Configuring SSO with Active Directory Federation Services
Instructions for configuring single sign-on (SSO) with Active Directory Federation Services (AD FS) as an identity provider.
Prerequisites
Before you start, do the following:
- Submit a ticket to SAP LeanIX Support to request setting up SSO for your organization. If you're an SAP customer, submit a request from the SAP for Me portal.
- Learn about the SSO configuration process in SSO Configuration Process.
Configuring SSO
You can configure SSO for SAP LeanIX through a self-hosted Active Directory Federation Services (AD FS) server. AD FS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.
The SAP LeanIX SAML service provider is based on Shibboleth. To learn how to set up AD FS SAML federation with Shibboleth, please refer to the Microsoft documentation.
Usually, the AD FS metadata information is available at the following URL:
https://<IDP-URL>/FederationMetadata/2007-06/FederationMetadata.xml
Configuring Attribute Mapping
To learn how to configure attribute mapping, see Attribute Mapping.
When using AD FS for SSO, you can pass values in addition to the authentication values. These values are defined as Claim Rules in the Relying Party Trust. To edit Claim Rules, select the Relying Party Trusts folder in AD FS Management, then select Edit Claim Rules in the Actions sidebar.
You should also configure custom claim rules. Please see example claim rules below.
@RuleName = "Get tokenGroups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://claims.contoso.com/tokenGroups"), query = ";tokenGroups;{0}", param = c.Value);
@RuleName = "Add Given-Name from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";givenName;{0}", param = c.Value);
@RuleName = "Add Surname from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";sn;{0}", param = c.Value);
@RuleName = "Add UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://claims.contoso.com/ADupn"), query = ";userPrincipalName;{0}", param = c.Value);
@RuleName = "Add E-Mail-Address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
@RuleName = "Send Given-Name as firstname"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
=> issue(Type = "firstname", Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send Surname as lastname"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
=> issue(Type = "lastname", Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send ADUPN as uid"
c:[Type == "http://claims.contoso.com/ADupn"]
=> issue(Type = "uid", Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send E-Mail-Address as mail"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "mail", Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send role ADMIN"
EXISTS([Type == "http://claims.contoso.com/tokenGroups", Value == "EAM-ADMIN"])
=> issue(Type = "role", Value = "ADMIN", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send role MEMBER"
EXISTS([Type == "http://claims.contoso.com/tokenGroups", Value =~ "^EAM-MEMBER*"])
=> issue(Type = "role", Value = "MEMBER", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send customerRoles MEMBER_CUSTOMERROLE1"
EXISTS([Type == "http://claims.contoso.com/tokenGroups", Value == "EAM-MEMBER-CUSTOMERROLE1"])
=> issue(Type = "customerRoles", Value = "MEMBER_CUSTOMERROLE1", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send customerRoles MEMBER_CUSTOMERROLE2"
EXISTS([Type == "http://claims.contoso.com/tokenGroups", Value == "EAM-MEMBER-CUSTOMERROLE2"])
=> issue(Type = "customerRoles", Value = "MEMBER_CUSTOMERROLE2", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send customerRoles MEMBER_CUSTOMERROLE3"
EXISTS([Type == "http://claims.contoso.com/tokenGroups", Value == "EAM-MEMBER-CUSTOMERROLE3"])
=> issue(Type = "customerRoles", Value = "MEMBER_CUSTOMERROLE3", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send role VIEWER"
EXISTS([Type == "http://claims.contoso.com/tokenGroups", Value =~ "^EAM-VIEWER*"])
=> issue(Type = "role", Value = "VIEWER", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send customerRoles VIEWER_CUSTOMERROLE1"
EXISTS([Type == "http://claims.contoso.com/tokenGroups", Value == "EAM-VIEWER-CUSTOMERROLE1"])
=> issue(Type = "customerRoles", Value = "VIEWER_CUSTOMERROLE1", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send customerRoles VIEWER_CUSTOMERROLE2"
EXISTS([Type == "http://claims.contoso.com/tokenGroups", Value == "EAM-VIEWER-CUSTOMERROLE2"])
=> issue(Type = "customerRoles", Value = "VIEWER_CUSTOMERROLE2", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName = "Send customerRoles VIEWER_CUSTOMERROLE3"
EXISTS([Type == "http://claims.contoso.com/tokenGroups", Value == "EAM-VIEWER-CUSTOMERROLE3"])
=> issue(Type = "customerRoles", Value = "VIEWER_CUSTOMERROLE3", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
Updated 8 days ago