Single Sign-On with ADFS
Overview
This article describes configuring a self-hosted Active Directory Federation Services (ADFS) server to act as a SAML 2.0 identity provider (IDP) in your CodeScan account.
Prerequisites
To get started, you need the following items:
Administrator-level access to CodeScan and ADFS to configure SSO.
Enable Single Sign-On in CodeScan.
Instructions
Step 1: Enabling Single Sign-On in CodeScan
Before configuring SSO in ADFS, you must enable SSO in CodeScan.
In CodeScan, click on the Profile icon on the right corner of the screen and select your organization (under My Organizations).
Go to Administration > SAML Connections.
Click on Create Connection.
In the Connection name field, enter the identity provider name as you want to appear (use only Latin characters without spaces or any special characters). Example-CodeScan
Enter a valid domain name for the organization in the Corporate domain field that can be authenticated in the Identity Provider. This property cannot be updated after SAML Connection creation. Example-In the case of abc@autorabit.com, the corporate domain will be autorabit.com.
Keep the Enforce SSO checkbox unchecked for now. You can enable this option later when your domain has been confirmed. Once enabled, only SSO authentication will be allowed for email addresses of your corporate domain.
Point to Note:
Enforcing SSO affects both login and signup. Existing Auth0 users won't be able to log in.
Signup with an email domain the same as the corporate domain won't be allowed.
If the Enforce SSO checkbox is enabled prematurely, it will prohibit all users in their organization from accessing CodeScan. Consider enforcing SSO only after admins have logged in to CodeScan using SSO.
Keep the SAML Connection status checkbox as Enabled and click on the Create button.
You can see the Metadata URL generated for your SSO configuration. Copy the Metadata URL in a new browser tab to download the XML file on your local device.
Step 2: Setting up Single Sign-On using Active Directory with ADFS and SAML 2.0
2.1 Adding a Relying Party Trust
To set up the ADFS connection with CodeScan using a Relying Party Trust (RPT), follow the below steps:
Log in to the ADFS Server.
Go to Tools > AD FS Management to launch the ADFS Management Console.
Click on Add Relying Party Trust… from the Actions sidebar on the right.
On the Welcome screen, select the Claims aware option and click Start.
On the Select Data Source screen, select the second option: Import data about the relying party from a file.
Browse for the metadata XML file from your local computer and upload it in the Federation metadata file location.
On the next screen, enter a display name that you will recognize in the future.
On the next screen, leave the defaults.
On the Configure URL screen:
Select the checkbox labeled: Enable support for the SAML 2.0 WebSSO protocol .
In the Relying party SAML 2.0 SSO service URL , enter the service URL in the below format: {instance_url}/_codescan/saml2/metadata/{connection_id} For example: If your instance URL is https://app.codescan.io and the connection_id is CodeScan, your service URL would be https://app.codescan.io/_codescan/saml2/metadata/CodeScan
Where can I find my connection_id?
Your connection_id will be available in the Metadata URL generated inside CodeScan.
For example:
Metadata URL-https://app.codescan.io/_codescan/saml2/metadata/CodeScan Connection_Id-CodeScan
Click Next.
On the next screen, add a Relying party trust identifier . This should be the name of your SAML connection in CodeScan. In this case, it is CodeScan.
Click Add.
On the next screen, leave the defaults.
The wizard will display an overview of your settings on the next screen. Click Next.
On the final screen, keep the Configure claims issuance policy for this application checkbox selected, and click on the Close button to open the Claim Rules editor.
2.2 Creating Claim Rules
Once the Relying Party Trust exists, you can create the claim rules and update the Relying Party Trust with minor changes that the wizard does not set.
By default, the Claim Rules editor opens once you create the trust.
To create a new rule, click on Add Rule.
Select Send LDAP Attributes as Claims as the claim rule template.
On the next screen, give the claim rule a unique name.
Using Active Directory as your attribute store, enter the following details:
LDAP Attribute | Outgoing Claim Type |
E-Mail-Addresses | E-Mail Address |
Display-Name | Name |
User-Principal-Name | Name ID |
Click Finish to save the new rule and then OK again to finish creating rules.
Under ADFS Management Console , navigate to Service > Endpoints and find the metadata URL. Copy and paste the URL to open the XML file on your browser. Keep the tab open; you will need certain information from here to add to the CodeScan application.
To download the X509 Signing Certificate, navigate to Service > Certificates under the ADFS Management Console.
Export the Token-signing certificates from ADFS and add them to the CodeScan SAML configuration. When using the certificate exporting wizard, select Base-64 encoded X.509 (.CER) for the encoding format.
Open the exported file in a text editor to get the certificate value.
Step 3: Configuring in CodeScan SAML Connection
Now that your ADFS SSO implementation is set up, you must follow a few more steps to configure SSO in your CodeScan account.
In CodeScan, on the SAML page, go to Actions and click on Edit.
Go to the tab of your browser where you have kept the metadata XML certificate open.
In the Edit SAML Connection dialog box on CodeScan, enter the following values:
Provider Entity Id: Copy the entityID value from the ADFS Metadata XML file and paste it into Provider Entity Id inside CodeScan. The entity Id format would be in https://<ADFS_DOMAIN_NAME>/adfs/services/trust.
Sign In URL: Copy the SingleSignOnService Location value and paste it into the Sign-In URL inside CodeScan.
Open the Certificate (.CER) you downloaded from ADFS in your text editor, copy the entire content, and paste it into the X509 Signing Certificate field of the CodeScan SAML connection.
Set up the SAML attributes in CodeScan in accordance with the Active Directory attributes (refer to Section 2.2, Point 5):
Click Update on the CodeScan page.
The next step is to confirm your corporate domain to get the SSO working. You can confirm the domain by raising a request to CodeScan support at http://mailto:support@autorabit.com/.
Step 4: Testing the Single Sign-On Configuration
Log out of the CodeScan Console, and then log back in using the Log in with SAML2 option.
Enter the corporate domain name you have configured when enabling SSO inside CodeScan in the Your Company email field. For example - autorabit.com
You should now successfully redirect to the CodeScan Organization page after authentication.
Last updated