About SAML with ADFS
Integrate and enable ADFS with the Bitsight Single Sign-on (SSO) platform service using SAML.
Getting Started
- Claims Aware – When getting started with the Relying trust Wizard select claims aware.
-
At Select Data Source – Import data about the relying party published online or on a local network or import from file using the Bitsight metadata. The Bitsight Metadata file is found in the SAML page [
Settings ➔ SAML]. Your unique SAML metadata file URL will look similar to
https://service.bitsighttech.com/saml/metadata/orhttps://service.bitsighttech.com/saml/<GUID>. To save this file, right click the link and select Save as. This will save the file to your local computer that you can use to upload into ADFS. -
Display Name – Use
service.bitsighttech.com - Set permissions level – This option should be everyone or what is required by your organizations.
- Create Claim Rule – The integration requires a claim rule name. Select to transform UPN to outgoing claim type Name ID and Outgoing name ID format Email.
- Set Attributes – The attributes below include the UPN claim created earlier and the additional claim in URI format. (See the Basic SAML configuration table with name attributes).
Basic SAML configuration
- Enter the identifier entity ID - Identifier (Entity ID) -
- Enter the Reply URL
- Enter the Sign on URL – [
| Detail | Contents |
|---|---|
| Identifier (Entity ID) | https://service.bitsighttech.com/saml/metadata/GUID |
| Reply URL (Assertion Consumer Service URL) | https://service.bitsighttech.com/saml/acs/GUID |
| Sign on URL | https://service.bitsighttech.com/sso/{{vanityNAME}}/ |
User and Attribute Claims
When entering the user an attribute claims, you must remove the Microsoft predefined claim names and define them specifically for Bitsight the steps and screenshots below demonstrate exactly how these should be and look.
- The nameidentifier value should be user.mail claim can be left with the existing name space
- Remove the claim name for given name and replace with urn.oid.2.5.4.3mapped to user.givenname
- Remove the claim name for las name and replace with urn.oid.2.5.4.4 mapped to user.surname
- Remove the claim name for mail and replace with urn:oid:0.9.2342.19200300.100.1.3 mapped to user.mail
| Claim Name | Value |
|---|---|
| urn:oid:2.5.4.3 | user.givenname |
| urn:oid:2.5.4.4 | user.surname |
| urn:oid:0.9.2342.19200300.100.1.3 | user.mail |
Optional Attributes (Not Required)
See additional SAML 2.0 attributes that can be specified (full name, user role, and user group). They are optional and not required for this integration.
Signature has algorithm
The final step to the Bitsight ADFS implementation is the set the hash to SHA-1 algorithm. In this step the Secure hash algorithm is changed from SHA256 (Default) to SHA -1.
Downloading and Uploading Metadata
Once you have configured and saved the steps above you can now download the metadata XML from ADFS and upload this to the Bitsight SAML self service portal.
- Select Download Federation Metadata XML from your ADFS portal Under the category SAML Signing Certificate.
- Go to the Bitsight app SAML page [
- Select Load from URL in the SAML Metadata for your IdP section.
- Open the file Downloaded from Step 1.
SAML Instructions
- After you've submitted your SAML metadata, you can enable SAML.
- New users are automatically assigned the “User” role. Have them log in to Bitsight using SAML first, and then edit their role to give them different privileges. See Edit Existing Users for instructions.
- When users are created using SAML, they are placed in the default access control group. Edit a user's group to move them to a different group. See Edit Existing Users for instructions.
- If you no longer want to use single sign-on, see Disabling SAML.
- February 23, 2021: Published.
Feedback
0 comments
Please sign in to leave a comment.