Xoxoday supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (IdP) rather than obtaining and using a separate username and password handled by Xoxoday.
Under the SSO setup, Xoxoday acts as a Service Provider (SP) using SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) for your domain.
What you need is an ADFS 2.0 Identity Provider (IdP), which handles the sign-in process and returns a signed identity assertion to Xoxoday. Users who authenticate through your ADFS 2.0 IdP are managed entirely on your side; Xoxoday does not store their passwords.
STEP 1. ADFS 2.0 CONFIGURATION
Open the ADFS 2.0 Management console through Start→Administrative Tools→ADFS 2.0 Management.
You need the IdP metadata XML file. To find where this file (FederationMetadata.xml) is published on your ADFS server, open the ADFS 2.0 Management console, expand Service and select the Endpoints node. The Metadata section shows that FederationMetadata.xml is located at /FederationMetadata/2007-06/FederationMetadata.xml.
This path is the same on every ADFS server.
Open a browser and navigate to the FederationMetadata.xml location, for example https://fs.transishun.co.uk/FederationMetadata/2007-06/FederationMetadata.xml (replace the hostname with that of your own federation service). You will be prompted to save the file to disk. This file is uploaded to the Empuls portal in Step 4 below.
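As an added example (not part of the original Xoxoday article), the following PowerShell downloads FederationMetadata.xml and prints the values Empuls will depend on: the IdP entityID, the SingleSignOnService endpoints and the token-signing certificate with its expiry. Running this before the upload catches a wrong hostname, a stale file or a certificate about to expire. The hostname fs.example.com and the output path are assumptions; the script uses System.Net.WebClient because ADFS 2.0 hosts typically run PowerShell 2.0, which has no Invoke-WebRequest.

```powershell
# Added example, not from the Xoxoday article: fetch and inspect the ADFS IdP metadata.
# $adfsHost is an assumption; use the hostname of your own federation service.
$adfsHost = "fs.example.com"
$url      = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile  = Join-Path $env:TEMP "FederationMetadata.xml"

# TLS certificate errors are deliberately NOT suppressed: this file carries the IdP
# signing certificate, so it must arrive over a channel you trust.
$client = New-Object System.Net.WebClient
$client.DownloadFile($url, $outFile)

[xml]$md = Get-Content $outFile
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# entityID is the Issuer value Empuls will expect in every SAML response from this IdP
"entityID : " + $md.DocumentElement.GetAttribute("entityID")

$idp = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)
foreach ($sso in $idp.SelectNodes("md:SingleSignOnService", $ns)) {
    "SSO      : " + $sso.GetAttribute("Binding") + "  " + $sso.GetAttribute("Location")
}

# Token-signing certificate(s): Empuls validates assertion signatures against these.
foreach ($kd in $idp.SelectNodes("md:KeyDescriptor[@use='signing']", $ns)) {
    $b64  = $kd.SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns).InnerText
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[Convert]::FromBase64String($b64))
    "Signing  : " + $cert.Subject + "  thumbprint=" + $cert.Thumbprint + "  expires=" + $cert.NotAfter
}
```

Note the expiry date printed for the signing certificate: the uploaded metadata is a static snapshot, so when ADFS renews its token-signing certificate (ADFS 2.0 does this automatically by default) the file on the Empuls side must be uploaded again.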
STEP 2. ADFS 2.0 RELYING PARTY TRUST CONFIGURATION
At this step you define the Xoxoday endpoints in your ADFS. You can do this manually or import the metadata XML provided by Xoxoday.
Copy the service provider details shown in your Empuls account, or upload the service provider metadata file (empuls-sp-metadata.xml) to your identity platform; it can be downloaded by clicking "Download SP Metadata".
Select Relying Party Trusts from the left tree-view under Trust Relationships, right-click Relying Party Trusts and click Add Relying Party Trust. The wizard launches.
Click Start and choose Import data about the relying party from a file. Click Browse and locate the metadata XML file (empuls-sp-metadata.xml) for your Xoxoday domain, downloaded in the previous step.
Click Next, ignore the pop-up message, type a distinctive Display Name (e.g. Xoxoday) and click Next.
Select Permit all users to access this relying party, click Next and then Finish.
In the centre column right-click the relying party trust you have just created (e.g. Xoxoday) and select Properties.
On the Advanced tab select SHA-256 as the Secure hash algorithm and click OK. Do not downgrade this to SHA-1, which is deprecated for XML signatures.
STEP 3. ADFS 2.0 CLAIM RULES CONFIGURATION
To configure proper communication between your ADFS and Xoxoday, you need to define claim rules.
In the centre column right-click the relying party trust you have just created (e.g. Xoxoday) and select Edit Claim Rules.
On the Issuance Transform Rules tab click Add Rule. The wizard launches.
Select Send LDAP Attributes as Claims as the claim rule template and click Next.
Define the Claim rule name (e.g. Get LDAP Attributes) and select Active Directory as the Attribute store. In the Mapping of LDAP attributes to outgoing claim types select the following:
LDAP Attribute: E-Mail-Addresses, Outgoing Claim Type: E-Mail Address
LDAP Attribute: Employee-ID, Outgoing Claim Type: Employee id
and then click Finish.
Add a second rule following the same procedure. Select Transform an Incoming Claim and click Next.
Define the Claim rule name (e.g. Email to Name ID), set Incoming claim type to E-Mail Address (the claim issued by the previous rule), Outgoing claim type to Name ID and Outgoing name ID format to Email. Then click Finish. Every user must have an e-mail address defined in Active Directory; a user without one gets no Name ID claim and cannot sign in to Xoxoday.
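The same relying party trust and claim rules as Steps 2 and 3, created with the ADFS 2.0 PowerShell snap-in instead of the management console. This is an added example, not code from Xoxoday; the metadata path and the display name are assumptions, and the LDAP attribute employeeID and the outgoing claim type string "Employee id" are taken from the mapping above (if the SP metadata declares a different attribute name for the employee ID, use that instead). The rule text is the ADFS claim rule language that the two wizard templates generate.

```powershell
# Added example, not from the Xoxoday article: Steps 2 and 3 via the ADFS 2.0 snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$spMetadata = "C:\sso\empuls-sp-metadata.xml"   # assumed path of the "Download SP Metadata" file
$rpName     = "Xoxoday"                          # assumed display name

# Step 2: import the SP metadata (entityID, assertion consumer URL, SP certificate)
Add-ADFSRelyingPartyTrust -Name $rpName -MetadataFile $spMetadata

# Step 2, Advanced tab: sign assertions with RSA-SHA256, never SHA-1
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Wizard choice "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 3, rule 1 ("Send LDAP Attributes as Claims"): mail -> E-Mail Address, employeeID -> Employee id
# Step 3, rule 2 ("Transform an Incoming Claim"): E-Mail Address -> Name ID, format Email
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "Employee id"), query = ";mail,employeeID;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Verify what was stored: identifier from the SP metadata, SHA-256 signing, both rules present
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules
```

Keep the issuance authorization rule deliberately narrow if not every Active Directory user should reach Xoxoday; "permit all" matches the wizard step above but is the broadest setting available.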
STEP 4. Empuls SAML 2.0 Configuration
Upload the IdP metadata XML file (FederationMetadata.xml) in the second step of the "Setup SAML integration" page. The file contains the ADFS token-signing certificate; if that certificate is renewed (ADFS 2.0 rolls it over automatically by default), upload the new FederationMetadata.xml again or sign-in will fail.