How to set up SSO for eloomi People with ADFS and SAML

This article guides you through the setup needed to achieve SSO in eloomi with SAML 2.0 logins and your corporation's ADFS.

Written by Zaheer Haral
Updated over a week ago

All the steps to set up SSO with ADFS and SAML are described below.

Important note:

  • Please be aware that eloomi does not support user provisioning through SSO. You will be able to use our open API (contract add-on) to create users and SSO for user login.

  • We do not support multiple SSO connections to the same platform.

Adding a Relying Party Trust

At this point you should be ready to set up the ADFS connection with your eloomi Platform. 

Step 1: Select the Relying Party Trusts folder from ADFS Management and add a new Standard Relying Party Trust from the Actions sidebar.

Step 2: Click Start and, as the data source, select Import data about the relying party published online or on a local network.

Step 3: In the Federation metadata address field enter:

https://<your_platform_name>.eloomi.com/saml2/metadata

Step 4: Finish the relying party-trust setup as your company requires

Creating Claim Rules
Once you have set up the relying party trust, the claim rules must be created or updated. The wizard for this usually opens as soon as the trust is created; if it does not, open it manually.

Now click the "Add rule" button, to create a new rule, and select Send LDAP Attributes as Claims

Give the claim rule a name, e.g. Email Rule
Select Active Directory as your attribute store.
In the LDAP Attribute column, select E-mail-Addresses
In the Outgoing Claim Type (Select or type to add more) column, select E-mail Address

Click OK and save the rule and now once again click the Add Rule button.
Now select Transform an Incoming claim in the Claim rule template dropdown and click Next

In the Incoming Claim Type dropdown, select E-mail Address
In the Outgoing claim type select Name ID
In the Outgoing name ID format select Email

Select the Pass through all claim values option and click OK to create the claim rule.

Click OK and OK again. Now, the set-up is done :)


Setup in eloomi

To set up single sign-on on the eloomi platform, you will need a user with administrative privileges.

Navigate to Admin > Settings and select the SSO settings

Fill in the details from your ADFS metadata file. In most cases it looks like this (remember to replace <your.adfs.com> with the actual domain of your ADFS service)

SSO Redirect Unauthorized Requests defines whether or not an initial load of https://yourplatform.eloomi.com should redirect directly to the SSO IdP (identity provider). If this is set to NO, you will have to navigate to https://yourplatform.eloomi.com/sso/log-in to initiate the SSO login.
If this is set to YES, you may circumvent the SSO login by navigating to https://yourplatform.eloomi.com/login

X509 certificate is your trust-certificate which you can also find in your ADFS metadata file. Please start the certificate with

-----BEGIN CERTIFICATE-----

and end it with

-----END CERTIFICATE-----
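
ADFS metadata stores certificates as bare base64 with no BEGIN/END lines, and it lists an encryption certificate alongside the signing one. The following added example (not eloomi's or Microsoft's code) extracts the signing certificate and wraps it as PEM; it assumes the certificate eloomi needs is the `use="signing"` one, and the function name, sample metadata and placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_cert_pem(metadata_xml):
    """Return (pem, sha256_hex) for the IdP signing certificate in SAML metadata."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Skip the encryption key; a KeyDescriptor without 'use' serves both purposes.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is None or not node.text:
            continue
        b64 = "".join(node.text.split())            # metadata may wrap or indent the value
        der = base64.b64decode(b64, validate=True)  # reject anything that is not base64
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        return pem, hashlib.sha256(der).hexdigest()
    raise ValueError("no signing certificate in IDPSSODescriptor")

# Constructed sample: placeholder bytes stand in for real DER certificates.
_ENC = base64.b64encode(b"constructed-encryption-cert" * 4).decode()
_SIG = base64.b64encode(b"constructed-signing-cert" * 4).decode()
SAMPLE = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://your.adfs.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_ENC}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_SIG[:40]}
        {_SIG[40:]}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    pem, fingerprint = signing_cert_pem(SAMPLE)
    print(pem)
    print("SHA-256 of DER:", fingerprint)
```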

When done filling in the details, save the settings.

Testing

Testing the SSO login can be achieved by navigating to: https://yourplatform.eloomi.com/sso/log-in 

Important Note:

Please make sure Activation Method from platform admin > settings > company details is set to "Instant".

For technical support on SSO configuration or errors, please raise a ticket at helpdesk.eloomi.com, including the error message, a screenshot and the steps taken before the challenge arose.
