AD FS Single Sign On: Enterprise setup (US)

This article will provide guidance to configure Azure Enterprise application for ClickView Online with Microsoft Azure Active Directory.

For the integration process with AD FS on your server, please refer to:

Integration Process with Microsoft ADFS

Configuring a Relying Party Trust with ClickView:

Now that the ADFS Service has been installed you are ready to setup the Relying Party Trust.

1. Select Relying Party Trusts

2. Click Add Relying Party Trust

3. Click Next and then select 'Claims aware' and then 'Start' button:

4. Choose 'Import data about the relying party published online or on a local network' option:

Enter the ClickView SAML Metadata URL mentioned below, depending upon geographic location:

ClickView's SAML Metadata URL:

https://saml-in1.clickview.us/Shibboleth.sso/Metadata

NOTE: Ensure that you use the URL that is appropriate for your institution's geographic location.

5. You will notice this warning pop-up message, which can be dismissed by clicking on 'OK':

7.  You can retain the default Display Name in the next window or change it accordingly

8.  Click Next

Creating Claim Rules for Exposure

For successful ADFS Integration with ClickView we require the following attributes exposed:

• Email Address
• Given Name
• Last Name
• Display Name
• Member Of (Group Membership)

During the authentication process the user's group membership is enumerated and the respective group membership that is mapped to ClickView Online is chosen.

In accordance with the SAML2 protocol the following rule templates must be used when exposing the above attributes over ADFS.

1. Right-Click on the newly added Relying Party Trust and select 'Edit Claim Issuance Policy':

2. On the tab Issuance Transform Rules click Add Rule:

3. Select 'Send Claims Using a Custom Rule' option from the Claim Rule Template Drop-down and click 'Next'

4. For each of the above claim rules explained above enter the corresponding Claim Rule name and the Custom Rule as per below:

Exposing additional claim rules

The claim rules described in step 4 above are the minimum required claim rules for the basic user identification, however for sending any additional attributes for the purpose of campus/school/institution identification, the claim can be released by using the following custom templates:

I. Using the claim urn:oid format

c:[Type == "http://schemas.microsoft.com/ws/ABCD/XY/identity/claims/XXX"]

=> issue(store = "Active Directory", types = ("urn:oid:X.X.X.XX"), query = ";givenName;{0}", param = c.Value);

II. Using the claim name format

c:[Type == "http://schemas.microsoft.com/ws/ABCD/XY/identity/claims/XXX"]

=> issue(store = "Active Directory", types = ("XXX"), query = ";givenName;{0}", param = c.Value);

Where:

ABCD/XY = Schema/Standard

X.X.X.XX = urn:oid for the corresponding claim

XXX = claim name

NOTE: For identifying the schema of your desired attribute, please refer to What are claim types?

Other methods for exposing claims and attributes:

Please refer to the official Microsoft documentation below, which will guide you through the process of enabling claims and attributes, via different methods listed below:

A. Create a Rule to Send LDAP Attributes as Claims

B. Create a Rule to Send Group Membership as a Claim

C. Create a Rule to Transform an Incoming Claim

D. Create a Rule to Send an Authentication Method Claim

E. Create a Rule to Send Claims Using a Custom Rule

Once the above attributes have been mapped please submit your completed onboarding form and we will complete the integration process.

NOTE: Please include the name(s) of any additional attributes which are exposed for campus/school/institution.

Submitting your information

To start a new onboarding form, please click SSO Onboarding form,otherwise please continue with the form if you are already in the process of completing.