How is single sign-on enabled via ADFS?

As an admin, learn how to set up single-sign on portals for your users with ADFS

Written by Sarah L.
Updated over a week ago

Currently, we support SSO using SAML 2.0 by integrating with ADFS. These instructions are for ADFS 3.0 (Windows Server 2012 R2) and assume that you have received the relying party trust XML file from Optix for import.

Note: A White-Label App is required to enable SSO for your organization. If you are interested in having SSO enabled for your instance of Optix, please get in touch with our support team.

Relying Party Trust Setup

  1. On the primary server of your ADFS farm, open the ADFS Management snap-in

  2. Locate the Relying Party Trusts folder under the Trust Relationships folder. Right click and choose Add Relying Party Trust...

  3. Click Start to begin the wizard

  4. Select the Import data about the relying party from a file radio button and then click Browse... to locate the path where you saved the Optix relying party XML file. Click Next to continue

  5. Input a name for the Relying Party Trust in the Display name field. Click Next to continue

  6. Optionally, configure Multi-Factor Authentication (a certificate, token, phone call, or text message as a second factor beyond email and password). Click Next to continue

  7. Select Permit all users to access this relying party and click Next to continue

  8. Review the settings and click Next to complete the setup

  9. Click the checkbox next to Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close to complete the wizard

Claim Rules Setup

Now that the Relying Party Trust for Optix has been created, you must create three claim rules so that the necessary user data is posted back to Optix. The Claim Rules Editor should have opened automatically.

  1. In the Issuance Transform Rules tab, select Add Rule...

  2. Select Send LDAP Attributes as Claims from the 'Claim rule template' dropdown. Click Next to continue

  3. Fill out the values as specified below:

    Enter a name for the claim rule in the 'Claim rule name' field
    Choose Active Directory from the 'Attribute store' dropdown
    Select E-Mail-Addresses from the 'LDAP Attribute' dropdown
    Select E-Mail Address from the 'Outgoing Claim Type' dropdown

  4. Click Finish to create the first claim

  5. Select Add Rule to begin the process for the second claim

  6. Choose Transform an Incoming Claim from the 'Claim rule template' dropdown. Click Next to continue

  7. Fill out the values as specified below:

    Enter a name for the claim rule in the 'Claim rule name' field
    Choose E-Mail Address from the 'Incoming claim type' dropdown menu
    Choose Name ID from the 'Outgoing claim type' dropdown menu
    Choose Email from the 'Outgoing name ID format' dropdown menu
    Select the 'Pass through all claim values' radio button

  8. Click Finish to create the second claim

  9. Select Add Rule to begin the process for the third claim

  10. Fill out the values as specified below:

    Enter a name for the claim rule in the 'Claim rule name' field
    Select Active Directory from the 'Attribute store' dropdown menu
    Select E-Mail-Addresses from the first 'LDAP Attribute' field's dropdown menu
    Type Email in the first 'Outgoing Claim Type' field
    Select Given-Name from the second 'LDAP Attribute' field's dropdown menu
    Type FirstName in the second 'Outgoing Claim Type' field
    Select Surname from the third 'LDAP Attribute' field's dropdown menu
    Type LastName in the third 'Outgoing Claim Type' field

  11. Click Finish to create the third claim

  12. The Issuance Transform Rules should appear. Click OK to finish the process
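The same relying party trust and three claim rules can be created from PowerShell on the primary ADFS server, which is useful for scripting the setup or for checking that the rules created in the wizard match what was intended. This is an added example, not Optix's own documentation or tooling; the metadata file path and the display name 'Optix' are assumptions.

```powershell
# Added example (not from Optix): creates the relying party trust and the three
# issuance transform rules described in the steps above with the ADFS module
# instead of the GUI wizard. Run on the primary server of the ADFS farm.
Import-Module ADFS

$metadataFile = 'C:\Temp\optix-relying-party.xml'   # assumed path to the XML file received from Optix
$rpName       = 'Optix'                             # assumed display name for the trust

# Rule 1: Send LDAP Attributes as Claims -> E-Mail-Addresses as E-Mail Address
$rule1 = @'
@RuleName = "Optix - Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Rule 2: Transform an Incoming Claim -> E-Mail Address becomes Name ID in Email format, all values passed through
$rule2 = @'
@RuleName = "Optix - NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Rule 3: Send LDAP Attributes as Claims -> custom claim types Email, FirstName, LastName
$rule3 = @'
@RuleName = "Optix - Profile"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Equivalent of "Permit all users to access this relying party" in the wizard
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules ($rule1 + "`n" + $rule2 + "`n" + $rule3) `
    -IssuanceAuthorizationRules $permitAll

# Verify that exactly these three rules are attached to the new trust
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust call is also a quick way to audit a trust created through the wizard: the printed rule text should contain only the three rules above and nothing that issues additional attributes.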

