This article provides guidance on the steps required for SAML integration with ClickView Online. Note that the SAML integration process is an HTTPS-only process, and customers must ensure that they possess at least a 2048-bit RSA certificate from a reputable Certificate Authority.
Currently ClickView supports Single Sign-On (SSO) integration for most SAML2 Protocol based authentication systems including but not limited to Active Directory Federation Services (ADFS), Shibboleth 2.0, WS-Federation, and PingIdentity.
Please ensure the On-Boarding Document is completed and emailed to ClickView Technical Support upon completion of the steps below.
Important Note: Please ensure that the On-Boarding Document contains your own institution's metadata URL and entity ID, not that of ClickView.
ClickView Metadata Information
Note: Ensure that you use the URL that is appropriate for your institution's geographic location.
Australian URLs:
SAML Metadata URL: https://saml-in4.clickview.com.au/Shibboleth.sso/Metadata
ClickView Entity ID: https://saml-in4.clickview.com.au/shibboleth
New Zealand URLs:
SAML Metadata URL: https://shibboleth.clickview.co.nz/Shibboleth.sso/Metadata
ClickView Entity ID: https://shibboleth.clickview.co.nz/shibboleth
United Kingdom URLs:
SAML Metadata URL: https://saml-in2.clickview.co.uk/Shibboleth.sso/Metadata
ClickView Entity ID: https://saml-in2.clickview.co.uk/shibboleth
Integration Process with Microsoft ADFS 2.0 / 3.0
Prior to undertaking the below, please ensure your ADFS 'Organisation' information is published with your Federation Metadata.
To verify or populate this, right-click the 'ADFS' folder in the top left-hand pane and select 'Edit Federation Service Properties'.
Within this section, click on the 'Organization' tab, this should present you with the following:
Please ensure the 'Publish Organization information in federation metadata' box is ticked, and that all 'Support contact information' boxes are populated with valid data - this is mandatory.
Customers running Active Directory at a functional level of 2003 or higher will be able to take advantage of Microsoft's ADFS for integrating with ClickView Online. We support ADFS on Windows Server 2008 R2 (ADFS 2.0) up to Windows Server 2016 (ADFS 4.0). Below is a brief walk-through of how the ADFS service can be installed on a Windows Server 2008 R2 server:
1. Open Start
2. Click Administrative Tools
3. Click AD FS 2.0 Management or AD FS 3.0 Management
4. Click AD FS Federation Server Configuration Wizard
5. Create a new Federation Service
6. New Federation Server Farm - always choose this option, even if you only plan on deploying one server. If Stand-alone Federation Server is chosen, you will not be able to add further federation servers to your AD network later.
7. Click Next
8. SSL Certificate - this should be pre-populated. If not, assign your SSL certificate to the Default Website created in IIS.
9. Federation Service Name - this should match the SSL certificate name.
10. Click Next
11. Enter the AD FS service account name and password
12. Click Next
13. Click Next
14. If the name of the federation service is already in use, you may be presented with an error: "The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again." You will have to use setspn.exe to set the proper SPN.
Configuring Federation Trust with ClickView Online
Now that the ADFS service has been installed, you are ready to set up the Relying Party Trust.
1. Select Relying Party Trusts
2. Click Add Relying Party Trust
3. Click Next
4. Choose Import data about the relying party published online or on a local network
5. Enter the ClickView SAML Metadata URL for your geographic location, as listed at the start of this article (e.g. https://saml-in4.clickview.com.au/Shibboleth.sso/Metadata for Australia, or https://saml-in2.clickview.co.uk/Shibboleth.sso/Metadata for the UK)
6. Click Next
7. You can retain the default Display Name in the next window or change it accordingly
8. Click Next
9. Select Permit all users to access this relying party and click Next
10. Click Next & Finish
11. If you are running AD FS 3.0, it is necessary to ensure that both 'Forms Authentication' and 'Windows authentication' are enabled within the 'Global Authentication Policy' as per the screenshot below:
Creating Claim Rules for Exposure over SAML ADFS 2.0 / 3.0
For successful ADFS integration with ClickView, we require the following attributes to be exposed:
- Email Address
- Given Name
- Last Name
- Display Name
- Member Of (Group Membership)
During the authentication process the user's group membership is enumerated and the respective group membership that is mapped to ClickView Online is chosen.
In accordance with the SAML2 protocol, the following rule templates must be used when exposing the above attributes over ADFS.
1. Right-Click on the newly added Relying Party Trust and select Edit Claim Rules
2. On the tab Issuance Transform Rules click Add Rule
3. Select Send Claims Using a Custom Rule from the Claim Rule Template Drop-down and click Next
4. For each of the attributes listed above, enter the corresponding Claim Rule name and the Custom Rule as per the table below:
Claim Rule Name | Custom Rule
Email Address | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.3"), query = ";mail;{0}", param = c.Value);
Given Name | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.5.4.42"), query = ";givenName;{0}", param = c.Value);
Display Name | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.16.840.1.113730.3.1.241"), query = ";displayName;{0}", param = c.Value);
Member Of | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:1.2.840.113556.1.2.102"), query = ";memberOf;{0}", param = c.Value);
Surname | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.5.4.4"), query = ";SN;{0}", param = c.Value);
5. Once the above attributes have been mapped, please contact ClickView Technical Support with your completed On-Boarding Document and we will complete the integration process.
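The Relying Party Trust steps and the five claim rules above can also be applied from PowerShell on the federation server. This is an added example, not part of the ClickView article: it assumes AD FS 3.0 or later, uses the Australian metadata URL (swap in the NZ or UK one as appropriate), and uses 'ClickView Online' as a placeholder display name.

```powershell
# Added example, not from the ClickView article: scripts the "Add Relying Party Trust"
# and "Edit Claim Rules" steps above on an AD FS 3.0+ server (Windows Server 2012 R2 or later).
# On AD FS 2.0 replace Import-Module ADFS with: Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS

# ClickView SP metadata URL for your region (Australian value from the article; swap for NZ/UK).
$metadataUrl = 'https://saml-in4.clickview.com.au/Shibboleth.sso/Metadata'
$trustName   = 'ClickView Online'   # placeholder display name; any value is acceptable

# The five custom rules from the table above, one @RuleName block each.
$transformRules = @'
@RuleName = "Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.3"), query = ";mail;{0}", param = c.Value);

@RuleName = "Given Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.5.4.42"), query = ";givenName;{0}", param = c.Value);

@RuleName = "Display Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.16.840.1.113730.3.1.241"), query = ";displayName;{0}", param = c.Value);

@RuleName = "Member Of"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:1.2.840.113556.1.2.102"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "Surname"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.5.4.4"), query = ";SN;{0}", param = c.Value);
'@

# Equivalent of the wizard's "Permit all users to access this relying party" choice.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-AdfsRelyingPartyTrust -Name $trustName) {
    # Trust already exists: refresh the metadata URL and replace both rule sets.
    Set-AdfsRelyingPartyTrust -TargetName $trustName -MetadataUrl $metadataUrl `
        -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules
} else {
    # Import the SP metadata (entity ID, endpoints, signing certificate) and attach the rules.
    Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl `
        -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Check: the identifier should be the ClickView entity ID and all five @RuleName blocks present.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$trust.Identifier
($trust.IssuanceTransformRules -split '@RuleName').Count - 1
```

Compare the printed identifier against the ClickView Entity ID for your region listed at the top of this article before sending the On-Boarding Document.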
SAML2 Attributes for Integration with 3rd Party IdPs
Because many different IdP solutions on the market implement the SAML2 protocol, we have compiled a list of the attributes that must be exposed by your IdP for successful federation with ClickView Online.
LDAP Attribute | SAML2 Attribute
Email Address | <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="email"/>
Given Name | <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
Display Name | <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
Member Of | <Attribute name="urn:oid:1.2.840.113556.1.2.102" id="memberOf"/>
First Name or cn (Common Name) | <Attribute name="urn:oid:2.5.4.3" id="cn"/>
Sn or Surname | <Attribute name="urn:oid:2.5.4.4" id="surName"/>
Important Note: If implementing Single Sign-On at your institution will change the e-mail addresses that your users currently use to access ClickView Online, please specify this when sending your completed SSO setup information back to ClickView. This is necessary so that ClickView can assess whether users' existing ClickView Online material, such as Workspace videos and Playlists, will need to be migrated when SSO is enabled for your institution.
If you are not sure of this, please contact ClickView Support for further guidance prior to commencing the SSO setup.
Optimal SSO Experience with ADFS
If users are presented with your ADFS sign-in page despite being logged in to the institution's network, it is likely that your ADFS setup requires optimisation so that ADFS-integrated applications can benefit from Integrated Windows Authentication (IWA), which provides true Single Sign-On (i.e. once users sign in to Windows, they will not need to sign in again to ClickView Online).
ClickView Technical Support is unable to provide assistance with optimising your SSO solution; however, further reading on achieving this can be found below. We recommend that you back up your services prior to making any changes to your production servers:
- https://blogs.technet.microsoft.com/abizerh/2013/04/11/more-information-about-sso-experience-when-authenticating-via-adfs/
- https://www.credera.com/blog/infrastructure/adfs-version-3-with-windows-10-clients-using-edge-fix-the-automatic-login-internally/
- http://www.powerobjects.com/2012/11/02/adfs-and-single-sing-o-cross-browser/
- Disabling Forms Authentication may also be required for seamless sign in.