Pronestor supports single sign-on (SSO) logins through SAML 2.0 via Active Directory Services (ADFS). ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.
Once you have completed this guide, Pronestor has to do their part as described here (this guide is only visible for Pronestor employees)
This is what to expect when starting outlook with Pronestor Outlook Add-in when running a setup where SSO authentication is done via ADFS.
If you are logged in to the domain Here, it is assumed that you are logged in to the domain and can access the services that require you to be authenticated against your corp domain.
This will mean, among other things, that when you access the Pronestor Planner web, you will not be required, for example, domain user / password.
When you open Outlook for the first time - you are not authenticated against Pronestor. This means - that the Pronestor book buttons in an appointment are not there - but there will be a "login" - where you are clicked to log in for the first time.
If you are not logged in to Pronestor - this means that you will not have access to Pronestor functionality. If you are NOT logged in to the domain If you run with full exchange integration - then that part will still be able to intercept ordering of meeting rooms that have been invited, relocations, etc. - even if you have not activated Pronestor Outlook Add-in
To use ADFS to log in to your Pronestor instance, you need the following components:
- That all users are created in Pronestor Planner with the same login as your Active Directory. For example through a user import.
- An Active Directory instance where all users have an email address attribute and a User Principal name.
- A Pronestor Planner Cloud solution.
- A server running Microsoft Server 2012 or 2008. This guide uses screenshots from Server 2012R2, but similar steps should be possible on other versions.
- A SSL certificate to sign your ADFS login page and the fingerprint for that certificate.
After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article - http://msdn.microsoft.com/en-us/library/gg188612.aspx.
When you have a fully installed ADFS installation, note down the value for the 'SAML 2.0/W-Federation' URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be '/adfs/ls/'.
Step 1 - Adding a Relying Party Trust
At this point, you should be ready to set up the ADFS connection with your Pronestor instance. The connection between ADFS and Pronestor is defined using a Relying Party Trust (RPT).
- Select the Relying Party Trusts folder from AD FS Management
- Add a new Standard Relying Party Trust from the Actions sidebar.
This starts the configuration wizard for a new trust.
In the Welcome screen choose Claims aware
In the Select Data Source screen, select the last option, Enter Data About the Relying Party Manually.
On the next screen, enter a Display name that you'll recognize in the future, and any notes you want to make.
On the next screen, leave the certificate settings at their defaults.
On the next screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be https://customername.pronestor.com/Booking.NET/Login.mvc/Login, replacing customername with your Pronestor's subdomain. Note that there's no trailing slash at the end of the URL.
On the next screen, add a Relying party trust identifier of subdomain.pronestor.com, replacing subdomain with your Pronestor subdomain.
It's important that you don't use any capital letters.
Note: If you enter subdomain.pronestor.com, and receive a request failure error, you may need to enter your subdomain as https://subdomain.pronestor.com.
On the next screen, leave the Access Control Policy as it is.
On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor
Step 2 - Creating claim rules
Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard. By default, the claim rule editor opens once you created the trust. If you want to map additional values beyond authentication, refer to our documentation.
To create a new rule, click on Add Rule.
Create a Send LDAP Attributes as Claims rule.
On the next screen, using Active Directory as your attribute store, do the following:
1. From the LDAP Attributecolumn, select User-Principal-Name.
2. From the Outgoing Claim Type, select Name.
Please send Helpdesk@Pronestor.com the following information and ask us to enabled ADFS. Remember to have your users in Pronestor first, or you won't be able to log on afterwards.
It is critical that this information is exactly like what you entered into your system. If you typed https://customername.pronestor.com but send Pronestor https://customername.pronestor.com/ it won't work.
Customer values to be send to Pronestor
|ServiceProvider||Reference to Pronestor site||ex. https://customername.pronestor.com|
|PartnerIdentityProvider||Reference to customer's ADFS endpoint (see below on how to retrieve this information)||ex. http://ad.pronestor.dk/adfs/services/trust|
|SingleSignOnServiceUrl||SAML 2.0/W-Federation||ex. https://ad.pronestor.dk/adfs/ls|
|SingleLogoutServiceUrl||SAML 2.0/W-Federation||ex. https://ad.pronestor.dk/adfs/ls|
How to look up the PartnerIdentityProvider
- open ADFS management tool
- Right click Service
- Click Properties
- Copy the value in the "Federation Service Identifier" - which is your PartnerIdentityProvider name
How to find your SingleSignOnServiceUr and SingleLogoutServiceUrl
If you haven't changed your defaults, you can find out what your SingleSignOnServiceUr and SingleLogoutServiceUrl by takings your PartnerIdentityProvider and changing the ending. So if your PartnerIdentityProvider is http://ad.pronestor.dk/adfs/services/trust then your SingleSignOnServiceUr and SingleLogoutServiceUrl will be https://ad.pronestor.dk/adfs/ls
If you have change your defaults, then you can find what you changed them to under "Endpoints"
"You were authenticated successfully by your SSO-provider, but the response couldn't be validated by Pronestor. Please contact your system administrator"
- Make sure the "Relying party identifiers" is set correct (no ending slash - should be etc. "https://xyz.pronestor.com")
- Ask the customer to look into ADFS and list the exception received
For customers with onpremise version of Planner - the following settings must be added to the appsettings.config file (<siteroot>\configurations\appsettings.config)
"We do support adding a customer/partner certificate to the request coming from pronestor to the customer's ADFS.
The transport layer between Pronestor and customer is encrypted within the https protocol.
We don't currently support a required pronestor sign certificate for the request coming back from customer's ADFS."
Please sign in to leave a comment.