How to set up SAML2 with ADFS

There are different methods of authentication in Sage X3: LDAP, OAuth2 and SAML2.
For SAML2, because there are many different identity providers, having a document for each is not possible, but in this blog I am going to show the steps needed to set up SAML2 authentication with ADFS.
Active Directory Federation Services (ADFS or AD FS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. (Description from Wikipedia)
If you want to learn more about ADFS, visit https://msdn.microsoft.com/en-us/library/bb897402.aspx

Before we start, it's important to note that there is an online help file for SAML2, so please take a moment and read the online help section for SAML2.

As mentioned at the end of the online help, for service provider initiated login the identity provider must allow the NameIDFormat urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

So here are the basic steps to use SAML2 with ADFS.
Note that in this blog entry I am not covering the certificate process; that is optional. For which certificates could be used, please review the online help. You also need to change the nodelocal.js file in order to see the SAML2 option under the user entity.

  1. Open AD FS Management, go to Endpoints and note the URL path listed for SAML2. (The same URL can be retrieved from the AD FS metadata.)

  2. In Sage X3, open Administration, Administration, Settings, Authentication, SAML2 Id provider.
  3. Click Create saml2.
  4. Enter a name and Display name.
  5. For Authorize URL, enter the full URL of your ADFS SAML2 endpoint.

  6. For Issuer, enter a name. This name needs to be entered on the AD FS side later.

  7. For the response attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

  8. Leave the rest of the fields as they are for now. The end result should look like below.

  9. Now click the Get metadata button on the right. This creates an XML file that we will use later, on the ADFS side, to easily create a Relying Party Trust.

  10. Now back in AD FS Management, expand Trust Relationships, right-click Relying Party Trusts and select Add Relying Party Trust.

  11. Click Start.
  12. Select Import data about the relying party from a file and either browse to or enter the path to the metadata file you exported from X3 and copied to your AD FS server.

  13. Click Next.
  14. For Display name, enter the same name you used in the Issuer field in X3.

  15. Select I do not want to configure multifactor authentication.
  16. Select Permit all users to access this relying party.

  17. Click Next and leave the check box checked to open the Edit Claim Rules dialog.

  18. Click Close.
  19. In the Edit Claim Rules wizard, on the first tab, click Add Rule.

  20. Select "Send LDAP Attributes as Claims".

  21. Enter a Claim rule name and its attributes like the screenshot below.

  22. Click OK.
  23. Add a new rule and select Send Claims Using a Custom Rule.

  24. Enter the text below for the rule.

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

  25. Click OK and OK to end the claim rule wizard.
  26. Now back in X3, open Administration, User, Users.
  27. Create a new user or select an existing user and change the authentication to SAML.



After the above steps, when your user opens the X3 address they can click SAML2 login.

They are then prompted to enter their login for ADFS.

After a successful login they are redirected to the X3 main landing page.

Conclusion: You can set up AD FS with SAML2 and use it for authentication in Sage X3.