Configuring ADFS for Simplelists SAML2 Authentication

Introduction

Implementing SAML Authentication for Simplelists is described below.  If you use the Automatic Method you can ignore the Manual Method.

  1. Create Microsoft ADFS Relying Party Trust for simplelists (Automatic Method)
  2. Create Microsoft ADFS Relying Party Trust for simplelists (Manual Method)
  3. Create Microsoft ADFS Claims Issuance Policy for simplelists
  4. Add Signature Verification Certificate for Microsoft ADFS Relying Party (Manual Method)
  5. Set simplelists user to use the SAML Provider
  6. Testing Login

Create Microsoft ADFS Relying Party Trust for simplelists (Automatic method)

Creating an ADFS Relying Party Trust with the Simplelists metadata

  1. Transfer the saml.xml file, downloaded from the Simplelists Authentication Settings, to the ADFS server
  2. Open the AD FS Management application
     Shows the ADFS Admin tool selecting Relying Party Trusts
  3. Right-Click on the Relying Party Trusts Folder
  4. Click Add Relying Party Trust...

Relying Party Trust Wizard

    Shows ADFS Wizard - Select Claims Aware
  1. Select Claims Aware (Default)
  2. Click Start

Select Data Source

  1. Select Import data about the relying party from a file
     Shows ADFS Wizard - Select Data Source
  2. Click the Browse button and locate the saml.xml file
  3. Click Next to continue

Specify Display Name

    Shows ADFS Wizard - Specify Display Name
  1. Enter a Display Name to distinguish the Simplelists application
  2. Enter a Description (Optional)
  3. Click Next

Choose Access Policy

    Shows ADFS Wizard - Choose Access Control Policy
  1. Choose an Access Control Policy (Permit everyone is assumed)
  2. Click Next

Ready to add trust

    Shows ADFS Wizard - Ready to Add Trust
  1. Review the settings that were imported
  2. Click Next

Finish

    Shows ADFS Wizard - Successfully Added Relying Party Trust
  1. Click Close

Set Response and Assertion Signing option

Simplelists metadata is configured to support Encrypted Assertions.  This means that ADFS will encrypt the assertion XML using the Simplelists public key certificate.  This provides additional security, but it requires the SAML response signing option to be set via PowerShell, because encrypted assertions need both the response message and the assertion to be signed.

  1. Open PowerShell as an ADFS administrator
  2. Run the following command, where -TargetName is the Display Name you gave the relying party trust:

Set-AdfsRelyingPartyTrust -TargetName "SimpleLists" -SamlResponseSignature "MessageAndAssertion"
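The whole automatic method can also be scripted. The following is an added example, not part of the Simplelists documentation or the Microsoft ADFS module documentation: it imports the saml.xml metadata with Add-AdfsRelyingPartyTrust, applies the signing option, and then reads the trust back so you can confirm that the entity ID, the ACS endpoint and the encryption certificate were actually taken from the metadata. The display name "SimpleLists" and the path C:\ADFS\saml.xml are assumptions; replace them with your own values.

```powershell
# Added example (not from the Simplelists or Microsoft documentation):
# create the relying party trust from the Simplelists metadata file with
# PowerShell instead of the wizard, set the signing option, and check the result.
Import-Module ADFS

$rpName       = "SimpleLists"        # assumed Display Name; must match -TargetName below
$metadataPath = "C:\ADFS\saml.xml"   # placeholder: where you copied saml.xml on the ADFS server

# Equivalent of the wizard's "Import data about the relying party from a file".
# -AccessControlPolicyName exists on Windows Server 2016 and later. On older
# versions omit it and instead pass a permit-all authorization rule:
#   -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataFile $metadataPath `
    -AccessControlPolicyName "Permit everyone"

# Encrypted assertions require both the response message and the assertion to be signed.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlResponseSignature "MessageAndAssertion"

# Verify what the metadata import produced. An empty Identifier, endpoint list or
# encryption certificate means the metadata did not carry it and it must be set by hand.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object `
    Name, Identifier, EncryptClaims, SamlResponseSignature, `
    @{ n = 'EncryptionCert';        e = { $_.EncryptionCertificate.Subject } }, `
    @{ n = 'EncryptionCertExpires'; e = { $_.EncryptionCertificate.NotAfter } }, `
    @{ n = 'SamlEndpoints';         e = { ($_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" }) -join '; ' } }
```

Run it in an elevated PowerShell session on the ADFS server. The final Get-AdfsRelyingPartyTrust call is the check worth keeping around: the EncryptionCertExpires value tells you when the Simplelists encryption certificate will stop working and the metadata will need to be re-imported.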

Create Microsoft ADFS Relying Party Trust for simplelists (Manual method)

  1. Open the AD FS Management tool
     ADFS Tool Open displaying Relying Party Trusts
  2. Select Relying Party Trusts
  3. Right click and select Add Relying Party Trust …

Welcome

    Shows Relying Party Trust Wizard Welcome
  1. Accept the default Claims aware option
  2. Click Start

Select Data Source

    Shows Relying Party Trust Wizard - Select Data Source
  1. Select Enter data about the relying party manually
  2. Click Next

Specify Display Name

    Shows Relying Party Trust Wizard - Specify Display Name
  1. Enter simplelists Web Application as the Display name
  2. Click Next

Configure Certificate (optional)

Shows Relying Party Trust Wizard - Configure Certificate

Simplelists also supports encrypted SAML Assertions.

  1. Select the Simplelists encryption certificate using the browse button
  2. Click Next

NOTE: The encryption certificate is specified in the Simplelists metadata xml file.  Importing that file via the automatic method above is the easiest way to load the certificate into the trust.

NOTE 2: Encrypted assertions require that both the Response and Assertion be signed.  Run the following command from PowerShell, where -TargetName is the Display Name you gave the relying party trust:

Set-AdfsRelyingPartyTrust -TargetName "SimpleLists" -SamlResponseSignature "MessageAndAssertion"

Configure URL

Shows Relying Party Trust Wizard - Configure URL

  1. Click Enable support for the SAML 2.0 WebSSO protocol
  2. Enter the Relying party SAML 2.0 SSO service URL
  3. Click Next

This is the Reply URL / Single Sign On URL / Recipient URL / ACS URL from simplelists.  In the example above it is https://www.simplelists.com/app/saml

Configure Identifiers

Shows Relying Party Trust Wizard - Configure Identifiers

  1. Enter the Relying party trust identifier
  2. Click Add
  3. Click Next

In this case it is the Entity ID from simplelists.  In this example it is https://www.simplelists.com/app/saml/xml

Choose Access Control Policy

Shows Relying Party Trust Wizard - Choose Access Control Policy

  1. Accept the default of Permit everyone
  2. Click Next

Ready to Add Trust

Shows Relying Party Trust Wizard - Ready to Add Trust

  1. You can review each of the settings you added on the tabs.
  2. Click Next if they look correct.  You can change them later.

Finish

Shows Relying Party Trust Wizard - Finish

  1. Accept the default to Configure claims issuance policy for this application
  2. Click Close.

This may open the Edit Claim Issuance Policy dialog for your Relying Party Trust.
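The manual method maps directly onto the ADFS cmdlets, which is useful when you want the configuration reproducible or reviewable. The following is an added example and not part of the Simplelists documentation: it creates the same trust the wizard builds, using the Entity ID and ACS URL quoted in this guide, attaches the Simplelists encryption certificate, enables encrypted claims and sets the signing option. The certificate path C:\ADFS\simplelists-encryption.cer is a placeholder; export the certificate from the Simplelists metadata or settings page first.

```powershell
# Added example (not from the Simplelists or Microsoft documentation):
# PowerShell equivalent of the manual Relying Party Trust wizard steps.
Import-Module ADFS

# Values shown in this guide's example; confirm them against your Simplelists Authentication Settings.
$displayName = "simplelists Web Application"              # Display Name entered in the wizard
$entityId    = "https://www.simplelists.com/app/saml/xml"  # Relying party trust identifier (Entity ID)
$acsUrl      = "https://www.simplelists.com/app/saml"      # Relying party SAML 2.0 SSO service URL (ACS URL)
$encCertPath = "C:\ADFS\simplelists-encryption.cer"        # placeholder: exported Simplelists encryption certificate

# Load the encryption certificate (public key only) from the .cer file.
$encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($encCertPath)

# "Enable support for the SAML 2.0 WebSSO protocol": ADFS posts the SAML response to this endpoint.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $acsUrl -Index 0 -IsDefault $true

# Create the trust with the identifier, endpoint, encryption certificate and access policy
# (-AccessControlPolicyName requires Windows Server 2016 or later).
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $entityId `
    -SamlEndpoint $acsEndpoint `
    -EncryptionCertificate $encCert `
    -EncryptClaims $true `
    -AccessControlPolicyName "Permit everyone"

# Encrypted assertions require both the response message and the assertion to be signed.
Set-AdfsRelyingPartyTrust -TargetName $displayName -SamlResponseSignature "MessageAndAssertion"

# Review the result on the tabs the wizard would have shown.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, EncryptClaims, SamlResponseSignature, `
        @{ n = 'EncryptionCertExpires'; e = { $_.EncryptionCertificate.NotAfter } }, `
        @{ n = 'AcsUrl'; e = { ($_.SamlEndpoints | Where-Object Protocol -eq 'SAMLAssertionConsumer').Location } }
```

Because -TargetName and -Name are matched against the Display Name, keep the name in one variable as above; a trust created with one name and updated with another is the most common reason the signing option silently fails to apply.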

Create Microsoft ADFS Claims Issuance Policy for simplelists

The following dialog should have been displayed after you closed the Add Relying Party Trust Wizard.  If it was not displayed:

  1. Select the Relying Party Trust that you created
  2. Click the Edit Claim Issuance Policy from the actions menu to the right

Create Attributes Rule

This rule specifies which attributes will be in the SAML Assertion.

Shows Claim Issuance Policy

  1. Click the Add Rule

Choose Rule Type

  1. Select Send LDAP Attributes as Claims as the Claim rule template
  2. Click Next

Configure Rule for Attributes

  1. Set the Claim rule name to Attributes
  2. Set the Attribute store to Active Directory
  3. Add the LDAP Attributes and Outgoing Claim Types as shown below

     LDAP Attribute         Outgoing Claim Type
     ---------------------  -------------------
     Given-Name             Given Name
     Surname                Surname
     E-Mail-Addresses       E-Mail Address
     User-Principal-Name    Name ID

Shows Claim Issuance Wizard - Claim Rule

  1. Click Finish

Note that the Given Name and Surname outgoing claim types selected from the drop-down list set the default claim identifiers that simplelists uses to read the user's surname and given name from the SAML assertion.

Add Transform Incoming Claim Rule

Shows Claim Issuance Transform Rules

  1. Click Add Rule

Transform an Incoming Claim

Shows Claim Issuance Transform Rules Wizard - Choose Rule Type

  1. Select the Transform an Incoming Claim for the Claim rule template.
  2. Click Next.

Configure Claim Rule

Shows Claim Issuance Transform Rules Wizard - Configure Claim Rule

  1. Set the Claim rule name to Name ID
  2. Set the Incoming claim type to  E-Mail Address
  3. Set the Outgoing claim type to  Name ID
  4. Set the Outgoing name ID format to Email
  5. Select the default Pass through all claim values
  6. Click Finish

Shows Claim Issuance Policy with Rules

  1. Click OK to complete the Claim Issuance Policy

Add Signature Verification Certificate for Microsoft ADFS Relying Party (Manual Method)

By default Microsoft AD Federation Services does not allow you to import a signing verification certificate during the wizard to create a Relying Party Trust.

The Simplelists Signing Certificate can be downloaded from the Simplelists Authentication Provider settings

  1. Open AD FS Management
  2. Select your Relying Party Trust created above
  3. Click Properties from the right hand menu
  4. Select the Signature tab
     Shows No Signature Certificates for Relying Party
  5. Click the Add button
     Shows Signature Certificates for Relying Party
  6. Select the simplelists signing certificate
  7. Click Open
  8. Click OK after the certificate has been imported
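The same certificate can be attached from PowerShell, which also lets you check it before trusting it. The following is an added example and not part of the Simplelists documentation: it loads the Simplelists signing certificate from a .cer file, refuses an expired certificate, prints the thumbprint so you can compare it with the value shown in the Simplelists Authentication Provider settings, and then stores it as the request signing certificate of the trust. The path C:\ADFS\simplelists-signing.cer and the display name "SimpleLists" are assumptions.

```powershell
# Added example (not from the Simplelists or Microsoft documentation):
# add the Simplelists signing certificate to the relying party trust with PowerShell.
Import-Module ADFS

$rpName   = "SimpleLists"                        # assumed Display Name of the relying party trust
$certPath = "C:\ADFS\simplelists-signing.cer"    # placeholder: signing certificate downloaded from Simplelists

$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Checks before trusting the certificate for signature verification.
if ($signingCert.NotAfter -lt (Get-Date)) {
    throw "Simplelists signing certificate expired on $($signingCert.NotAfter); download a current one."
}
if ($signingCert.NotBefore -gt (Get-Date)) {
    throw "Simplelists signing certificate is not valid until $($signingCert.NotBefore)."
}
Write-Host "Subject:    $($signingCert.Subject)"
Write-Host "Valid to:   $($signingCert.NotAfter)"
Write-Host "Thumbprint: $($signingCert.Thumbprint)  <- compare with the Simplelists settings page"

# Equivalent of Properties > Signature > Add in AD FS Management.
Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate $signingCert

# Optional hardening, not covered by this guide: if Simplelists signs its AuthnRequests,
# ADFS can reject unsigned ones. Leave this off until you have confirmed requests are signed.
# Set-AdfsRelyingPartyTrust -TargetName $rpName -SignedSamlRequestsRequired $true

# Confirm the certificate is now stored on the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).RequestSigningCertificate |
    Select-Object Subject, Thumbprint, NotAfter
```

Keeping the NotAfter value from the final line somewhere visible is worthwhile: once the Simplelists signing certificate rolls over, logins fail with a signature verification error in the ADFS admin event log, and this is the first thing to check.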

Testing Login

Shows Simplelists Main Page

  1. Access the simplelists page and click Login
     Shows Simplelists Login Page
  2. Enter your ADFS enabled email address and click submit.

If everything is correctly configured you will be presented with the ADFS login page.

Shows the ADFS Login Page

  1. Enter the email address that you have enabled for ADFS in simplelists
  2. Enter your password
  3. Click Sign In

Note: the ADFS page prompts for the user ID in the format "domain\user" or "user@domain" (this hint is shown after an incorrectly entered password).  The Transform Incoming Claim Rule that you created above only handles the email address format.  You can add another transform rule to support other formats, including domain\user, if you want to support them.