Pronestor supports single sign-on (SSO) logins through SAML 2.0 via Active Directory Services (ADFS). ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.
Once you have completed this guide, Pronestor has to do their part as described here (this guide is only visible for Pronestor employees)
To use ADFS to log in to your Pronestor instance, you need the following components:
- That all users are created in Pronestor Planner with the same login as your Active Directory. For example through a user import.
- An Active Directory instance where all users have an email address attribute and a User Principal name.
- A Pronestor Planner Cloud solution.
- A server running Microsoft Server 2012 or 2008. This guide uses screenshots from Server 2012R2, but similar steps should be possible on other versions.
- A SSL certificate to sign your ADFS login page and the fingerprint for that certificate.
After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article - http://msdn.microsoft.com/en-us/library/gg188612.aspx.
When you have a fully installed ADFS installation, note down the value for the 'SAML 2.0/W-Federation' URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be '/adfs/ls/'.
Step 1 - Adding a Relying Party Trust
At this point, you should be ready to set up the ADFS connection with your Pronestor instance. The connection between ADFS and Pronestor is defined using a Relying Party Trust (RPT).
- Select the Relying Party Trusts folder from AD FS Management
- Add a new Standard Relying Party Trust from the Actions sidebar.
This starts the configuration wizard for a new trust.
In the Welcome screen choose Claims aware
In the Select Data Source screen, select the last option, Enter Data About the Relying Party Manually.
On the next screen, enter a Display name that you'll recognize in the future, and any notes you want to make.
On the next screen, leave the certificate settings at their defaults.
On the next screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be https://customername.pronestor.com/Booking.NET/Login.mvc/Login, replacing customername with your Pronestor's subdomain. Note that there's no trailing slash at the end of the URL.
On the next screen, add a Relying party trust identifier of subdomain.pronestor.com, replacing subdomain with your Pronestor subdomain.
It's important that you don't use any capital letters.
Note: If you enter subdomain.pronestor.com, and receive a request failure error, you may need to enter your subdomain as https://subdomain.pronestor.com.
On the next screen, leave the Access Control Policy as it is.
On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor
Step 2 - Creating claim rules
Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard. By default, the claim rule editor opens once you created the trust. If you want to map additional values beyond authentication, refer to our documentation.
To create a new rule, click on Add Rule.
Create a Send LDAP Attributes as Claims rule.
On the next screen, using Active Directory as your attribute store, do the following:
1. From the LDAP Attributecolumn, select User-Principal-Name.
2. From the Outgoing Claim Type, select Name.
Please send Helpdesk@Pronestor.com the following information and ask us to enabled ADFS. Remember to have your users in Pronestor first, or you won't be able to log on afterwards.
It is critical that this information is exactly like what you entered into your system. If you typed https://customername.pronestor.com but send Pronestor https://customername.pronestor.com/ it won't work.
Customer values to be send to Pronestor
|ServiceProvider||Reference to Pronestor site||ex. https://customername.pronestor.com|
|PartnerIdentityProvider||Reference to customer's ADFS endpoint (see below on how to retrieve this information)||ex. http://ad.pronestor.dk/adfs/services/trust|
|SingleSignOnServiceUrl||SAML 2.0/W-Federation||ex. https://ad.pronestor.dk/adfs/ls|
|SingleLogoutServiceUrl||SAML 2.0/W-Federation||ex. https://ad.pronestor.dk/adfs/ls|
How to look up the PartnerIdentityProvider
- open ADFS management tool
- Right click Service
- Click Properties
- Copy the value in the "Federation Service Identifier" - which is your PartnerIdentityProvider name
How to find your SingleSignOnServiceUr and SingleLogoutServiceUrl
If you haven't changed your defaults, you can find out what your SingleSignOnServiceUr and SingleLogoutServiceUrl by takings your PartnerIdentityProvider and changing the ending. So if your PartnerIdentityProvider is http://ad.pronestor.dk/adfs/services/trust then your SingleSignOnServiceUr and SingleLogoutServiceUrl will be https://ad.pronestor.dk/adfs/ls
If you have change your defaults, then you can find what you changed them to under "Endpoints"