AD FS as a SAML Identity Provider
Configuring CXO-COCKPIT to use SAML Authentication
Before we start configuring the Identity Provider to work with the CXO-COCKPIT Service Provider, we should first set up the SAML authentication settings in CXO-COCKPIT using the CXO-COCKPIT Configurator.
When the configuration of CXO-COCKPIT is finished, we can add "CXO-COCKPIT" as a service provider to AD FS.
AD FS (Active Directory Federation Services) is a way to share secured login information across trusted platforms within your organization. AD FS also provides an identity federation solution for companies and organizations that want to share identity information across many platforms in a more secure way.
Once you have followed the steps below, you can use your secure credentials to log in to CXO as well, and when you are finished, you can log off from all trusted sites.
Step by step tutorial of setting up AD FS Identity Provider to work with CXO-COCKPIT Service Provider
Before going through these steps, make sure you've configured CXO-Cockpit to use SAML as the authentication provider (see Configurator → Settings) and that the SAML settings are specified (see Configurator → Maintenance → Authentication settings).
- Open AD FS Management tool
- Open Add Relying Party Trust Wizard
- Import data about the relying party published online or on a local network
- Choose a Display Name
- Choose "do not configure multi-factor authentication"
- Choose "Permit all users to access this relying party"
- Click Next
- Check the checkbox and click Close
- Specify the claims which should be sent to the relying party.
Note: At least the nameidentifier claim has to be sent to the relying party.
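The same relying party trust that the wizard steps above create, scripted with the AD FS PowerShell module on the AD FS server. This is an added example, not code from the CXO-COCKPIT documentation; the metadata URL and the claim types used are assumptions, the display name "CXO-COCKPIT" is the one used on this page.

```powershell
# Added example (not part of the CXO-COCKPIT documentation).
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$displayName = "CXO-COCKPIT"
# Placeholder: the SAML metadata URL that CXO-COCKPIT publishes (as specified
# under Configurator -> Maintenance -> Authentication settings). Not on the page.
$metadataUrl = "https://cxo.example.internal/saml/metadata"

# Issuance transform rule: send at least the nameidentifier claim, the page's
# minimum. Assumption: the user's UPN from Active Directory is used as the NameID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Equivalent of "Import data about the relying party published online".
# Multi-factor authentication is not configured unless explicitly added,
# matching the wizard choice "do not configure multi-factor authentication".
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# Check: the trust exists, is enabled, and its identifier and signature
# algorithm match what the CXO-COCKPIT metadata declared.
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$rp | Select-Object Name, Enabled, Identifier, SignatureAlgorithm, MetadataUrl | Format-List
```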
Troubleshooting AD FS
That can happen if the AD FS server is configured to expect Windows credentials in the login request. The Windows credentials are not sent automatically if the AD FS server resides in another subnet. To enable bypassing Windows credentials, the following line should be added to the Source System Manager configuration file CXO.Cockpit.Administration.exe.config (usually located at c:\Program Files\CXO Solutions\CXO-Cockpit\Design Studio):
<appSettings>
<add key="SomeSetting" value="some value" />
<add key="NtmlAuthWhitelist" value="contoso.com" />
<add key="SomeOtherSetting" value="some other value" />
</appSettings>
where "contoso.com" should be replaced with the AD FS login server name as configured in CXO-Cockpit.
Troubleshooting Logout Issues
If a logout request fails on AD FS you might see a screen like the one displayed below:
Open Event Viewer.
If you use the rsa-sha1 signature algorithm for signing logout requests, you have to adjust the secure hash algorithm for the service provider accordingly.
See the screenshot below for more details.