ADFS
    • 07 Jun 2022

    Article Summary

    The ADFS integration allows you to sync SysAid with your ADFS account so you can automatically log in to SysAid whenever you log in to ADFS.

    Requirements

    For the integration to work, the ADFS server must be running properly on Windows Server 2012 R2 or above, and SysAid must be version 15.2.01 or above. Both the ADFS server and the SysAid server also require valid SSL certificates.

    Note

    You cannot activate this integration if another single sign-on integration has already been enabled for SysAid.

    Set up ADFS integration in SysAid

    The first step to enabling your ADFS integration is configuring certain parameters from SysAid's ADFS integration page. Speak to your account manager to ensure that ADFS is added to your available integrations.

    Note

    Only an admin with SysAid Administrator permissions can set up this integration.

    To configure ADFS parameters in SysAid

    1. Navigate to Settings > Integrations > Third-Party Integrations.
    2. Click the cog wheel icon on the ADFS icon.
    3. In the ADFS Callback URL field, replace the text "MyAccount" with your SysAid account name.
    4. In the ADFS IDP Login URL field, replace the text "MyAccount.MyADFS.com" with the host name of your ADFS server.

    Configure your ADFS 2016 account for integration with SysAid

    Once you have set up the configuration in SysAid, there are multiple processes you must perform to properly set up the SysAid integration.

    If you are using ADFS 2012, see the configuration instructions below.

    Add Relying Party Trust

    The first process from within ADFS is adding a relying party trust to the ADFS configuration database.

    To add a relying party trust

    1. Open ADFS.
    2. In the folder pane, navigate to ADFS and right-click the Relying Party Trusts folder.
    3. From the Right-Click menu, select Add Relying Party Trust.
    4. On the first page of the Add Relying Party Trust Wizard, select Claims aware.
    5. Click Start.
    6. In the Select Data Source screen, select the Enter data about the relying party manually option.
    7. Click Next.
    8. In the Specify Display Name screen, enter a display name.
    9. Click Next.
    10. In the Configure Certificate screen, click Next.
    11. In the Configure URL screen, select the Enable support for the SAML 2.0 WebSSO protocol check box.
    12. Copy the callback URL that you set in the SysAid ADFS Configuration screen in step 3 of the section above and paste it into the Relying Party SAML 2.0 SSO Service URL field.
    13. Click Next.
    14. In the Configure Identifiers screen, copy the ADFS Issuer Token from the SysAid ADFS configuration screen to the Relying Party Trust Identifier field.
    15. Click Add.
    16. Click Next.
    17. In the Choose Access Control Policy screen, select Permit Everyone.
    18. Click Next.
    19. In the Ready to Add Trust screen, click Next.
    20. In the Finish screen, click Close.
    21. In the Edit Claim Rules for SysAid Login dialog that opens on your screen, click Add Rule.
    22. In the Choose Rule Type screen, from the Claim Rule Template drop-down, select Send LDAP Attributes as Claims.
    23. Click Next.
    24. In the Configure Claim Rule screen, enter a claim rule name in the Claim Rule Name field.
    25. From the Attribute Store drop-down, select Active Directory.
    26. Build the map of LDAP attributes to outgoing claim types (see screenshot below).
    27. Click Finish.
      [Screenshot: map of LDAP attributes to outgoing claim types]

    Create a new claim rule

    1. Back in the Edit Claim Rules for SysAid Login dialog, click Add Rule.
    2. In the Choose Rule Type screen, from the Claim Rule Template drop-down, select Transform an Incoming Claim.
    3. Click Next.
    4. In the Edit Rule - NameID window, enter a rule name in the Claim Rule Name field.
    5. From the Incoming Claim Type drop-down, select UPN.
    6. From the Outgoing Claim Type drop-down, select Name ID.
    7. From the Outgoing Name ID Format drop-down, select UPN.
    8. Ensure that the Pass through all claim values option is selected.
    9. Click OK.
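
    The wizard steps above can also be scripted, which makes the trust reviewable and repeatable. The following is an added example written for this page, not SysAid's or Microsoft's own script; it assumes ADFS 2016 PowerShell cmdlets, an HTTP-POST assertion consumer binding, and an LDAP attribute map of userPrincipalName and mail (the page shows that map only as a screenshot). PLACEHOLDER values are taken from the SysAid ADFS Configuration screen.

```powershell
# Added example, not SysAid's or Microsoft's script: builds the relying party
# trust and the two claim rules that the wizard steps above create, so the
# configuration can be version-controlled and reviewed. Run in an elevated
# PowerShell session on the ADFS 2016 server. PLACEHOLDER values come from
# the SysAid ADFS Configuration screen.
Import-Module ADFS

$displayName = 'SysAid Login'                       # Specify Display Name
$callbackUrl = 'https://PLACEHOLDER-callback-url'   # ADFS Callback URL field, pasted verbatim
$issuer      = 'PLACEHOLDER-issuer-token'           # ADFS Issuer Token field

# Steps 11-13: SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding assumed).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $callbackUrl -Index 0

# Steps 22-27, "Send LDAP Attributes as Claims". The attribute map is an assumption
# (the page only shows it as a screenshot): userPrincipalName -> UPN, mail -> E-Mail Address.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SysAid LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

# "Create a new claim rule" steps 4-9: UPN -> Name ID, Name ID format UPN, pass through all values.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
'@

# Steps 4-20: claims-aware trust, no encryption certificate, access control policy
# "Permit everyone". That policy lets every authenticated AD user obtain an assertion
# for SysAid, so SysAid's own permissions become the only authorization boundary;
# a group-scoped policy narrows this if not everyone needs SysAid.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $issuer `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules ($ldapRule + "`r`n" + $nameIdRule)

# Verify the result: one identifier, one SAML endpoint, two transform rules.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, AccessControlPolicyName, SamlEndpoints, IssuanceTransformRules
```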

    Add ADFS thumbprint to the SysAid ADFS Configuration screen

    Now that you have set up the configuration on the ADFS side, you need to retrieve the ADFS thumbprint parameter and add it to the SysAid ADFS Configuration screen.

    1. On the Main ADFS screen, select the Service > Certificates folder.
    2. Click the Token-signing file.
    3. In the Certificate dialog, select the Details tab.
    4. In the field column, click Thumbprint.
    5. Copy the Thumbprint text.
    6. Click OK.
    7. In SysAid, in the ADFS Configuration screen, paste the copied text into the ADFS Certificate Thumbprint field.
    8. Click the Activate Integration slider.
    9. (Optional) If you want SysAid to create new users with their ADFS IDs, enter "Y" in the Create New Users field.
    10. (Optional) If you chose to allow SysAid to create new users with their ADFS IDs, you can replace the ADFS domain with any name you want in the Domain Mapping field. For example, "MyDomain= MyCompany.com, MyDomain2= MyCompany.com". If you want user names to contain the ADFS domain, leave this field blank.
    11. Click Save Changes.
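
    The thumbprint can also be read with PowerShell, which avoids copy errors from the certificate dialog and shows whether the value is about to change. This is an added example, not SysAid's own tooling; it assumes the ADFS PowerShell module on the ADFS server, and the function names are hypothetical.

```powershell
# Added example (not SysAid's tooling): read the token-signing thumbprint with
# PowerShell instead of the certificate dialog, warn when certificate rollover
# will invalidate it, and check a value pasted into SysAid against it.
Import-Module ADFS

function Get-TokenSigningThumbprint {
    # ADFS can hold a primary and a secondary token-signing certificate. Assertions
    # are signed with the primary one, so that is the thumbprint SysAid must hold.
    $certs   = @(Get-AdfsCertificate -CertificateType Token-Signing)
    $primary = $certs | Where-Object { $_.IsPrimary }
    if ($certs.Count -gt 1 -and (Get-AdfsProperties).AutoCertificateRollover) {
        Write-Warning ('A secondary token-signing certificate exists and AutoCertificateRollover ' +
                       'is enabled. When it becomes primary, the thumbprint stored in SysAid ' +
                       'no longer matches the signing certificate and must be updated.')
    }
    return $primary.Thumbprint
}

function Test-ThumbprintMatch {
    # Compare a value copied into the SysAid ADFS Certificate Thumbprint field with the
    # live primary certificate. The certificate dialog may show the thumbprint as
    # space-separated lowercase hex, so both sides are normalised before comparing.
    param([Parameter(Mandatory)][string]$PastedValue)
    $normalize = { param($s) ($s -replace '[\s:]', '').ToUpperInvariant() }
    return (& $normalize $PastedValue) -eq (& $normalize (Get-TokenSigningThumbprint))
}

Get-TokenSigningThumbprint
# PLACEHOLDER: paste the value currently stored in SysAid to confirm it matches.
Test-ThumbprintMatch -PastedValue 'PLACEHOLDER-value-copied-into-SysAid'
```

    Re-run the check after any planned or automatic certificate rollover, since a stale thumbprint is the most common reason ADFS logins to SysAid stop working without any change on the SysAid side.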

    Configure your browser

    Once SysAid is integrated with ADFS, you need to configure your browser to allow for SSO (Single Sign-On). This requires one procedure if you are running SysAid in Internet Explorer and a separate procedure if you are running SysAid in Chrome or Firefox. You can perform one or both procedures depending on your company's requirements.

    To configure ADFS SSO for Internet Explorer or Microsoft Edge

    1. From your Windows Control Panel, select Internet Options.
    2. In the Security tab, click Local intranet.
    3. Click Sites.
    4. In the Local intranet, click Advanced.
    5. Add the first part of the URL you entered in the ADFS IDP Login URL field in SysAid's ADFS Configuration screen that ends in ".com".
    6. Click Add.
    7. Click Close.
    8. In the Local intranet window, click OK.
    9. In the Internet Options window, click OK.

    To configure ADFS SSO for Chrome and Firefox

    If the ADFS integration is not working in Chrome or Firefox, open a PowerShell prompt on the ADFS server as an administrator and run the following commands:

        # Add Chrome as a valid User Agent for Windows Integrated (NTLM) authentication
        Set-ADFSProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Mozilla/5.0")

        # Disable Extended Protection in ADFS 3.0
        Set-ADFSProperties -ExtendedProtectionTokenCheck None
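
    The two commands above append unconditionally and do not show what they changed. The following added example (not SysAid's or Microsoft's script) does the same change idempotently, reports the Extended Protection setting so the trade-off is visible, and restarts the ADFS service, which is required for WIASupportedUserAgents changes to take effect; the function names are hypothetical.

```powershell
# Added example (not SysAid's script): idempotent version of the two commands
# above, with the Extended Protection setting made visible before deciding
# whether the second command is needed at all.
Import-Module ADFS

function Add-WiaUserAgent {
    param([string]$Agent = 'Mozilla/5.0')
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    if ($current -contains $Agent) {
        Write-Host "'$Agent' is already in WIASupportedUserAgents; nothing to do."
        return $current
    }
    # 'Mozilla/5.0' is a prefix of almost every modern browser's User-Agent string,
    # so after this change ADFS offers Windows Integrated Authentication (and thus
    # the user's domain credentials) to all of them, not only Chrome and Firefox.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $Agent)
    # Changes to this property are picked up only after the service restarts.
    Restart-Service adfssrv
    return @((Get-AdfsProperties).WIASupportedUserAgents)
}

function Show-ExtendedProtection {
    # Allow (default): accept a channel binding token when the client sends one.
    # Require: refuse WIA without one. None: never check it.
    # Extended Protection binds the WIA exchange to the TLS channel it travels on;
    # 'None' removes that binding for every client, so record the value before
    # and after the page's second command and keep the change scoped in time.
    return (Get-AdfsProperties).ExtendedProtectionTokenCheck
}

Show-ExtendedProtection
Add-WiaUserAgent
```

    Test Chrome and Firefox after the user-agent change alone; only run the ExtendedProtectionTokenCheck command from the page if SSO still fails, and re-check Show-ExtendedProtection afterwards so the resulting setting is documented.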

    This completes the SysAid ADFS integration!

    When you access your SysAid login screen, you are routed to the ADFS login screen. If you are logged into ADFS, you are automatically logged in to SysAid.

    If you need to manually log in to SysAid to fix your ADFS configuration, use the following URL: "<SYSAID URL>/Login.jsp?manual=true".

    For further assistance, please contact SysAid Support.

    Configure your ADFS 2012 account for integration with SysAid

    Once you have set up the configuration in SysAid, there are multiple processes you must perform to properly set up the SysAid integration.

    Add Relying Party Trust

    The first process from within ADFS is adding a relying party trust to the ADFS configuration database.

    To add a relying party trust

    1. Open ADFS.
    2. In the folder pane, navigate to ADFS > Trust Relationships and right-click the Relying Party Trusts folder.
    3. From the Right-Click menu, select Add Relying Party Trust.
    4. On the first page of the Add Relying Party Trust Wizard, click Start.
    5. In the Select Data Source screen, select the Enter data about the relying party manually option.
    6. Click Next.
    7. In the Specify Display Name screen, enter a display name.
    8. Click Next.
    9. In the Choose Profile screen, select AD FS profile.
    10. Click Next.
    11. In the Configure Certificate screen, click Next.
    12. In the Configure URL screen, select the Enable support for the SAML 2.0 WebSSO protocol check box.
    13. Copy the callback URL that you set in the SysAid ADFS Configuration screen in step 3 of the section above and paste it into the Relying Party SAML 2.0 SSO Service URL field.
    14. Click Next.
    15. In the Configure Identifiers screen, copy the ADFS Issuer Token from the SysAid ADFS configuration screen to the Relying Party Trust Identifier field.
    16. Click Add.
    17. Click Next.
    18. In the Configure Multi-factor Authentication Now? screen, ensure that the I do not want to configure... option is selected.
    19. Click Next.
    20. In the Choose Issuance Authorization Rules screen, ensure that the Permit All Users to Access This Relying Party option is selected.
    21. Click Next.
    22. In the Ready to Add Trust screen, click Next.
    23. In the Finish screen, click Close.
    24. In the Edit Claim Rules for SysAid Login dialog that opens on your screen, click Add Rule.
    25. In the Choose Rule Type screen, from the Claim Rule Template drop-down, select Send LDAP Attributes as Claims.
    26. Click Next.
    27. In the Configure Claim Rule screen, enter a claim rule name in the Claim Rule Name field.
    28. From the Attribute Store drop-down, select Active Directory.
    29. Build the map of LDAP attributes to outgoing claim types (see screenshot below).
    30. Click Finish.
      [Screenshot: map of LDAP attributes to outgoing claim types]

    Create a new claim rule

    1. Back in the Edit Claim Rules for SysAid Login dialog, click Add Rule.
    2. In the Choose Rule Type screen, from the Claim Rule Template drop-down, select Transform an Incoming Claim.
    3. Click Next.
    4. In the Edit Rule - NameID window, enter a rule name in the Claim Rule Name field.
    5. From the Incoming Claim Type drop-down, select UPN.
    6. From the Outgoing Claim Type drop-down, select Name ID.
    7. From the Outgoing Name ID Format drop-down, select UPN.
    8. Ensure that the Pass through all claim values option is selected.
    9. Click OK.

    Add ADFS thumbprint to the SysAid ADFS Configuration screen

    Now that you have set up the configuration on the ADFS side, you need to retrieve the ADFS thumbprint parameter and add it to the SysAid ADFS Configuration screen.

    1. On the Main ADFS screen, select the Service > Certificates folder.
    2. Click the Token-signing file.
    3. In the Certificate dialog, select the Details tab.
    4. In the field column, click Thumbprint.
    5. Copy the Thumbprint text.
    6. Click OK.
    7. In SysAid, in the ADFS Configuration screen, paste the copied text into the ADFS Certificate Thumbprint field.
    8. Click the Activate Integration slider.
    9. (Optional) If you want SysAid to create new users with their ADFS IDs, enter "Y" in the Create New Users field.
    10. (Optional) If you chose to allow SysAid to create new users with their ADFS IDs, you can replace the ADFS domain with any name you want in the Domain Mapping field. For example, "MyDomain= MyCompany.com, MyDomain2= MyCompany.com". If you want user names to contain the ADFS domain, leave this field blank.
    11. Click Save Changes.

    Configure your browser

    Once SysAid is integrated with ADFS, you need to configure your browser to allow for SSO (Single Sign-On). This requires one procedure if you are running SysAid in Internet Explorer and a separate procedure if you are running SysAid in Chrome or Firefox. You can perform one or both procedures depending on your company's requirements.

    To configure ADFS SSO for Internet Explorer or Microsoft Edge

    1. From your Windows Control Panel, select Internet Options.
    2. In the Security tab, click Local intranet.
    3. Click Sites.
    4. In the Local intranet, click Advanced.
    5. Add the first part of the URL you entered in the ADFS IDP Login URL field in SysAid's ADFS Configuration screen that ends in ".com".
    6. Click Add.
    7. Click Close.
    8. In the Local intranet window, click OK.
    9. In the Internet Options window, click OK.

    To configure ADFS SSO for Chrome and Firefox

    1. In your ADFS server, open IIS Manager.
    2. Navigate to Default Web Site > adfs > ls.
    3. Double-click Authentication.
    4. Right-click Windows Authentication and select Advanced Settings from the Right-Click menu.
    5. Set Extended Protection to Off.
    6. Click OK.

    This completes the SysAid ADFS integration!

    When you access your SysAid login screen, you are routed to the ADFS login screen. If you are logged into ADFS, you are automatically logged in to SysAid.

    If you need to manually log in to SysAid to fix your ADFS configuration, use the following URL: "<SYSAID URL>/Login.jsp?manual=true".

    For further assistance, please contact SysAid Support.