All the steps to set up SSO with ADFS and SAML are described below.
Adding a Relying Party Trust
At this point you should be ready to set up the ADFS connection with your eloomi platform.
Step 1: In ADFS Management, select the Relying Party Trusts folder and, from the Actions sidebar, add a new Standard Relying Party Trust.
Step 2: Click Start and, under data source, select Import data about the relying party published online or on a local network.
Step 3: In the Federation metadata address field enter: https://<your_platform_name>.eloomi.com/saml2/metadata
Step 4: Finish the relying party trust setup as your company requires.
Creating Claim Rules
When you have set up the relying party trust, claim rules must be created or updated. The wizard for this usually opens once the trust is created; if it does not, open it manually.
Click the Add Rule button to create a new rule, and select Send LDAP Attributes as Claims.
Give the claim rule a name, e.g. Email Rule.
Select Active Directory as your attribute store.
In the LDAP Attribute column, select E-mail-Addresses.
In the Outgoing Claim Type (Select or type to add more) column, select E-mail Address.
Click OK to save the rule, then click the Add Rule button once again.
Select Transform an Incoming Claim in the Claim rule template dropdown and click Next.
In the Incoming Claim Type dropdown, select E-mail Address.
In the Outgoing claim type dropdown, select Name ID.
In the Outgoing name ID format dropdown, select Email.
Check Pass through all claim values and click OK to create the claim rule.
Click OK and OK again. Now the set-up is done :)
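The two rules above should make ADFS issue an E-mail Address claim and a NameID in the Email format carrying the same value. The script below is an added example, not part of the original article or of eloomi's or Microsoft's code: it reads a decoded SAML assertion (for example one captured with a browser SAML tracer after a test login) and reports whether those claims came out as configured. The assertion embedded in it is constructed, with placeholder issuer and user, and the script does not verify the assertion's signature; it is a configuration sanity check only.

```python
"""Sanity-check a decoded SAML assertion from ADFS against what the two claim
rules are meant to produce: an E-mail Address claim, and a NameID in the Email
format that carries the same value. Standard library only."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed assertion fragment (signature, conditions and timestamps omitted);
# the issuer and the user are placeholders, not data from any real deployment.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <Issuer>http://your.adfs.com/adfs/services/trust</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</NameID>
  </Subject>
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue>jane.doe@example.com</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""


def check_claims(assertion_xml: str) -> dict:
    """Return the NameID, the e-mail claim values and a list of configuration problems."""
    root = ET.fromstring(assertion_xml)
    # Accept either a bare Assertion or a whole Response wrapping one.
    if root.tag != "{%s}Assertion" % NS["saml"]:
        root = root.find(".//saml:Assertion", NS)
        if root is None:
            raise ValueError("no SAML 2.0 Assertion found in the document")

    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    emails = attrs.get(EMAIL_CLAIM, [])

    problems = []
    if name_id is None:
        problems.append("no NameID: the Transform an Incoming Claim rule did not fire")
    elif name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append("NameID format is %r, expected Email" % name_id.get("Format"))
    if not emails:
        # ADFS issues no claim at all when the user's E-mail-Addresses attribute is empty.
        problems.append("E-mail Address claim missing: check the LDAP rule and the user's mail attribute")
    elif len(emails) > 1:
        problems.append("more than one e-mail value; user matching may be ambiguous")
    if name_id is not None and emails and name_id.text != emails[0]:
        problems.append("NameID and e-mail claim differ; the transform rule is not fed by the e-mail claim")

    return {
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "email_claims": emails,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    result = check_claims(SAMPLE_ASSERTION)
    print("OK" if result["ok"] else "PROBLEMS:", result["problems"])
    print("NameID:", result["name_id"], "format:", result["name_id_format"])
```

Run it against the assertion from a real test login (paste the decoded XML into SAMPLE_ASSERTION or read it from a file); an empty email_claims list with an otherwise correct NameID usually means the test account has no E-mail-Addresses value in Active Directory rather than a broken rule.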
Setup in eloomi
To set up Single Sign-on on the eloomi platform, you will need a user with administrative privileges.
Navigate to Admin > Settings and select the SSO settings.
Fill out the details specified in your ADFS metadata file; in most cases they look like this (remember to replace <your.adfs.com> with the actual domain of your ADFS service):
SSO Login Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
SSO Redirect Unauthorized Requests defines whether an initial load of https://yourplatform.eloomi.com should redirect directly to the SSO IdP (Identity Provider). If this is set to NO, you will have to navigate to https://yourplatform.eloomi.com/sso/log-in to initiate the SSO login.
If this is set to YES, you can still bypass the SSO login by navigating to https://yourplatform.eloomi.com/login
X509 certificate is your trust certificate, which you can also find in your ADFS metadata file. Please start the certificate with
and end it with
When you have filled in the details, save the settings.
You can test the SSO login by navigating to: https://yourplatform.eloomi.com/sso/log-in
Please make sure Activation Method under platform admin > settings > company details is set to "Instant".
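The values the SSO settings ask for all come out of the ADFS federation metadata document (FederationMetadata.xml, served by the ADFS server). The script below is an added example, not part of the original article or of eloomi's or Microsoft's code: it pulls the IdP entity ID, the SAML 2.0 SSO endpoint and the token-signing certificate out of that document and re-wraps the certificate as PEM with the BEGIN/END lines the X509 certificate field expects. The metadata embedded in it is a constructed, cut-down copy with placeholder bytes in place of real certificates, and the domain your.adfs.com stands in for the article's <your.adfs.com> placeholder. It deliberately picks the signing certificate and not the encryption one, since only the signing certificate can verify the assertions ADFS sends.

```python
"""Extract the IdP values an SP needs from an ADFS federation metadata
document and wrap the token-signing certificate as PEM. Standard library only."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder bytes standing in for the DER-encoded signing and
# encryption certificates; they are not real certificates.
SAMPLE_SIGNING_DER = b"constructed placeholder DER for the ADFS token-signing cert" * 3
SAMPLE_ENCRYPTION_DER = b"constructed placeholder DER for the ADFS encryption cert"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed, cut-down FederationMetadata.xml with just the parts this script reads.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://your.adfs.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(SAMPLE_ENCRYPTION_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(SAMPLE_SIGNING_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your.adfs.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your.adfs.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate: BEGIN/END lines around 64-column base64."""
    body = textwrap.wrap(_b64(der), 64)
    return "\n".join(["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----"])


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to confirm the wrapped certificate round-trips."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate block")
    return base64.b64decode("".join(lines[1:-1]))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, to compare against what ADFS Management shows."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_idp_config(metadata_xml: str) -> dict:
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not SAML 2.0 IdP metadata")
    # Only the signing certificate belongs in the X509 field; a KeyDescriptor
    # without a 'use' attribute is valid for both signing and encryption.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")]
    if not signing:
        raise ValueError("no signing KeyDescriptor in metadata")
    b64 = signing[0].find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    der = base64.b64decode("".join(b64.split()))  # metadata often line-wraps the base64
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT_BINDING]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso[0],
        "cert_pem": der_to_pem(der),
        "cert_sha256": sha256_fingerprint(der),
        "signing_certs_in_metadata": len(signing),
    }


if __name__ == "__main__":
    for key, value in extract_idp_config(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

If signing_certs_in_metadata is greater than one, ADFS is in the middle of a token-signing certificate rollover and publishes both certificates; the script returns the first one listed, so compare the fingerprint against the primary certificate shown in ADFS Management before pasting it, and plan to update the field again once the rollover completes.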