Setting up Microsoft ADFS SSO for Veelo

Veelo supports single sign-on (SSO) sign-ins through SAML 2.0. The Microsoft Active Directory Federation Services (ADFS) server can act as a SAML 2.0 identity provider (IDP). The process consists of these steps:


Verifying Requirements


Adding a Relying Party Trust


Creating Claim Rules


Sending Certificate Information

Verifying Requirements

To use ADFS to as an SSO service for Veelo, you need the following:

  • An Active Directory instance where all users have an email address attribute.
  • A Veelo Premium or Enterprise subscription
  • A server running Microsoft Server 2012 or 2008; this guide uses screenshots from Server 2012R2, but steps should be very similar for different versions
  • An SSL certificate to sign your ADFS sign-in page and the fingerprint for that certificate.

When you have a fully installed ADFS installation, note down the value for the SAML 2.0/W-Federation URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be /adfs/ls/.

Adding a Relying Party Trust

The connection between ADFS and Veelo is defined using a Relying Party Trust (RPT). Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.



 

  1. In the Select Data Source screen, select the last option, Enter Data About the Party Manually.

     
  2. On the next screen, enter a Display name that you'll recognize in the future, and any notes you want to make.

     
  3. On the next screen, select the ADFS FS profile radio button.

     
  4. On the next screen, leave the certificate settings at their defaults.

     
  5. On the next screen, check Enable Support for the SAML 2.0 WebSSO protocol box.  Your customer success manager will send you the service URL to use.

     
  6. On the next screen, add a Relying party trust identifier of [customdomain].veeloapp.com. If you are unsure what your custom domain is, contact your customer success manager.

    NOTE: If you enter [customdomain].veeloapp.com, and receive a request failure error, you may need to enter your subdomain as https://[customdomain].veeloapp.com.

     
  7. On the next screen, select the Permit all users to access this relying party radio button.

     
  8. On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.

     

Creating claim rules

Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard. By default, the claim rule editor opens once you’ve created the trust.



 

  1. To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.

     
  2. On the next screen, using Active Directory as your attribute store, do the following:

    a.    From the LDAP Attribute column, select E-Mail Addresses.
    b.    From the Outgoing Claim Type, select E-Mail Address.

    Click on OK to save the new rule.

     
  3. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.

     
  4. On the next screen:

    a.    Select E-mail Address as the Incoming Claim Type.
    b.    For Outgoing Claim Type, select Name ID.
    c.    For Outgoing Name ID Format, select Email.
    d.    Leave the rule at Pass through all claim values.

     
  5. Finally, click OK to create the claim rule, and then OK again to finish creating rules.
     

Sending Certificate Information to Veelo

  1. In the AD FS Management window, navigate to Services, and then to Certificates.
     
  2. Right click on the Token-signing certificate and choose View certificate. Export it as a Base-64 encoded X.509 certificate.
     
  3. Open the certificate in a text editor, copy/paste the content into an email, and send it to support@veeloinc.com.