Configure ADFS SSO

Observe supports single sign-on through Microsoft Active Directory Federation Services (ADFS) using Security Assertion Markup Language (SAML 2.0). Use the following steps to configure SSO for ADFS: first create a relying party trust and claim rules in ADFS, then register the ADFS endpoint and token-signing certificate in Observe.

Configure Microsoft ADFS

  1. From the ADFS Management Console, navigate to the Relying Party Trusts page and select Add Relying Party Trust... to start the Add Relying Party Trust Wizard.
  2. Keep the default option, Claims aware, and click Start.
  3. For the Select Data Source step, choose Enter data about the relying party manually and click Next.
  4. For Specify Display Name, enter a relevant value such as Observe Inc and click Next.
  5. For Configure Certificate (the optional token encryption certificate), skip this step and click Next.
  6. For Configure URL, select Enable support for the SAML 2.0 WebSSO protocol and, in the Relying party SAML 2.0 SSO service URL box, add the following URL, substituting your customer ID in place of ${OBSERVE_CUSTOMER_ID} and your region URL in place of ${REGION_URL}. See Observe deployment regions to find your region URL.
https://${OBSERVE_CUSTOMER_ID}.${REGION_URL}/auth/saml2/callback
  7. For Configure Identifiers, paste the same URL from the previous step into the Relying party trust identifier box and click Add:
https://${OBSERVE_CUSTOMER_ID}.${REGION_URL}/auth/saml2/callback
  8. For the remaining steps (access control policy and issuance settings), use whatever settings are appropriate for your organization.

Configure claim issuance policy

In order for Observe to provision and authenticate the ADFS user, ADFS must send specific attributes as claims. To set these up, follow these steps; you will be adding two rules.

  1. From the ADFS Management Console, navigate to the Relying Party Trusts page and select Edit Claim Issuance Policy....

  2. Click the Add Rule... button, and for the Choose Rule Type step, select Transform an Incoming Claim.

    • For the Claim rule name input field, enter NameId.
    • For the Incoming claim type, select UPN.
    • For the Outgoing claim type, select Name ID.
    • For the Outgoing name ID format, select Email.
    • Select Pass through all claim values.

    Click Finish.

  3. Click the Add Rule... button, and for the Choose Rule Type step, select Send LDAP Attributes as Claims. Provide a name for your claim rule in the Claim rule name input box. Ensure Active Directory is selected as the Attribute store. Create the three attribute mappings below, then click Finish.

LDAP Attribute        Outgoing Claim Type
Given-Name            Given Name
Surname               Surname
E-Mail-Addresses      E-Mail Address

Group membership attributes

  1. To send group membership to Observe, the claim must use an identifier named groups. To add this claim description, navigate to Claim Descriptions in the ADFS Management Console and select Add Claim Description.... Set Display name, Short name and Claim identifier all to the value groups. Additionally, select both Publish this claim description in federation metadata checkboxes (the one for claims this Federation Service can accept and the one for claims it can send). Click OK to save.

You now need to add an additional claim issuance rule to send the group membership values to Observe:

  1. From the ADFS Management Console, navigate to the Relying Party Trusts page and select Edit Claim Issuance Policy....

  2. Click the Add Rule... button, and for the Choose Rule Type step, select Send LDAP Attributes as Claims. Provide a name for your claim rule in the Claim rule name input box. Ensure Active Directory is selected as the Attribute store. Create the following attribute mapping, then click Finish. (The outgoing claim type groups is the claim description you added above, not one of the built-in types.)

LDAP Attribute                       Outgoing Claim Type
Token-Groups - Unqualified Names     groups
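The same ADFS configuration (relying party trust, the NameId and LDAP attribute rules, the groups claim description and the groups rule) can be scripted with the AD FS PowerShell module, which is useful for repeatable deployments and for reviewing exactly which claim types leave the federation service. The script below is an added example, not Observe's or Microsoft's code; it assumes AD FS 2016 or later, an elevated session on the primary AD FS server, and placeholder values for $ObserveCustomerId and $RegionUrl that you must replace. The 'Permit everyone' access control policy is an assumed choice for the wizard's remaining steps.

```powershell
# Added example (not Observe's or Microsoft's code): the wizard and claim-rule
# steps above expressed with the AD FS PowerShell module. Assumes AD FS 2016 or
# later and an elevated session on the primary AD FS server.
# $ObserveCustomerId and $RegionUrl below are placeholders you must replace.
Import-Module ADFS

$ObserveCustomerId = '123456789012'   # assumption: your Observe customer ID
$RegionUrl         = 'observeinc.com' # assumption: your region URL (see Observe deployment regions)
$CallbackUrl       = "https://$ObserveCustomerId.$RegionUrl/auth/saml2/callback"
$TrustName         = 'Observe Inc'

# Standard claim type URIs behind the names shown in the ADFS Management Console
$Upn          = 'http://schemas.xmlsoap.org/claims/UPN'
$NameIdType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$NameIdFormat = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$EmailFormat  = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
$GivenName    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
$Surname      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
$Email        = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$WinAccount   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Claim description "groups": Display name, Short name and Claim identifier all "groups";
# -IsAccepted and -IsOffered are the two "Publish this claim description" checkboxes.
if (-not (Get-AdfsClaimDescription -ClaimType 'groups' -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimDescription -Name 'groups' -ShortName 'groups' -ClaimType 'groups' `
        -IsAccepted $true -IsOffered $true
}

# The three rules from "Configure claim issuance policy" and "Group membership attributes"
# in claim rule language. Given-Name/Surname/E-Mail-Addresses are the LDAP attributes
# givenName/sn/mail; "Token-Groups - Unqualified Names" is tokenGroups.
$IssuanceRules = @"
@RuleTemplate = "MapClaims"
@RuleName = "NameId"
c:[Type == "$Upn"]
 => issue(Type = "$NameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$NameIdFormat"] = "$EmailFormat");

@RuleTemplate = "LdapClaims"
@RuleName = "Observe user attributes"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$GivenName", "$Surname", "$Email"), query = ";givenName,sn,mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Observe groups"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("groups"), query = ";tokenGroups;{0}", param = c.Value);
"@

# Relying party trust: SAML 2.0 WebSSO endpoint and identifier both set to the callback URL.
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri $CallbackUrl -Index 0 -IsDefault $true

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $CallbackUrl `
    -SamlEndpoint $Acs `
    -IssuanceTransformRules $IssuanceRules `
    -AccessControlPolicyName 'Permit everyone'   # assumption for the "remaining steps": choose your own policy

# Check what was written
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, @{ n = 'AssertionConsumerUrl'; e = { $_.SamlEndpoints.Location } }
```

Once the trust exists, Get-AdfsRelyingPartyTrust -Name 'Observe Inc' | Select-Object -ExpandProperty IssuanceTransformRules shows the exact rule text, which is the quickest way to confirm that the Name ID is emitted in email format and that no claim types beyond the five above are being sent.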

Configure Observe

Perform the following steps to configure Observe for ADFS SSO:

  1. In the left navigation rail, hover on your user name, then select Manage account.
  2. Click Customer settings.
  3. Click Add SAML.
  4. In the Entry point field, enter the URL of your ADFS endpoint of type SAML 2.0/WS-Federation. Typically the URL path is /adfs/ls. For example, if your ADFS server is https://adfs.mycompany.com then the Entry point value would be:
https://adfs.mycompany.com/adfs/ls
  5. Open your ADFS X.509 token-signing certificate in a text editor and paste the Base64 certificate into the CERT field.

Note

You must export your ADFS certificate in Base-64 encoded X.509 format (public certificate only, no private key). Observe currently supports ADFS only where the Token-signing and Token-decrypting certificates are the same.

  6. Click Add SAML Provider.
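Exporting the certificate from the ADFS server itself avoids the common mistake of pasting a secondary or expired certificate, and lets you check the constraint in the note above before configuring Observe. The script below is an added example, not Observe's code; it assumes the AD FS PowerShell module on the AD FS server and uses an assumed output path in $OutFile.

```powershell
# Added example (not Observe's code): export the primary AD FS token-signing
# certificate in the Base-64 encoded X.509 form the CERT field expects, and check
# the caveat from the note above. Run on the AD FS server; $OutFile is an assumed path.
Import-Module ADFS
$OutFile = "$env:TEMP\adfs-token-signing.cer"

$Signing    = Get-AdfsCertificate -CertificateType Token-Signing    | Where-Object IsPrimary
$Decrypting = Get-AdfsCertificate -CertificateType Token-Decrypting | Where-Object IsPrimary

# Observe currently expects the token-signing and token-decrypting certificates to be the same.
if ($Signing.Thumbprint -ne $Decrypting.Thumbprint) {
    Write-Warning "Token-signing ($($Signing.Thumbprint)) and token-decrypting ($($Decrypting.Thumbprint)) certificates differ; Observe expects them to match."
}

# When AD FS auto-rolls its certificates, the copy pasted into Observe stops matching
# on the next rollover, so note the expiry and plan to update the CERT field.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is on; the token-signing certificate expires $($Signing.Certificate.NotAfter)."
}

# Public certificate only (no private key): DER bytes, Base64 with line breaks,
# wrapped in PEM markers, which is what a "Base-64 encoded X.509 (.CER)" export produces.
$Der = $Signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$Pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($Der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $Pem -Encoding Ascii
Write-Host "Wrote $OutFile (thumbprint $($Signing.Thumbprint)); paste its contents into the CERT field."
```

The exported file contains only the public certificate, so it is safe to copy off the server; the private key never leaves the AD FS certificate store. After an AD FS certificate rollover, repeat the export and update the CERT field, or SAML sign-in to Observe will fail signature validation.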