Active Directory Federation Services Configuration

This article explains how to configure your Active Directory Federation Services (ADFS) server for use with Education Perfect's Single Sign-On (SSO) system.

The steps and screenshots in this article are for Windows Server 2016, but similar steps should be possible on other versions.

Add Relying Party Trust

The first step is to add Education Perfect's SSO server as a Relying Party Trust on your ADFS server. The steps to add this are as follows:

  1. Open AD FS Management from Administrative Tools.
  2. Right-click on Relying Party Trusts and select Add Relying Party Trust. This will open the Add Relying Party Trust Wizard.
  3. On the Welcome screen, select Claims aware, then click Start.
  4. On the Select Data Source screen, select Import data about the relying party published online or on a local network and enter Education Perfect's metadata URL (https://sso.educationperfect.com/metadata/saml2) in the Federation metadata address text box, then click Next.
  5. On the Specify Display Name screen, enter a display name for the Trust and add any desired notes about the Trust, then click Next.
  6. On the Choose Access Control Policy screen, select the appropriate Access Control Policy for your school, then click Next.
  7. On the Ready to Add Trust screen, the configuration will be loaded from our metadata. Click Next.
  8. Leave the Configure claims issuance policy for this application box ticked and click Close.
  9. The Relying Party Trust will now appear in the list under the Display Name you specified at step 5.

Configure Secure Hash Algorithm

As our service is configured to use SHA-1 as its signature hashing algorithm, your ADFS server must be configured to do the same for this Relying Party Trust (ADFS defaults to SHA-256 for new trusts). Note that SHA-1 is deprecated for digital signatures; this setting is per trust, so it applies only to the Education Perfect entry and does not affect your other Relying Party Trusts. The steps to configure this are as follows:

  1. Open AD FS Management from Administrative Tools.
  2. Select Relying Party Trusts.
  3. Right-click on the entry for Education Perfect and select Properties.
  4. Select the Advanced tab.
  5. Change the Secure Hash Algorithm to SHA-1 and click OK.

Configure Claims Transformation

Education Perfect requires a unique value provided by the ADFS server to be associated with each user in our system. The most common scenario is to provide a unique value stored in Active Directory, such as the user name or email address, as the unique identifier. The following is an example of how to set up Issuance Transform Rules for the Claim Issuance Policy that supplies the user's email address as the unique identifier.

  1. Open AD FS Management from Administrative Tools.
  2. Select Relying Party Trusts.
  3. Right-click on the entry for Education Perfect and select Edit Claim Issuance Policy.
  4. Set up a rule to retrieve the user's email address from Active Directory and send it through as the email address claim.
    1. Click Add Rule, this will open the Add Transform Claim Rule Wizard.
    2. On the Choose Rule Type screen, select Send LDAP Attributes as Claims from the Claim rule template list, then click Next.
    3. On the Configure Claim Rule screen:
      1. Enter a name for the rule, such as "Send LDAP Email as Email Claim", in the Claim rule name text box.
      2. Select Active Directory from the Attribute store list.
      3. Under Mapping of LDAP attributes to outgoing claim types, select E-Mail-Addresses from the LDAP Attribute list and E-Mail Address from the Outgoing Claim Type list.
    4. Click Finish. The rule will be added to the policy.
  5. Next, a second rule needs to be set up to use the email address claim as the Name ID.
    1. Click Add Rule, this will open the Add Transform Claim Rule Wizard.
    2. On the Choose Rule Type screen, select Transform an Incoming Claim from the Claim rule template list, then click Next.
    3. On the Configure Claim Rule screen:
      1. Enter a name for the rule, such as "Send Email as Name ID", in the Claim rule name text box.
      2. Select E-Mail Address from the Incoming claim type list.
      3. Select Name ID from the Outgoing claim type list.
      4. Select Persistent Identifier from the Outgoing name ID format list.
      5. Select the Pass through all claim values option.
    4. Click Finish.
  6. Verify that both rules are shown in the list of Issuance Transform Rules in the order in which you created them, then click OK. The order matters: issuance transform rules run top to bottom, and the second rule transforms the E-Mail Address claim that the first rule issues, so it must come after it.
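The three procedures above (Add Relying Party Trust, Configure Secure Hash Algorithm and Configure Claims Transformation) can also be done with the ADFS PowerShell module on the ADFS server. The following is an added example, not code from this article or from Education Perfect; it assumes the display name "Education Perfect" and the built-in "Permit everyone" access control policy, both of which you should adjust for your school. The two claim rules are the ones the wizard generates for the GUI steps described above.

```powershell
# Added example: configure the Education Perfect Relying Party Trust with PowerShell.
# Assumptions: display name "Education Perfect" and the built-in "Permit everyone"
# access control policy. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$displayName = "Education Perfect"
$metadataUrl = "https://sso.educationperfect.com/metadata/saml2"

# 1. Add Relying Party Trust, importing identifiers, endpoints and certificates from the
#    published metadata. Monitoring and auto-update let ADFS pick up changes to that
#    metadata (for example a certificate rollover) without manual intervention.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -AccessControlPolicyName "Permit everyone" `
    -Notes "Education Perfect SSO (configured via PowerShell)"

# 2. Configure Secure Hash Algorithm. ADFS signs with SHA-256 by default; the service
#    requires SHA-1, so override it for this trust only.
Set-AdfsRelyingPartyTrust -TargetName $displayName `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# 3. Configure Claims Transformation: the two issuance transform rules in the ADFS
#    claim rule language. Rule order matters; the second consumes the claim the
#    first issues.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Email as Email Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Send Email as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

Set-AdfsRelyingPartyTrust -TargetName $displayName -IssuanceTransformRules $rules

# Check: confirm what ADFS now holds for the trust before testing a sign-in.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SignatureAlgorithm, Enabled, IssuanceTransformRules |
    Format-List
```

The final Get-AdfsRelyingPartyTrust call is the equivalent of opening the trust's Properties and Claim Issuance Policy dialogs: Identifier should match the entityID from Education Perfect's metadata, SignatureAlgorithm should end in rsa-sha1, and IssuanceTransformRules should list the two rules in order.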

Federation Metadata

One of the pieces of information we need to complete the setup on our side is your Federation Metadata. By default the URL for this is https://your-adfs-server.your-domain/FederationMetadata/2007-06/FederationMetadata.xml (replace your-adfs-server.your-domain with your federation service name). The metadata contains only public information (your federation service identifier, endpoints and the public token-signing certificate), so it is safe to share.

You can either send us the URL or a copy of the XML itself.
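Before sending the URL, it is worth checking that it is reachable and that it publishes what the service provider needs. The following added example (not code from this article or from Education Perfect) downloads the metadata, prints the entityID, the SAML 2.0 sign-on endpoints and the signing certificates it advertises, and cross-checks the certificate thumbprint against what ADFS reports locally. The host name is an assumption to be replaced with your own.

```powershell
# Added example: inspect your federation metadata before sharing it.
# Assumption: replace the host name with your federation service name. The final
# cross-check needs the ADFS module, so run it on the ADFS server.
$metadataUrl = "https://your-adfs-server.your-domain/FederationMetadata/2007-06/FederationMetadata.xml"

$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

# SAML metadata and XML-DSig namespaces used by the XPath queries below.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# entityID: the issuer value the service provider will associate with your school.
$entityId = $metadata.SelectSingleNode("/md:EntityDescriptor", $ns).GetAttribute("entityID")
"entityID: $entityId"

# Endpoints the service provider will redirect users to for sign-in.
$ssoNodes = $metadata.SelectNodes("//md:IDPSSODescriptor/md:SingleSignOnService", $ns)
foreach ($node in $ssoNodes) {
    "SSO endpoint: {0} ({1})" -f $node.GetAttribute("Location"), $node.GetAttribute("Binding")
}

# Signing certificates: the service provider uses these to verify your assertions.
# Decode each one so the subject, thumbprint and expiry are visible.
$certNodes = $metadata.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
foreach ($node in $certNodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    "signing cert: {0}  thumbprint {1}  expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}

# Cross-check: the thumbprint(s) above should match the token-signing certificate(s)
# ADFS holds locally. A mismatch means the published metadata is stale.
Import-Module ADFS
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary, @{ Name = "NotAfter"; Expression = { $_.Certificate.NotAfter } }
```

If the metadata endpoint is not reachable from outside your network, sending a copy of the XML is fine, but the service provider will then not pick up future token-signing certificate rollovers automatically, so plan to resend it when that certificate changes.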
