with each section individually.
- Unique Company Identifier: Enter an identifier that is unique to your company. This is case-sensitive.
Note: If you change this, it will change your SSO Post Back URL (which is needed in Section A, Step 10).
- SSO Post Back URL (Assertion Consumer Service URL)
This unique URL is used to connect to your on-premises ADFS. This URL is needed in Section A, Step 10 above.
- SAML 2.0 Endpoint and Identity Provider Issuer
SAML 2.0 Endpoint is your main ADFS URL (e.g. https://adfs.yourcompany.com) combined with the URL path of your SAML 2.0 Endpoint found in your ADFS management console (the default is /adfs/ls).
Merging the main URL with the SAML 2.0 URL path above would produce https://adfs.yourcompany.com/adfs/ls
Identity Provider Issuer
From the ADFS management console, highlight Service in the navigation tree, right-click on Service, click Edit Federation Service Properties.
Enter the Federation Service identifier in the Identity Provider Issuer field.
- Public certificate
This is the token-signing certificate from the ADFS management console.
Browse to AD FS -> Service -> Certificates. Highlight the Token-signing certificate. Right-click, View Certificate.
Click the Details tab, Copy to File.
Export the certificate as Base-64 encoded X.509 (.CER).
Paste the contents of this CER file (text file) into the public certificate field.
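The three ADFS-side values in Section C (SAML 2.0 Endpoint, Identity Provider Issuer, and the Base-64 token-signing certificate) can be gathered in one go on the AD FS server. The script below is an added example, not part of the UpKeep article or UpKeep's own tooling; it assumes the AD FS PowerShell module, an elevated session on the AD FS server, and a writable Desktop folder for the exported .CER file (the file name adfs-token-signing.cer is an assumption). It reads the Federation Service identifier and hostname from Get-AdfsProperties, confirms the /adfs/ls endpoint is enabled instead of assuming the default path, and exports the primary token-signing certificate in the same Base-64 X.509 form that the Copy to File wizard produces. It also reports whether automatic certificate rollover is on, because a rolled-over token-signing certificate has to be pasted into UpKeep again or sign-ins will fail.

```powershell
# Added example, not part of the UpKeep article: collect the ADFS-side values
# for the UpKeep SAML settings page straight from the AD FS server.
Import-Module ADFS

$props = Get-AdfsProperties

# Identity Provider Issuer = the Federation Service identifier (Edit Federation Service Properties).
$issuer = $props.Identifier.AbsoluteUri

# SAML 2.0 Endpoint = the federation service hostname + the SAML endpoint path.
# Look the endpoint up rather than assuming /adfs/ls is still enabled.
$ls = Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq '/adfs/ls/' }
if ($ls -and $ls.Enabled) {
    $samlEndpoint = $ls.FullUrl.AbsoluteUri.TrimEnd('/')
} else {
    Write-Warning 'The /adfs/ls/ endpoint is missing or disabled; falling back to the default path.'
    $samlEndpoint = "https://$($props.HostName)/adfs/ls"
}

# Public certificate = the primary token-signing certificate, exported as
# Base-64 encoded X.509 (.CER), i.e. a PEM block without the private key.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2
$der     = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem     = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`r`n-----END CERTIFICATE-----"

$outFile = Join-Path $env:USERPROFILE 'Desktop\adfs-token-signing.cer'   # assumed output path
Set-Content -Path $outFile -Value $pem -Encoding Ascii

Write-Output "SAML 2.0 Endpoint        : $samlEndpoint"
Write-Output "Identity Provider Issuer : $issuer"
Write-Output "Token-signing thumbprint : $($cert.Thumbprint)"
Write-Output "Certificate valid until  : $($cert.NotAfter)"
Write-Output "Public certificate file  : $outFile (paste its contents into UpKeep)"

# AD FS replaces the token-signing certificate automatically when rollover is on;
# UpKeep only trusts the certificate pasted into it, so note the date and repeat
# this export after each rollover.
if ($props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is enabled: re-export and re-paste the certificate after each rollover.'
}
```

The exported file contains only the public certificate, so it can be pasted into the UpKeep field as-is; the private key stays in the AD FS certificate store.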