UNItekTIME supports single sign-on (SSO) logins through SAML 2.0/WS-Federation if you’re on the Professional or Enterprise plans. A SAML 2.0/WS-Federation identity provider (IdP) can take many forms, one of which is a self-hosted Active Directory Federation Services (ADFS) server. ADFS is a standard Windows Server role from Microsoft that provides a web login using existing Active Directory credentials.
To use ADFS to log in to your UNItekTIME instance, you need the following components:
- An Active Directory instance where all users have an email address attribute.
- A UNItekTIME instance with Hosted plans.
- A server running Windows Server 2012 or 2008. This guide uses screenshots from Windows Server 2012 R2, but the steps are similar on other versions.
- An SSL certificate to sign your ADFS login page, and the fingerprint of that certificate.
- If you’re using host mapping in your UNItekTIME instance, a certificate installed for hosted SSL.
After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but it is detailed in a Microsoft KB article.
Once ADFS is fully installed, note down the value of the ‘SAML 2.0/WS-Federation’ URL in the ADFS Endpoints section. If you chose the defaults during installation, this will be ‘/adfs/ls/’.
Step 1 – Adding a Relying Party Trust
At this point you should be ready to set up the ADFS connection with your UNItekTIME instance. The connection between ADFS and UNItekTIME is defined using a Relying Party Trust (RPT).
Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.
- In the Select Data Source screen, select the last option, Enter Data About the Party Manually.
- On the next screen, enter a Display name that you’ll recognize in the future, and any notes you want to make.
- On the next screen, select the AD FS profile radio button.
- On the next screen, leave the certificate settings at their defaults.
- On the next screen, check the box labeled Enable Support for the WS-Federation Passive Protocol. The service URL will be https://subdomain.unitektime.com/, replacing subdomain with your UNItekTIME subdomain. Note that there’s no trailing slash at the end of the URL.
- On the next screen, add a Relying party trust identifier of subdomain.unitektime.com, replacing subdomain with your UNItekTIME subdomain.
- On the next screen, you may configure multi-factor authentication, but this is beyond the scope of this guide.
- On the next screen, select the Permit all users to access this relying party radio button.
- On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.
Step 2 – Creating claim rules
Once the relying party trust has been created, you can create the claim rules and update the RPT with the minor changes that the wizard doesn’t set. By default, the claim rule editor opens once you have created the trust. If you want to map additional values beyond authentication
- To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
- On the next screen, using Active Directory as your attribute store, do the following:
  - In the first row, select E-Mail Addresses from the drop-down list for both the LDAP Attribute and the Outgoing Claim Type columns.
  - In the second row, select Given-Name from the drop-down list.
  - In the third row, select Surname from the drop-down list.
- Click Finish to save the new rule.
You still need to adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar while you have the RPT selected.
In the Advanced tab, switch the secure hash algorithm from SHA-1 to SHA-256 and click OK.
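The same Step 1 and Step 2 settings expressed with the ADFS PowerShell cmdlets, as an added example that is not part of the original guide or of UNItekTIME’s own documentation. It assumes the ADFS role is already installed on Windows Server 2012 R2 and uses the placeholder subdomain `example`, which you must replace with your own.

```powershell
# Added example (not from the original guide): create the UNItekTIME relying
# party trust and its claim rules with PowerShell instead of the wizard.
# Assumes the ADFS role is installed; "example" is a placeholder subdomain.
Import-Module ADFS

$subdomain     = "example"   # placeholder: your UNItekTIME subdomain
$identifier    = "$subdomain.unitektime.com"
$wsFedEndpoint = "https://$subdomain.unitektime.com/"

# Confirm the passive endpoint the guide tells you to note down (default /adfs/ls/).
Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq "/adfs/ls/" } |
    Select-Object Protocol, FullUrl, Enabled

# Step 2 equivalent: a "Send LDAP Attributes as Claims" rule mapping
# mail -> E-Mail Address, givenName -> Given Name, sn -> Surname.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UNItekTIME user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# The wizard's "Permit all users to access this relying party" choice.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 1 equivalent, already set to the SHA-256 signature algorithm that the
# guide switches to on the Advanced tab.
Add-AdfsRelyingPartyTrust -Name "UNItekTIME ($identifier)" `
    -Identifier $identifier `
    -WSFedEndpoint $wsFedEndpoint `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify: the trust should report SHA-256 and the three outgoing claim types.
Get-AdfsRelyingPartyTrust -Identifier $identifier |
    Select-Object Name, Enabled, SignatureAlgorithm, WSFedEndpoint, IssuanceTransformRules
```

Check the SignatureAlgorithm value in the output before testing a login; a trust left on rsa-sha1 will sign tokens with SHA-1 even though the wizard defaults look complete.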
Step 3 – Configuring User settings with LDAP
In Active Directory, the user attributes should map to the following LDAP attributes:
- First Name is Given-Name (Mandatory)
- Last Name is Surname (Mandatory)
- Email is E-mail-Address (Mandatory)
Step 4 – Configuring UNItekTIME
After setting up ADFS, you need to configure your UNItekTIME instance to authenticate using SAML. You’ll use your full ADFS server URL with the SAML endpoint as the SSO URL, and the login endpoint you created as the logout URL.
After you’re done, the Security page in the UNItekTIME admin interface (Admin Options > Preferences > Security) should look like this:
You need to provide the SAML SSO URL here. You should now have a working ADFS SSO implementation for your UNItekTIME instance.