InSpace SSO setup with ADFS

To set up SSO between InSpace and Microsoft ADFS, create a relying party trust for InSpace in ADFS (using either the automatic or the manual method described below) and send your ADFS federation metadata, or its URL, together with a test user to the InSpace support team.

Data needed from InSpace

For the ADFS setup you need the following values from InSpace. Use them exactly as shown: the relying party identifier and the WS-Federation endpoint must match what InSpace expects, or sign-in will fail.

Realm identifier: urn:auth0:dev-mzfu6d84

Endpoint: https://login.inspace.chat/login/callback


You need to provide your ADFS federation metadata to InSpace for the SSO setup.

The Federation Metadata document contains, among other things, the ADFS server's token-signing certificates. If the Federation Metadata endpoint (https://<your-adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml) is enabled in ADFS and reachable from the internet, Auth0 (the identity platform InSpace uses for SSO) can periodically (once a day) look for changes in the configuration, like a new signing certificate added to prepare for a rollover. Because of this, enabling the Federation Metadata endpoint is preferred to providing a standalone metadata file. If you provide a standalone metadata file, InSpace will notify you via email when the certificates are close to their expiration date; you must then send an updated file before the rollover, otherwise sign-ins will start failing with token signature errors once ADFS switches to the new certificate.

You can provide either the ADFS metadata URL or the federation metadata file to InSpace. The URL is preferred because InSpace will connect to it periodically and pick up new certificates automatically.
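As an added example (not part of the InSpace or Auth0 documentation), the script below pulls the token-signing certificates out of an ADFS federation metadata document and reports their expiry, which is the same data InSpace refreshes daily from the endpoint. It lets you check, before sending anything, that the endpoint is reachable and which certificates and dates the other side will see. The host name adfs.example.com is a placeholder; the metadata path is the standard ADFS one. With -MetadataFile it reads a saved FederationMetadata.xml instead of the live endpoint.

```powershell
# Added example, not from the InSpace/Auth0 docs: list the token-signing
# certificates in an ADFS federation metadata document and warn about expiry.
param(
    [string]$AdfsHost     = 'adfs.example.com',   # assumption: placeholder, use your farm's FQDN
    [string]$MetadataFile = '',                   # optional: path to a saved FederationMetadata.xml
    [int]$WarnDays        = 30                    # warn when a certificate expires within this many days
)

function Get-AdfsSigningCertificate {
    param([Parameter(Mandatory)][xml]$Metadata)

    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Signing keys are listed under both the STS RoleDescriptor and the
    # IDPSSODescriptor; collect all of them and de-duplicate by thumbprint.
    $nodes = $Metadata.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    $seen  = @{}
    foreach ($node in $nodes) {
        $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }
        $seen[$cert.Thumbprint] = $true
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Load the metadata from the live endpoint (what InSpace polls) or from a file.
if ($MetadataFile) {
    [xml]$doc = Get-Content -Path $MetadataFile -Raw
} else {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $uri = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
    [xml]$doc = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
}

Write-Host "Entity ID: $($doc.EntityDescriptor.entityID)"

$certs = Get-AdfsSigningCertificate -Metadata $doc
$certs | Format-Table Subject, Thumbprint, NotAfter, DaysRemaining -AutoSize

foreach ($c in $certs) {
    if ($c.DaysRemaining -le $WarnDays) {
        Write-Warning ("Signing certificate {0} expires in {1} days. If you sent InSpace a static metadata file, send an updated one before the rollover." -f $c.Thumbprint, $c.DaysRemaining)
    }
}
```

Two certificates in the output during a rollover window is normal: ADFS publishes both the current and the next token-signing certificate, which is exactly why the polled URL is preferred over a static file. On the ADFS server itself you can cross-check the thumbprints with Get-AdfsCertificate -CertificateType Token-Signing.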

Please also provide a test user (a non-privileged account in your Active Directory) so InSpace can test the full sign-in flow.

ADFS setup

There are two methods for the ADFS setup:

  1. Automatic

  2. Manual

Both methods are described below.

Automatic setup

For the automatic setup, run the following commands in a Windows PowerShell window on the ADFS server. You must run them as an administrator of the system.

The first command downloads the Auth0 adfs.ps1 helper script and executes it immediately with Invoke-Expression (iex). Because that runs code fetched over the network with administrator rights on your federation server, a safer way to do the same thing is to download the script to a file first, review it, and only then execute it before calling AddRelyingParty.

(new-object Net.WebClient -property @{Encoding = [Text.Encoding]::UTF8}).DownloadString("https://raw.github.com/auth0/adfs-auth0/master/adfs.ps1") | iex

AddRelyingParty "urn:auth0:dev-mzfu6d84" "https://login.inspace.chat/login/callback"

For automated integration, this script uses the ADFS PowerShell snap-in to create and configure a relying party trust that issues the following claims for the authenticated user: email address, name, UPN (as Name ID), given name, and surname.

The script creates the Relying Party Trust on ADFS, as follows:

$realm = "urn:auth0:dev-mzfu6d84";
$webAppEndpoint = "https://login.inspace.chat/login/callback";

Add-PSSnapin Microsoft.Adfs.Powershell

Add-ADFSRelyingPartyTrust -Name $realm -Identifier $realm -WSFedEndpoint $webAppEndpoint
$rp = Get-ADFSRelyingPartyTrust -Name $realm

The script also creates a rule to output the most common attributes, such as email, UPN, given name, or surname, and an issuance authorization rule that permits every authenticated user to sign in (parameter names below use plain ASCII hyphens; typographic dashes pasted from a web page will not parse):

$rules = @'
@RuleName = "Store: ActiveDirectory -> Mail (ldap attribute: mail), Name (ldap attribute: displayName), Name ID (ldap attribute: userPrincipalName), GivenName (ldap attribute: givenName), Surname (ldap attribute: sn)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,displayName,userPrincipalName,givenName,sn;{0}", param = c.Value);
'@

Set-ADFSRelyingPartyTrust -TargetName $realm -IssuanceTransformRules $rules

$rSet = New-ADFSClaimRuleSet -ClaimRule '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Set-ADFSRelyingPartyTrust -TargetName $realm -IssuanceAuthorizationRules $rSet.ClaimRulesString
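The following script is an added example, not part of the Auth0 adfs.ps1 script or the InSpace documentation. Run it on the ADFS server after either setup method: it checks that the relying party trust has the identifier, WS-Federation endpoint and issued claim types described above, reports whether the issuance authorization rule still permits every user, and can optionally replace that rule with one that permits only members of a single AD group. The -AllowedGroupSid value is an assumption you supply (for example from (Get-ADGroup 'InSpace-Users').SID.Value); leave it empty to keep the permit-all rule.

```powershell
# Added example, not from the InSpace/Auth0 setup script: verify the InSpace
# relying party trust and optionally restrict sign-in to one AD group.
param(
    [string]$Realm           = 'urn:auth0:dev-mzfu6d84',
    [string]$Endpoint        = 'https://login.inspace.chat/login/callback',
    [string]$AllowedGroupSid = ''    # assumption: placeholder group SID, e.g. S-1-5-21-...-1234
)

Import-Module ADFS -ErrorAction Stop   # Windows Server 2012 R2 and later

$rp = Get-AdfsRelyingPartyTrust -Identifier $Realm
if (-not $rp) { throw "No relying party trust has the identifier '$Realm'." }

$problems = @()

if (-not $rp.Enabled) { $problems += 'The trust is disabled.' }

if ($null -eq $rp.WSFedEndpoint -or $rp.WSFedEndpoint.AbsoluteUri -ne $Endpoint) {
    $problems += "WS-Federation endpoint is '$($rp.WSFedEndpoint)', expected '$Endpoint'."
}

# Claim types the rule on this page issues; nameidentifier carries the UPN.
$expectedClaims = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
)
foreach ($claim in $expectedClaims) {
    if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($claim)) {
        $problems += "No issuance transform rule emits $claim."
    }
}

# An unconditional permit rule ("=> issue(... permit ...)") lets every
# authenticated AD user sign in to InSpace.
$permitAll = $rp.IssuanceAuthorizationRules -match '(?m)^\s*=>\s*issue\(Type\s*=\s*"http://schemas\.microsoft\.com/authorization/claims/permit"'
if ($permitAll) { Write-Warning 'The issuance authorization rule permits all users.' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Relying party trust '$($rp.Name)' matches the expected InSpace configuration."
}

if ($AllowedGroupSid) {
    # Replace permit-all with "permit only members of this group". The groupsid
    # claim is present for every AD-authenticated user, so no extra transform
    # rule is needed; users outside the group get an access-denied page from ADFS.
    $authzRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit InSpace sign-in to members of $AllowedGroupSid only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$AllowedGroupSid$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
    Set-AdfsRelyingPartyTrust -TargetIdentifier $Realm -IssuanceAuthorizationRules $authzRules
    Write-Host "Issuance authorization rule now restricted to group SID $AllowedGroupSid."
}
```

Run it once without -AllowedGroupSid to get the report; the group restriction is an optional tightening of the permit-all rule the setup creates, and it is applied on the ADFS side only, so nothing has to change at InSpace.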

Manual Setup

Manual setup part 1: Add a Relying Party Trust

  1. Open the ADFS Management Console.

  2. On the right side of the console, click Add Relying Party Trust.

  3. Click Start.

  4. Select Enter data about the relying party manually, and click Next.

  5. Type a name (such as InSpace), and click Next.

  6. Use the default (ADFS 2.0 profile), and click Next.

  7. Use the default (no encryption certificate), and click Next.

  8. Check Enable support for the WS-Federation..., and type this value in the textbox: https://login.inspace.chat/login/callback

  9. Click Next.

  10. Add a Relying Party Trust identifier with this value: urn:auth0:dev-mzfu6d84

  11. Click Add, and then Next.

  12. Leave the default Permit all users..., and click Next.

  13. Click Next, and then Close.

Manual setup part 2: Add a claim issuance policy rule

  1. If you're using Windows Server 2019, the Edit Claim Issuance Policy dialog box automatically opens when you finish the Add Relying Party Trust wizard. If you're using Windows Server 2012 or 2016, open it as follows:

     In Windows Server 2012: In the Actions panel on the right side of the console, find the Relying Party Trust you just created. Beneath it, click Edit Claim Issuance Policy.

     In Windows Server 2016: In the console tree, under ADFS, click Relying Party Trusts. On the right side of the console, find the Relying Party Trust you just created. Right-click it and click Edit Claim Issuance Policy.

  2. In the Edit Claim Issuance Policy window, under Issuance Transform Rules, click Add Rule....

  3. Leave the default Send LDAP Attributes as Claims, and click Next.

  4. Give the rule a name that describes what it does.

  5. Under Attribute Store, select Active Directory.

  6. Select these mappings under Mapping of LDAP attributes to outgoing claim types, and click Finish.

  

  LDAP Attribute          Outgoing Claim Type
  ----------------------  -------------------
  E-Mail-Addresses        E-Mail Address
  Display-Name            Name
  User-Principal-Name     Name ID
  Given-Name              Given Name
  Surname                 Surname

Add additional LDAP attributes

The mappings in the previous steps are the most commonly used, but if you need additional LDAP attributes with information about the user, you can add more claim mappings.

  1. If you closed the window in the previous step, select Edit Claim Issuance Policy (labeled Edit Claim Rules on older ADFS versions) on the context menu for the Relying Party Trust you created, and edit the rule.

  2. Create an additional row for every LDAP attribute you need, choosing the attribute name in the left column and the desired claim type in the right column.

  3. If the claim type you are looking for doesn't exist, you have two options:

     a. Type a namespace-qualified name for the new claim (for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department).

     b. Register a new claim type (under ADFS > Service > Claim Descriptions in the ADFS admin console), and use the claim name in the mapping.

Auth0 uses the name part of the claim type (for example department in http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department) as the attribute name for the user profile. Add only the attributes InSpace actually needs: every claim you map here is sent to a third party in each sign-in token.
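As an added example (not from the InSpace or Auth0 documentation), the script below does the same thing from PowerShell: it appends one more LDAP attribute to the claims issued for the InSpace trust, the equivalent of adding a row to the Send LDAP Attributes as Claims rule in the console, and then lists every claim type the trust emits together with the attribute name Auth0 will derive from it. The department attribute and the claim type URI are the example from the text above; the rule name is a choice made here.

```powershell
# Added example, not from the InSpace/Auth0 docs: add one LDAP attribute as a
# claim on the existing InSpace relying party trust and list the result.
param(
    [string]$Realm         = 'urn:auth0:dev-mzfu6d84',
    [string]$LdapAttribute = 'department',
    [string]$ClaimType     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department'
)

Import-Module ADFS -ErrorAction Stop   # Windows Server 2012 R2 and later

$rp = Get-AdfsRelyingPartyTrust -Identifier $Realm
if (-not $rp) { throw "No relying party trust has the identifier '$Realm'." }

# Idempotent: do nothing if some rule already issues this claim type.
if ($rp.IssuanceTransformRules -match [regex]::Escape($ClaimType)) {
    Write-Host "Trust already issues $ClaimType; nothing to do."
    return
}

# Same shape as the rule created by the setup script, but with a single
# attribute, so the original rule is left untouched.
$newRule = @"
@RuleName = "Store: ActiveDirectory -> $LdapAttribute (ldap attribute: $LdapAttribute)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$ClaimType"), query = ";$LdapAttribute;{0}", param = c.Value);
"@

$rules = $rp.IssuanceTransformRules.TrimEnd() + "`r`n`r`n" + $newRule
Set-AdfsRelyingPartyTrust -TargetIdentifier $Realm -IssuanceTransformRules $rules

# Re-read the trust and list every claim type issued by an Active Directory
# store rule, with the profile attribute name Auth0 derives from it (the last
# path segment of the claim type URI).
$rp = Get-AdfsRelyingPartyTrust -Identifier $Realm
$issued = foreach ($m in [regex]::Matches($rp.IssuanceTransformRules, 'types\s*=\s*\(([^)]*)\)')) {
    [regex]::Matches($m.Groups[1].Value, '"([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
}
$issued | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{ ClaimType = $_; ProfileAttribute = ($_ -split '/')[-1] }
} | Format-Table -AutoSize
```

Appending a separate rule rather than editing the query string of the existing one keeps the change easy to review and to revert, and the final listing is what you would send to InSpace so they know which new attribute name to expect on the user profile.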