This guide is related to configuring the Single Sign On feature with ADFS. If you do not already have the feature enabled on your system, please contact your account manager for further details.


Authentication URL

To allow authentication with ADFS, we need the URL of your ADFS federation metadata to enter into our configuration. This is an XML file that describes the ADFS service.

Note: Usually, the URL will be in the format of:
https://{Customer ADFS Domain}/FederationMetadata/2007-06/FederationMetadata.xml

This will require a request from your IT team.
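Before handing the URL over, it is worth confirming that it really serves federation metadata and noting which token-signing certificate it advertises, since that certificate is what the SSO configuration will trust. The following PowerShell is an added example, not part of this guide or of any MaxContact tooling; "adfs.example.com" is a placeholder host, and the query relies only on the standard metadata structure (EntityDescriptor, KeyDescriptor, X509Certificate).

```powershell
# Added example, not part of the MaxContact guide: fetch the ADFS federation metadata,
# make sure it parses, and show the issuer and token-signing certificate(s) that the
# SSO configuration will end up trusting. "adfs.example.com" is a placeholder host.
$adfsHost    = "adfs.example.com"
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Older Windows Server builds default .NET web requests to TLS 1.0, which ADFS refuses.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content   # throws if the body is not well-formed XML

# entityID is the issuer name that will appear in tokens from this ADFS instance.
$entityId = $metadata.EntityDescriptor.entityID
"Issuer (entityID): $entityId"
if ($entityId -notlike "*$adfsHost*") {
    Write-Warning "entityID does not reference $adfsHost; confirm this is the right metadata URL"
}

# Token-signing certificates are what the relying party uses to verify tokens, so record
# thumbprint and expiry: an unnoticed certificate rollover silently breaks single sign-on.
# local-name() is used so the XPath works whatever namespace prefixes ADFS emits.
$xpath = "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']"
$signingCerts = $metadata.SelectNodes($xpath)

$seen = @{}
foreach ($node in $signingCerts) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }   # same cert is listed once per descriptor
    $seen[$cert.Thumbprint] = $true

    "Signing cert: $($cert.Subject)"
    "  Thumbprint:  $($cert.Thumbprint)"
    "  Valid until: $($cert.NotAfter.ToString('u'))"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Token-signing certificate $($cert.Thumbprint) expires within 30 days"
    }
}
if ($seen.Count -eq 0) { Write-Warning "No signing certificates found in the metadata" }
```

Keep the thumbprint output with the change record for the SSO setup; if ADFS later rolls its token-signing certificate, the new thumbprint will appear here and the relying-party side will need updating.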


Setting up auth0 as a Relying Party Trust

You’ll need to run the following two PowerShell commands to register auth0 as a Relying Party Trust.


(new-object Net.WebClient -property @{Encoding = [Text.Encoding]::UTF8}).DownloadString("https://raw.github.com/auth0/adfs-auth0/master/adfs.ps1") | iex


Then run the second command:


AddRelyingParty "urn:auth0:YOUR_TENANT" https://YOUR_DOMAIN/login/callback


Values: YOUR_TENANT and YOUR_DOMAIN in the command above will be provided by MaxContact during the setup process.
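The first command above fetches a script from GitHub and executes it immediately. The PowerShell below is an added example, not part of this guide or of the auth0 script: it saves the script to disk first so it can be read and its hash recorded, performs the same registration, and then confirms with the built-in ADFS module that the Relying Party Trust exists with the expected callback endpoint. YOUR_TENANT and YOUR_DOMAIN are the placeholder values MaxContact supplies.

```powershell
# Added example, not part of the MaxContact guide or the auth0 script: download the helper
# script to disk so it can be reviewed and hashed before it runs, register the trust, then
# confirm the Relying Party Trust exists. YOUR_TENANT / YOUR_DOMAIN are placeholders.
$tenant     = "YOUR_TENANT"
$domain     = "YOUR_DOMAIN"
$scriptUrl  = "https://raw.github.com/auth0/adfs-auth0/master/adfs.ps1"
$scriptPath = Join-Path $env:TEMP "adfs-auth0.ps1"

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $scriptUrl -OutFile $scriptPath -UseBasicParsing

# Record what is about to be executed, and read it before continuing.
"SHA256: " + (Get-FileHash -Path $scriptPath -Algorithm SHA256).Hash
Get-Content -Path $scriptPath

# Dot-sourcing runs the script in the current session, which is what the "| iex" form in
# the guide does; it defines the AddRelyingParty function used on the next line.
. $scriptPath
AddRelyingParty "urn:auth0:$tenant" "https://$domain/login/callback"

# Verify the result with the ADFS module rather than relying on the script's own output.
Import-Module ADFS
$rp = Get-AdfsRelyingPartyTrust -Identifier "urn:auth0:$tenant"
if (-not $rp) { throw "Relying Party Trust urn:auth0:$tenant was not created" }
$rp | Select-Object Name, Identifier, Enabled
$rp.Endpoints | Format-Table Protocol, Binding, Location -AutoSize

$expectedCallback = "https://$domain/login/callback"
$hasCallback = $rp.Endpoints | Where-Object { "$($_.Location)" -eq $expectedCallback }
if (-not $hasCallback) {
    Write-Warning "No endpoint on the trust matches $expectedCallback; sign-in will not return to MaxContact"
}
```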


Setting up the users with Roles

ADFS communicates user information to the MaxContact system via claims. For example, ADFS might send a “role” claim stating that the user belongs to the Sys Admin role. To map users to the correct roles in Manager Portal, we need to ensure that ADFS sends the right claims for the right users. Here’s how we do that:


Create an Active Directory group (or use an existing one). The idea is that everybody who belongs to this group will be sent out with the same claims by ADFS.


Users can belong to multiple groups, so additional claims can be sent for a subset of the group.


In this example, we’ll be using “Manager Portal Agents” as the group name (however, any group name is allowed).



In the ADFS management console, find the Relying Party Trust set up above. It should be identifiable because it contains the domain mentioned in the previous section.



When you’ve found the correct Relying Party Trust entry, select it, and click “Edit Claim Rules” in the right-side panel.


Choose “Add Rule” in the dialog and then select “Send Group Membership as a Claim” from the dropdown.




Claim Values:

Claim Rule Name: anything identifiable, in this case “Manager Portal Agents Role”.


User’s Group: the name of the group created above, e.g. “Manager Portal Agents”.


Outgoing Claim Type: Role


Outgoing Claim Value: the permission prefix followed by the role name. By default the prefix is “MaxContact.” (the trailing dot must be included).


The role name must match a role name configured in the system; the available role names can be found on the permissions page. Please ensure the correct roles are assigned, as assigning the wrong role could give someone access to areas of the product they should not have. (If you are unsure of the permission prefix or role name, please contact MaxSupport.)


Once this claim rule is set up, any user who is a member of that Active Directory group will send the claim “Role/MaxContact.Agent” when logging in using single sign-on, and this claim will be used to assign the required permissions to the user.
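Because the role claim translates directly into permissions, it is worth checking both halves of the mapping after saving the rule: that the rule on the trust really issues the expected value for the intended group, and who is currently in that group. The PowerShell below is an added example, not part of this guide; it reads the claim rule text from the Relying Party Trust with the ADFS module and lists members with the ActiveDirectory module. YOUR_TENANT is the placeholder from the setup section, and the role claim type URI is the standard one ADFS uses for “Role”.

```powershell
# Added example, not part of the MaxContact guide: confirm the claim rule on the trust
# issues the expected role value for the intended group, then list who will receive it.
$tenant        = "YOUR_TENANT"           # placeholder, supplied by MaxContact
$groupName     = "Manager Portal Agents"
$expectedValue = "MaxContact.Agent"      # prefix + role name, including the dot
$roleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

Import-Module ADFS
Import-Module ActiveDirectory

$rp = Get-AdfsRelyingPartyTrust -Identifier "urn:auth0:$tenant"
if (-not $rp) { throw "Relying Party Trust urn:auth0:$tenant not found" }

# IssuanceTransformRules holds every claim rule on the trust in claim rule language.
$rules = $rp.IssuanceTransformRules
"Claim rules on $($rp.Name):"
$rules

if ($rules -notmatch [regex]::Escape($roleClaimType)) {
    Write-Warning "No rule issues a Role claim; Manager Portal will receive no role"
}
if ($rules -notmatch [regex]::Escape("`"$expectedValue`"")) {
    Write-Warning "No rule issues the value `"$expectedValue`"; check the prefix and the trailing dot"
}

# The "Send Group Membership as a Claim" template matches on the group's SID, not its
# name, so confirm the SID in the rule belongs to the group you meant.
$group = Get-ADGroup -Identity $groupName
if ($rules -notmatch [regex]::Escape($group.SID.Value)) {
    Write-Warning "The rules do not reference the SID of '$groupName' ($($group.SID.Value))"
}

# Everyone listed here will be issued Role/$expectedValue at sign-in. Nested groups are
# expanded, so review the list for accounts that should not hold this role.
"Members of '$groupName' (recursive):"
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object SamAccountName, Name |
    Sort-Object SamAccountName
```

Re-run the membership listing whenever the group changes, since group membership in Active Directory is the only thing controlling who receives this role.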