ADFS SSO/SAML Configuration

Help Center
  • Updated
Follow

This article explains how to configure Microsoft's Active Directory Federation Services Single-Sign-On (SSO) with the Foxit Admin Console so that users activate our solutions (Foxit PDF Editor, Foxit Sign... etc.) using your organizations SSO. 

These instructions may vary depending on your environment. If you have specific settings, you may need to check those with your IdP admins as Foxit only supports SSO as it is written in this article. 

Prerequisites:

A. You must have a verified domain in Foxit Admin Console > User ID Management > Directory Setting.

B. A Microsoft Windows Server installed with Microsoft AD FS and the latest operating system updates.

C. The server must be accessible from users' workstations (for example, via HTTPS).

D. Security certificate obtained from the AD FS server.

E. All Active Directory accounts, to be associated with a Foxit Cloud account, must have an email address assigned.

  1. Add Relying Party Trust
  2. Configure Claim Rules

 

1. Add Relying Party Trust

Open AD FS Management, add and configure "Relying Party Trust"

1.1 Click Add Relying Party Trust to open the wizard

1.png

1.2 On the Welcome page, select Claims aware and click Start

2.png

 

1.3 Click Selete Data Source: select Enter data about the relying party manually, click Next

3.png

1.4 Click Specify Display Name: input any Display name (such as sso-cas), click Next

4.png

1.5 Click Configure Certificate: According to the default configuration, click Next

5.png

1.6 Click Configure URL

select "Enable support for the SAML 2.0 WebSSO protocol" and enter the SP Assertion Consumer Service URL provided on the Admin Console page, as shown in the figure below

6.png

1.7 Click Choose Profile: Enter the SP Entity ID provided on the Admin Console page, as shown below

7.png

1.8 Follow the default configuration until it is completed.

2. Configure Claim Rules

2.1 Go back to the Relying Party Trust page, select Relying Party Trust you just added, and click Edit Claim Issuance Policy

8.png

2.2 On the Issuance Transform Rules tab, add email, name id, email-custom items

Note: Please pay attention to the order of "Order", please add in order

email Rule

  • On the Choose Rule Type page, select "Send LDAP Attributes as Claims"
  • On the Configure Claim Rule page, configure according to the following figure

10.png

name id Rule

  • On the Choose Rule Type page, select "Transform an incoming Claim"
  • On the Configure Claim Rule page, configure according to the following figure

11.png

email-custom  Rule

  • On the Choose Rule Type page, select "Send Claims Using a Custom Rule"
  • On the Configure Claim Rule page, configure according to the following figure

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

12.png

Now you can see that you have added 3 rules.

9.png

Add SAML configuration

mceclip1.png

Download the FederationMetadata.xml file from the link: https://your-adfs-server-url/FederationMetadata/2007-06/FederationMetadata.xml. Note that the link is to download from your AD FS server, not this KB. Go to AD FS Management > Service > Endpoints and make sure the name is the same as /FederationMetadata/2007-06/FederationMetadata.xml.

mceclip0.png

Copy the Identity provider's Entity ID from entityID.

mceclip2.png

Copy the ldentity provider SSO URL from Location.

mceclip3.png

Copy the Public x509 certificate from protocolSupportEnumeration's signing.

mceclip4.png

 

 

 
 

Related articles

Comments

0 comments

Article is closed for comments.