Hubble - Configure Single Sign-on with AD FS Idp

Steps to be taken to configure Single Sign-on with AD FS Identity provider.
 
Note:
  • This setup might fail without parameter values that are customized for your organization. Use Microsoft AD FS to add a Relying Party with the values that are specific to your organization.
  • AD FS only supports Relying Party Trusts that use SSL encryption. This means your Hubble URL must begin with HTTPS.

Configuration Steps

Supported Features

The AD FS/Hubble SAML integration currently supports the SP-initiated SSO integration only.

AD FS Steps

  1. Download the AD FS Token-decrypting certificate.
  2. Save the certificate into the Insight\YellowBoxWeb\Config folder on the Hubble Web Servers, e.g. C:\Insight\YellowBoxWeb\Config\ADFS.cer
  3. In the AD FS control panel select the Relying Party Trusts section and select Add Relying Party Trust
    1. Select Claims aware and click Start
    2. Select Enter data about the relying party manually and click Next
    3. Enter a Display name and any Notes you require
    4. Click Next on the Configure Certificate section. This can be configured but is not required; see the Configure Relying Party Certificate section for more information.
  4. Select the Enable support for the SAML 2.0 WebSSO protocol option
    1. Enter the Relying Party SAML 2.0 SSO service URL, based on the Assertion Consumer Service URL provided in the Hubble sso_config, e.g. https://hubble.com:7001/ExternalLogin/AssertionConsumerService
    2. Click Next
  5. Add the Relying party trust identifier. This is based on the Service Name entered in the Hubble sso_config, e.g. http://SecurityTokenService
  6. Select the appropriate access control policy and click Next
  7. Click Next again
  8. Click Close, leaving the default option to configure the claims issuance policy for this application selected
  9. Select Add Rule
  10. Select Send LDAP Attributes as Claims and click Next
  11. Create the following rule
    1. Claim rule name, e.g. Email Attribute
    2. Attribute store: Active Directory
    3. Mapping of LDAP attributes to outgoing claim types
      1. LDAP Attribute: E-Mail-Addresses
      2. Outgoing Claim Type: E-mail Address
    4. Click Finish
  12. Configure Hubble (see the next section)
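The AD FS steps above can also be performed from PowerShell on the AD FS server, which makes the resulting trust repeatable and reviewable. The following script is an added example and is not part of this article or of the Hubble product; it uses the ADFS PowerShell module cmdlets (Get-AdfsCertificate, New-AdfsSamlEndpoint, Add-AdfsRelyingPartyTrust). The display name "Hubble", the export path C:\Temp\ADFS.cer and the built-in "Permit everyone" access control policy are assumptions; the identifier and Assertion Consumer Service URL are the article's examples and must be replaced with your organization's values.

```powershell
# Added example (not from the Hubble article): the AD FS Relying Party Trust steps above,
# run from an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$displayName = 'Hubble'                                                          # assumed display name
$identifier  = 'http://SecurityTokenService'                                     # Service Name from sso_config
$acsUrl      = 'https://hubble.com:7001/ExternalLogin/AssertionConsumerService'  # article's example URL
$certOut     = 'C:\Temp\ADFS.cer'                                                # assumed export path

# Steps 1-2: export the primary Token-decrypting certificate (public part only, DER encoded)
# so it can be copied to C:\Insight\YellowBoxWeb\Config\ADFS.cer on the Hubble Web Servers.
$decryptCert = (Get-AdfsCertificate -CertificateType Token-Decrypting |
                Where-Object { $_.IsPrimary }).Certificate
[System.IO.File]::WriteAllBytes($certOut,
    $decryptCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# AD FS refuses a non-HTTPS Assertion Consumer Service URL, so fail early rather than at the wizard.
if (-not $acsUrl.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Assertion Consumer Service URL must use HTTPS: $acsUrl"
}

# Steps 4-5: SAML 2.0 WebSSO endpoint (POST binding) and relying party identifier.
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

# Step 11: the same "Send LDAP Attributes as Claims" rule the wizard generates
# (E-Mail-Addresses -> E-mail Address), written in AD FS claim rule language.
$emailRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Steps 3-8: create the trust. "Permit everyone" is the built-in policy; choose a narrower,
# group-based policy if only some users should be able to reach Hubble.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -SamlEndpoint $samlEndpoint `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $emailRule

# Review what was created before moving on to the Hubble configuration.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, Enabled, AccessControlPolicyName,
                  @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } }
```

Keeping the claim rule and trust definition in a script means a later change (for example a second claim or a tightened access control policy) shows up as a diff rather than as an undocumented click in the console.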

Hubble Configuration Steps

These instructions need to be completed on each Hubble Web Server.

  1. Run sso_config.ps1 from PowerShell. This file is located on the Web Server, e.g. C:\Insight\sso_config.ps1
  2. Assuming you use the default configuration, answer the prompts with the following settings, or adjust them for your configuration:
    1. ConfigFile: C:\insight\YellowBoxWeb\Config\ssoconfig.json
    2. YbconfigFile: C:\insight\YellowBoxWeb\Config\YellowBox.config
    3. Edit logging Configuration? Hit Enter to accept n
    4. Allowed Hosts: Hit Enter to accept *
    5. Service Name: http://SecurityTokenService
    6. Service description: Hit Enter to accept the default
    7. Assertion Consumer Service URL: Hit Enter to accept the default, e.g. https://hubble.com:7001/ExternalLogin/AssertionConsumerService
      1. Note: AD FS requires the URL to start with HTTPS. If it doesn't, contact your IT team to add an SSL certificate to the Web Servers.
    8. Partner Name: http://mycompany.domain/adfs/services/trust (change mycompany.domain to your AD FS domain)
    9. Partner Description: Hit Enter to accept the default or enter a description
    10. Partner SSO Service Url: https://mycompany.domain/adfs/ls/ (change mycompany.domain to your AD FS domain)
    11. Certificate Path: Enter C:\Insight\YellowBoxWeb\Config
    12. Partner Name: http://mycompany.domain/adfs/services/trust (change mycompany.domain to your AD FS domain; this must match the Partner Name entered in step 8)
  3. The SecurityTokenServiceEnabled feature has been introduced to enable token-based authentication for services integrated with Single Sign-On (SSO). To configure this, add or update the following keys in "C:\Insight\YellowBoxWeb\Config\YellowBox.config":

    <!-- Security Token Service -->
    <add key="SecurityTokenServiceUrl" value="" />
    <add key="SecurityTokenServiceEnabled" value="true" />

    Set SecurityTokenServiceUrl to the URL obtained in step 1. After making these changes, restart the Hubble web service in IIS.
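Because the script is interactive, a typo in one prompt is easy to miss until the first login fails. The following check is an added example (not part of this article or of sso_config.ps1) to run on each Hubble Web Server after the steps above. It uses the article's default file paths and the ADFS.cer example name; the only ssoconfig.json property it reads, "AssertionConsumerServiceUrl", is the one the article names later, and the expiry warning threshold of 30 days is an assumption.

```powershell
# Added example (not from the Hubble article): post-configuration checks for one Hubble Web Server.
$ssoConfig = 'C:\Insight\YellowBoxWeb\Config\ssoconfig.json'   # article default
$ybConfig  = 'C:\Insight\YellowBoxWeb\Config\YellowBox.config'  # article default
$idpCert   = 'C:\Insight\YellowBoxWeb\Config\ADFS.cer'          # article's example file name
$problems  = @()
$sso       = $null

# 1. ssoconfig.json must parse and advertise an HTTPS Assertion Consumer Service URL,
#    otherwise AD FS will not accept the Relying Party Trust.
try {
    $sso = Get-Content -Raw -Path $ssoConfig | ConvertFrom-Json
} catch {
    $problems += "ssoconfig.json is not valid JSON: $($_.Exception.Message)"
}
if ($sso) {
    $acs = $sso.AssertionConsumerServiceUrl
    if ([string]::IsNullOrWhiteSpace($acs)) {
        $problems += 'AssertionConsumerServiceUrl is missing from ssoconfig.json'
    } elseif ($acs -notmatch '^https://') {
        $problems += "AssertionConsumerServiceUrl is not HTTPS: $acs"
    }
}

# 2. The AD FS certificate saved in the Config folder must exist, parse, and still be valid.
#    AD FS rolls its certificates over automatically, so an expiring file means SSO will
#    stop working unless ADFS.cer is refreshed.
if (-not (Test-Path $idpCert)) {
    $problems += "AD FS certificate not found at $idpCert"
} else {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($idpCert)
    $now  = Get-Date
    if ($now -gt $cert.NotAfter) {
        $problems += "AD FS certificate expired on $($cert.NotAfter); re-export it from AD FS"
    } elseif ($now.AddDays(30) -gt $cert.NotAfter) {   # 30-day warning window is an assumption
        Write-Warning "AD FS certificate expires on $($cert.NotAfter); refresh ADFS.cer before then"
    }
}

# 3. YellowBox.config must carry both Security Token Service keys, with a non-empty URL when enabled.
[xml]$yb = Get-Content -Raw -Path $ybConfig
$keys = @{}
foreach ($add in $yb.SelectNodes('//add[@key]')) { $keys[$add.key] = $add.value }
if (-not $keys.ContainsKey('SecurityTokenServiceEnabled')) {
    $problems += 'SecurityTokenServiceEnabled key missing from YellowBox.config'
} elseif ($keys['SecurityTokenServiceEnabled'] -eq 'true' -and
          [string]::IsNullOrWhiteSpace($keys['SecurityTokenServiceUrl'])) {
    $problems += 'SecurityTokenServiceEnabled is true but SecurityTokenServiceUrl is empty'
}

if ($problems) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1
}
Write-Host 'Hubble SSO configuration checks passed'
```

Run it once per Web Server after sso_config.ps1 and again whenever the AD FS certificate is re-exported; a non-zero exit code makes it usable from a deployment pipeline or a scheduled job.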

Configure Relying Party Certificate (Optional)

An organization may choose to encrypt the Relying Party traffic. This is achieved by adding the private key to the web server and the public key to AD FS, as shown in the following steps:

Hubble

  1. Add your pfx certificate to C:\Insight\YellowBoxWeb\Config
  2. Edit C:\Insight\YellowBoxWeb\Config\ssoconfig.json in a text editor and add the following certificate details after the "AssertionConsumerServiceUrl" line, changing the file name and password to your own:

    ,"LocalCertificates": [
      {
        "FileName": "C:\\Insight\\YellowBoxWeb\\Config\\LocalPrivateKEY.pfx",
        "Password": "password"
      }
    ]

  3. Restart the securitytokenservice and insightybservice services and recycle the IIS pool. This can be done by re-running the sso_config.ps1 script.

AD FS: add Relying Party Certificate

  1. Select the Encryption tab on the Relying Party Trust within AD FS and choose the .cer file that matches the private key you added to Hubble.
  2. Add the same file on the Signature tab.
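Two things go wrong in practice with this optional step: the .cer handed to AD FS is not the public half of the .pfx on the web server, or the .pfx is copied to the AD FS server along with it. The following added example (not part of this article or of the Hubble product) verifies the pair by thumbprint on the Hubble Web Server, exports only the public certificate if no .cer exists yet, and then applies the Encryption and Signature tab settings on the AD FS server with Set-AdfsRelyingPartyTrust. The .cer file name and the trust name "Hubble" are assumptions; the .pfx name is the article's example, and the password is read at the prompt rather than written into the script.

```powershell
# Added example (not from the Hubble article): verify the .pfx/.cer pair, then register the
# public certificate on the AD FS Relying Party Trust.
$pfxPath   = 'C:\Insight\YellowBoxWeb\Config\LocalPrivateKEY.pfx'   # article's example name
$cerPath   = 'C:\Insight\YellowBoxWeb\Config\LocalPrivateKEY.cer'   # assumed public-key export
$trustName = 'Hubble'                                                # assumed display name

# Part 1 (Hubble Web Server): confirm the pair belongs together before the .cer goes anywhere.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfxPath, $pfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
if (-not $pfx.HasPrivateKey) { throw "$pfxPath does not contain a private key" }

if (-not (Test-Path $cerPath)) {
    # No .cer yet: export the certificate only (Cert content type carries no private key).
    [System.IO.File]::WriteAllBytes($cerPath,
        $pfx.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
}
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($cer.Thumbprint -ne $pfx.Thumbprint) {
    throw "Thumbprint mismatch: $cerPath ($($cer.Thumbprint)) is not the public half of $pfxPath ($($pfx.Thumbprint))"
}
Write-Host "Certificate pair verified: thumbprint $($pfx.Thumbprint), valid until $($pfx.NotAfter)"

# Part 2 (AD FS server, after copying only the .cer there): the Encryption and Signature tabs.
Import-Module ADFS
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -EncryptionCertificate $cer `
    -RequestSigningCertificate $cer

# Confirm the trust now carries the expected thumbprint on both tabs.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name,
        @{ n = 'EncryptionThumbprint'; e = { $_.EncryptionCertificate.Thumbprint } },
        @{ n = 'SigningThumbprints';   e = { $_.RequestSigningCertificate.Thumbprint } }
```

Because ssoconfig.json stores the .pfx password in clear text, restrict the NTFS permissions on the Config folder to the service accounts that run the Hubble services and IIS pool, and treat the .pfx itself as a secret that never leaves the Web Servers.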

 

Article 000006025 (Configure-Single-Sign-on-with-AD-FS-Idp), Language: English, Status: Published.
Created 1/6/2020 2:29 PM; last modified 12/13/2024 11:54 AM by Neha Verma; first published 1/6/2020 3:19 PM; last published 12/13/2024 11:54 AM.