About SAML with ADFS
Integrate and enable ADFS with the Bitsight Single Sign-on (SSO) platform service using SAML.
Getting Started
- Claims Aware – When getting started with the Relying Party Trust Wizard, select claims aware.
- Display Name – Use service.bitsighttech.com
- Set permissions level – This option should be everyone, or whatever is required by your organization.
- Create Claim Rule – The integration requires a named claim rule. Select a rule that transforms the UPN to the outgoing claim type Name ID with the outgoing name ID format Email.
- Set Attributes – The attributes below include the UPN claim created earlier and the additional claim in URI format. (See the Basic SAML configuration table with name attributes).
Basic SAML configuration
- Enter the Identifier (Entity ID)
- Enter the Reply URL
Detail | Contents |
---|---|
Identifier (Entity ID) | https://service.bitsighttech.com/saml/metadata/GUID |
Reply URL (Assertion Consumer Service URL) | https://service.bitsighttech.com/saml/acs/GUID |
Sign on URL | https://service.bitsighttech.com/sso/{{vanityNAME}}/ |
User and Attribute Claims
When entering the user and attribute claims, you must remove the Microsoft predefined claim names and define them specifically for Bitsight. The steps and table below show exactly how these should be configured.
- The nameidentifier claim value should be user.mail; this claim can be left with the existing namespace.
- Remove the claim name for given name and replace it with urn:oid:2.5.4.3 mapped to user.givenname
- Remove the claim name for last name and replace it with urn:oid:2.5.4.4 mapped to user.surname
- Remove the claim name for mail and replace it with urn:oid:0.9.2342.19200300.100.1.3 mapped to user.mail
Claim Name | Value |
---|---|
urn:oid:2.5.4.3 | user.givenname |
urn:oid:2.5.4.4 | user.surname |
urn:oid:0.9.2342.19200300.100.1.3 | user.mail |
Optional Attributes (Not Required)
There are three additional attributes that can be specified; however, they are not required for this integration using ADFS. These items are optional only.
Full Name. This can be specified in place of the last name field if the user's name is not of the form, “Firstname Lastname.”
Name | Name Format | Value |
---|---|---|
urn:oid:2.16.840.1.113730.3.1.241 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Full Name |
User Role. This specifies the user's role in the Bitsight platform. This field is optional (in which case the user's role will be the standard user role, or left unchanged). Otherwise it must be one of the following strings.
Ensure the string values are an exact match, including the spaces.
- Customer User
- Customer Admin
- Customer Group Admin
- Customer Portfolio Manager
Name | Name Format | Value |
---|---|---|
urn:oid:1.3.6.1.4.1.50993.1.1.2 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Role |
User Group. This specifies the user's group. If the group does not already exist, it will be created (and will be empty initially). If this is not specified, then the customer's default group is used.
Name | Name Format | Value |
---|---|---|
urn:oid:1.3.6.1.4.1.50993.1.1.1 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Group |
Signature hash algorithm
The final step of the Bitsight ADFS implementation is to set the signature hash algorithm to SHA-1. In this step the secure hash algorithm is changed from SHA-256 (the default) to SHA-1.
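The wizard steps above (relying party trust, claim rules, attributes and the SHA-1 signature setting) as one PowerShell script. This is an added example, not Bitsight's or Microsoft's own code; it assumes the ADFS PowerShell module on the ADFS server, that GUID is replaced with your tenant value, and that the Active Directory attributes behind the claims are userPrincipalName, givenName, sn and mail.

```powershell
# Added example (not from the article): create the Bitsight relying party trust with PowerShell.
# Assumptions: run as an ADFS admin on the ADFS server; replace GUID with your tenant value;
# the AD attributes userPrincipalName, givenName, sn and mail back the required claims.
$identifier = "https://service.bitsighttech.com/saml/metadata/GUID"   # Identifier (Entity ID)
$replyUrl   = "https://service.bitsighttech.com/saml/acs/GUID"        # Reply URL (ACS)

# "Set Attributes": issue the UPN plus the three URN-named claims from Active Directory,
# then "Create Claim Rule": transform the UPN into Name ID with the email format.
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Bitsight user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "urn:oid:2.5.4.3", "urn:oid:2.5.4.4", "urn:oid:0.9.2342.19200300.100.1.3"), query = ";userPrincipalName,givenName,sn,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID (email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# "Set permissions level: everyone" expressed as an issuance authorization rule.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# The Reply URL becomes the SAML assertion consumer endpoint (HTTP POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $replyUrl

# Display Name, identifier, endpoint, rules, and the SHA-1 signature algorithm the article requires.
Add-AdfsRelyingPartyTrust -Name "service.bitsighttech.com" `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Check identifier, ACS endpoint and signature algorithm before downloading the federation metadata.
Get-AdfsRelyingPartyTrust -Name "service.bitsighttech.com" |
    Select-Object Name, Identifier, SignatureAlgorithm, @{ n = "ACS"; e = { $_.SamlEndpoints.Location } }
```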
Downloading and Uploading Metadata
Once you have configured and saved the steps above you can now download the metadata XML from ADFS and upload this to the Bitsight SAML self service portal.
- Select Download Federation Metadata XML from your ADFS portal, under the category SAML Signing Certificate.
- Select Load from URL in the SAML Metadata for your IdP section.
- Open the file downloaded in Step 1.
SAML Instructions
- After you've submitted your SAML metadata, you can enable SAML.
- New users are automatically assigned the “User” role. Have them log in to Bitsight using SAML first, and then edit their role to give them different privileges. See Edit Existing Users for instructions.
- When users are created using SAML, they are placed in the default access control group. Edit a user's group to move them to a different group. See Edit Existing Users for instructions.
- If you no longer want to use single sign-on, see Disabling SAML.
- February 23, 2021: Published.