To set up SAML authentication in your account, just follow these steps:
- Extract the public key (see Obtain the public key in text format below).
- Choose one of the service providers (SAML or ADFS). We don't support any other identity providers.
After completing the above steps, begin the SAML setup in your account.
- In Site Manager, go to Configure > System Settings, then select the Integration tab.
- Navigate to the Sign-in Providers section, then select SAML.
- Enter your Authentication URL. This is the URL of the ADFS or Azure service you direct your users to.
- Enter the public key. This is the Base-64 text of the certificate, usually a long block of characters; see Obtain the public key in text format below for how to extract it.
- Select Validate Key.
- Add and validate a new public key before the current one expires so that the SAML service stays active. SAML sign-in is discontinued once the public key's validity period ends, so a new public key is essential to ensure service continuity.
- Enter the Sign In Header Text and Sign In Button Text.
- Select Group Assign. Assign all SAML-authenticated users automatically to one WCM group, then Save.
- Sign out of your account and sign in using SAML.
Additional settings
Navigate to Users and Groups > Settings > User Settings
To avoid conflicts with other automated processes, use caution with the WCM feature that creates user accounts automatically. It is triggered when a SAML assertion does not match an existing user in WCM, so think it through before enabling this option.
Obtain the public key in text format
Follow these steps to obtain the public key in text format for the SAML authentication setup in Site Manager.
- Open your public certificate.
- Navigate to the Details tab and select Copy to File.
- Select Next in the certificate export wizard.
- Select Base-64 encoded X.509 (.CER), then Next.
- Enter the file name to export to, then Next.
- Select Finish after the certificate export.
- Open the exported file in a text editor such as Notepad.
- The public key is the text between the words BEGIN CERTIFICATE and END CERTIFICATE.
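As an added example (not part of this documentation or the WCM product), this Python script does the copy-and-paste step above programmatically: it pulls the Base-64 text out of an exported .cer file, checks that it decodes to a DER certificate, and reads the certificate's notAfter date so that a replacement key can be added and validated before the current one expires. The sample certificate bytes are constructed and carry only the fields the parser walks.

```python
import base64, re
from datetime import datetime, timezone

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Constructed sample, not a real certificate: a minimal DER Certificate whose
# tbsCertificate has version, serial, empty algorithm/issuer and a validity
# of 2024-01-01 00:00:00 to 2026-12-31 23:59:59 UTC (signature bits are dummy).
SAMPLE_DER = (b"\x30\x37\x30\x30\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00"
              b"\x30\x1e\x17\x0d240101000000Z\x17\x0d261231235959Z"
              b"\x30\x00\x30\x00\x30\x00\x03\x01\x00")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = f"{BEGIN}\n{SAMPLE_B64[:40]}\n{SAMPLE_B64[40:]}\n{END}\n"  # Base-64 X.509 export

def extract_public_key_text(pem: str) -> str:
    """Return the Base-64 text between the BEGIN and END lines as a single line,
    which is what the Site Manager public key field takes."""
    match = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), pem, re.S)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE block; export as Base-64 X.509")
    body = "".join(match.group(1).split())          # drop line breaks and spaces
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:                    # an X.509 cert is a DER SEQUENCE
        raise ValueError("decoded data is not a DER certificate")
    return body

def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter in UTC."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)
    tag, _, after = _tlv(tbs, 0)
    pos = after if tag == 0xA0 else 0                # optional [0] EXPLICIT version
    for _ in range(3):                               # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    _, _, pos = _tlv(validity, 0)                    # skip notBefore
    tag, not_after, _ = _tlv(validity, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(not_after.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def pem_not_after(pem: str) -> datetime:
    """Expiry of the certificate in an exported .cer file; plan the key rotation from it."""
    return cert_not_after(base64.b64decode(extract_public_key_text(pem)))
```

Run it against the real exported .cer text instead of SAMPLE_PEM to get the date by which the next public key must be validated in Site Manager.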
Set up ADFS for SAML authentication
Install Active Directory Federation Services (ADFS) on a Windows Server operating system to give users single sign-on access to your systems and applications.
Supported ADFS:
- Microsoft Active Directory Federation Services (ADFS) 2.0
- Microsoft Active Directory Federation Services (ADFS) 3.0
- Microsoft Active Directory Federation Services (ADFS) 4.0
- Microsoft Active Directory Federation Services (ADFS) 5.0
ADFS is a standards-based service that provides secure sharing of identity information between trusted partners (a federation) across an extranet (an intranet that can be accessed by authorized outside users).
When users access a web application from a partner, their organization has to prove their identity by giving some information called "claims" to the partner hosting the web app. The hosting partner then uses their own rules to match these claims with the ones the app understands to decide whether to let the user in.
Configure ADFS
You must configure ADFS before you can set up SAML.
Note: The ADFS setup wizard varies across versions, so you may see the settings in a different order.
- Launch ADFS Management on the ADFS server.
- Under Trust Relationships, select Relying Party Trusts and add a new relying party trust.
- Under Select Data Source, select Enter data about relying party manually and complete the wizard.
- Choose a Display Name.
- Under Choose Profile, select your version of ADFS (2.0-5.0).
- Under Configure URL, check Enable support for the SAML 2.0 WebSSO protocol.
- Type https://www.<WCMDomain>/site/handlers/samlhandler.ashx/ProcessRequest as the Relying party SAML 2.0 SSO service URL. Replace <WCMDomain> with your website's domain. For example, https://www.schoolwires.com/site/handlers/samlhandler.ashx/ProcessRequest.
- Under Choose Issuance Authorization Rules, check Permit all users to access this relying party. To restrict user access, apply the appropriate restrictions using the ADFS documentation.
- Under the newly created Relying Party Trust's Properties, enter the following settings.
- In the Relying Party Properties > Endpoints tab, ensure that the binding is POST.
- Set the relying party trust identifier to https://<WCMDomain>.
- On the Advanced tab, set Secure Hash Algorithm to SHA-256.
- On the Signature tab, add the Signature Certificate (.cer).
Manually install and configure ADFS certificates on the server
This process is not applicable if the client has enabled Auto Certificate rollover in ADFS. Please refer to your product documentation if you have other tools to manage this process.
- Install the newly created certificates in the certificate store:
- In Trusted Root Certification Authorities > Certificates, right-click and select All Tasks > Import, then import the .cer certificate.
- In Personal > Certificates, right-click and select All Tasks > Import, then import the .pfx certificate.
- In AD FS > Service > Certificates, select Add Token-Signing Certificate and choose the certificate you added to the certificate store.
- In AD FS > Service > Certificates, select Add Token-Decrypting Certificate and choose the certificate you added to the certificate store.
- Follow step 2 under Configure ADFS.
Add Claim rules
- Right-click the Relying Party Trust you created.
- Select Edit Claim Rules or Add Rule.
- Select Send LDAP Attributes as Claims.
- Claim Rule Name: Enter an identifiable name consistent with your naming conventions.
- Attribute Store: Select Active Directory.
- This populates the drop-down menus with the most commonly used settings. Unless your system has reason to deviate, use these values:
- Map SAM-Account-Name to Outgoing Name ID.
- Map E-Mail-Addresses to Outgoing E-Mail Addresses.
- Map Given-Name to Outgoing Given Name.
- Map Surname to Outgoing Surname.
- These four claims are required. If WCM is set to auto-create users and any of them, including the Name ID, is missing or blank, auto-creation fails.
Metadata URL
Our deployment of SAML for WCM does not use metadata. The instructions above contain all the information that would otherwise be conveyed via metadata.
After setting up trust between your identity provider and WCM and encrypting those communications, set up a claim rule (see the instructions above) to tell ADFS which user attributes to send.
Set up Azure for SAML authentication
In Azure, navigate to the enterprise application, select single sign-on, then edit the basic SAML configuration.
- Navigate to Identifier.
- Select Add Identifier.
- Enter “https://www.{{YourDomain}}”
- Select the default checkbox to set this as the default URL.
- Navigate to Reply URL.
- Select Add Reply URL.
- Enter “https://www.{{YourDomain}}/site/handlers/samlhandler.ashx/ProcessRequest”
- Select the default checkbox to set this as the default URL.
- Navigate to Sign on URL.
- Delete the sign-on URL text, and enter “https://www.{{YourDomain}}/site/SAMLLogin.aspx?IgnoreRedirect=true”
- Select Save.
Add Claim rules
- In the enterprise application, select Set up Single Sign-On with SAML.
- Edit the second item, “Attributes & Claims”.
- Create four claim rules: NameID, emailaddress, givenname, surname.
- NameID is the username: the part of the email address before the "@" symbol. If you want a different username, choose a field that works for your organization.
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
- Name identifier format: Email address
- Select transformation in the Source field.
- Select the pencil icon next to the Transformation field to edit it. In Manage transformation, set the transformation to ExtractMailPrefix(), set Parameter 1 to Attribute, and enter user.userprincipalname as the attribute name.
- Select Add transformation.
- To create user accounts automatically, you must include all four claims listed above. Most of them need no changes, but every claim must carry a value; none may be left blank.
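The following Python check, added here and not part of the WCM or Azure documentation, serves both the ADFS claim rules above and the Azure claims in this section: it parses a constructed SAML assertion and reports which of the four required claims (NameID, emailaddress, givenname, surname, under the namespace named above) is missing or blank, the condition under which WCM auto-creation fails. The extract_mail_prefix helper is a simplified stand-in for Azure's ExtractMailPrefix(); its handling of a value without an "@" is an assumption.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# The three attribute claims WCM needs besides NameID, built from the namespace above.
REQUIRED_ATTRIBUTES = [f"{CLAIMS}/{n}" for n in ("emailaddress", "givenname", "surname")]

def extract_mail_prefix(upn: str) -> str:
    """Simplified stand-in for ExtractMailPrefix(): the part of the UPN before '@'.
    Assumption: a value with no '@' yields a blank NameID so the check below flags it."""
    local, sep, _ = upn.partition("@")
    return local.strip() if sep else ""

# Constructed sample assertion (not captured from a real IdP): NameID is the mail
# prefix of a UPN, emailaddress and givenname are filled, surname is present but blank.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID>{extract_mail_prefix("jdoe@example.org")}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}/emailaddress"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}/surname"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text: str) -> dict:
    """Return {'name_id', 'attributes', 'missing'} for one assertion (or a Response
    wrapping one). 'missing' lists every required claim that is absent or blank."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML2}
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=ns).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", ns) if v.text]
        attrs[attr.get("Name")] = values[0] if values else ""   # blank when no value text
    missing = (["NameID"] if not name_id else []) + [
        name.rsplit("/", 1)[1] for name in REQUIRED_ATTRIBUTES if not attrs.get(name)]
    return {"name_id": name_id, "attributes": attrs, "missing": missing}
```

Feed it a decoded SAMLResponse captured from a test sign-in to see which claim rule still needs a value before enabling auto-creation.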