Adding a new relying party trust
The connection between ADFS and the Validis portal is defined using a relying party trust.
Log in to the server where ADFS is installed.
Launch the ADFS Management application (Start > Administrative Tools > ADFS Management) and select the Trust Relationships > Relying Party Trusts node.
Click Add Relying Party Trust from the Actions sidebar.
Click Start on the Add Relying Party Trust wizard.
On the Select Data Source screen, click Enter data about the relying party manually and click Next.
Provide information for each screen in the Add Relying Party Trust wizard:
- On the Specify Display Name screen, enter a Display name of your choosing and any notes (e.g. DataShare SSO), select ADFS profile, and then click Next.
- Skip the Configure Certificate screen by clicking Next.
- On the Configure URL screen, select the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The URL will be https://customerdomain.environment.validis.com, replacing customerdomain with your domain name and environment with your domain's environment (UK, US, CA, etc). Note that there's no trailing slash at the end of the URL.
- On the Configure Identifiers screen, enter the Relying party trust identifier. This is your customer URL, https://customerdomain.validis.com. Then click Next.
- Skip the Configure Multi-factor Authentication screen (unless you want to configure this) by clicking Next.
- Skip the Choose Issuance Authorization Rules screen by clicking Next.
- On the Ready to Add Trust screen, review your settings and then click Next.
- On the final screen, make sure the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox is selected and click Finish. This opens the claim rule editor.
Creating claim rules
After you create the relying party trust, you can create the claim rules and make minor changes that aren't set by the wizard.
If the claim rules editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.
In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.
Create the following rule:
- LDAP Attribute: E-Mail-Addresses
- Outgoing Claim Type: E-Mail Address
- Enter a descriptive rule name
- Attribute Store: Active Directory (this may differ depending on the store your users are mapped to)
Click OK.
Repeat the first two steps above to add another rule.
Create the following rule:
- LDAP Attribute: E-Mail-Addresses
- Outgoing Claim Type: Name ID
- Enter a descriptive rule name
- Attribute Store: Active Directory
Adjusting the settings
You still need to adjust a few settings on your relying party trust.
In the Relying Party Trusts list, double-click the relying party object that you created (or select Actions > Properties while you have the Relying Party Trust selected).
On the Advanced tab, change the Secure hash algorithm to SHA-256.
On the Endpoints tab, click Add SAML to add a new endpoint:
- For the Endpoint type, select SAML Assertion Consumer.
- For the Binding, choose POST.
- For the Trusted URL: https://customerdomain.validis.com/oauth/saml20 (replace customerdomain with your domain)
Click OK twice. You should now have a working relying party trust for the DataShare portal. Please try signing into your DataShare portal to verify SSO is functioning properly.
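The same trust, claim rules, SHA-256 signing setting and /oauth/saml20 endpoint can be created with the ADFS PowerShell module instead of the wizard. This is an added example, not part of the Validis documentation; the customer domain and environment values are placeholders you must replace, and the display name DataShare SSO is taken from the steps above.

```powershell
# Added example (not from the Validis documentation): build the relying party
# trust described above with the ADFS PowerShell module. Run in an elevated
# PowerShell session on the ADFS server after replacing the placeholders.
Import-Module ADFS

$CustomerDomain = "customerdomain"   # placeholder: your customer domain
$Environment    = "uk"               # placeholder: your environment (UK, US, CA, etc.)

$SsoUrl     = "https://$CustomerDomain.$Environment.validis.com"   # SAML 2.0 WebSSO URL, no trailing slash
$Identifier = "https://$CustomerDomain.validis.com"                # relying party trust identifier
$AcsUrl     = "https://$CustomerDomain.validis.com/oauth/saml20"   # extra SAML Assertion Consumer endpoint

# The two "Send LDAP Attributes as Claims" rules in ADFS claim rule language.
# Both read the AD "mail" attribute (E-Mail-Addresses); the first issues it as
# E-Mail Address, the second as Name ID.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Email as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Endpoints: the WebSSO URL entered in the wizard plus the /oauth/saml20
# consumer added on the Endpoints tab, both SAML Assertion Consumer with POST binding.
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $SsoUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 1
)

Add-AdfsRelyingPartyTrust -Name "DataShare SSO" `
    -Identifier $Identifier `
    -SamlEndpoint $Endpoints `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -IssuanceTransformRules $Rules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# The authorization rule above is the wizard's default "Permit all users" rule.

# Check: the identifier, SHA-256 signing and both endpoints should all be listed.
Get-AdfsRelyingPartyTrust -Name "DataShare SSO" |
    Select-Object Name, Identifier, SignatureAlgorithm, @{ n = "Endpoints"; e = { $_.SamlEndpoints.Location } }
```

The identifier must match https://customerdomain.validis.com exactly (scheme, host, no trailing slash), since ADFS selects the trust by comparing it with the Issuer the portal sends in its SAML request.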