
  • SP-SSO-XXX-IG-201901--R001.93

    Single Sign-On with Sage People and Microsoft Active Directory Federation Services 2.0 Version 1.93

  • © Sage 2019 2

    © Sage 2019. All rights reserved.

    This document contains information proprietary to Sage and may not be reproduced, disclosed, or used in whole or in part without the written permission of Sage.

    Software, including but not limited to the code, user interface, structure, sequence, and organization, and documentation are protected by national copyright laws and international treaty provisions. This document is subject to U.S. and other national export regulations.

    Sage takes care to ensure that the information in this document is accurate, but Sage does not guarantee the accuracy of the information or that use of the information will ensure correct and faultless operation of the service to which it relates. Sage, its agents and employees, shall not be held liable to or through any user for any loss or damage whatsoever resulting from reliance on the information contained in this document.

    Nothing in this document alters the legal obligations, responsibilities or relationship between you and Sage as set out in the contract existing between us.

    This document may contain screenshots captured from a standard Sage system populated with fictional characters and using licensed personal images. Any resemblance to real people is coincidental and unintended.

    All trademarks and service marks mentioned in this document belong to their corresponding owners.


    Contents

    Background 4

    Prerequisites 5

    Overview 6

Procedure 7

Installation 8

Configuration 9

Sage People Configuration 9

AD FS 2.0 Configuration 14

SP-Initiated Login 15

Testing 16

Logging in to Sage People Using Single Sign-On 17

Setting Up Chrome for Single Sign-On 18

Setting Up Firefox for Single Sign-On 23

Setting Up Internet Explorer for Single Sign-On 25

References and more information 29

Troubleshooting 30

Internet Information Services 31

Active Directory Federation Services 32

Service Provider Initiated Login 35

Appendix: Browser handling of SAML requests 36

Step 1 37

Step 2 39

Step 3 42

Background

Authentication for multiple cloud-based services is greatly simplified by using single sign-on (SSO) technologies. SSO enables users to log in at a single location and access a range of services without re-authenticating.

    Since its release in 2005, the Security Assertion Markup Language (SAML) version 2.0 has established itself as the dominant standard for cross-domain web single sign-on in the enterprise space, with salesforce.com introducing support in the Winter '09 release (October 2008) and Microsoft in Active Directory Federation Services (AD FS) version 2.0 in May 2010.

    You can now configure a seamless single sign-on from a Microsoft environment to Sage People without a third-party federation product.

    Sage People supports use of Okta Cloud Connect for Salesforce.com, a solution that offers AD integration and single sign-on authentication for Salesforce users.

    If you are already using Okta, Sage People Support can help with configuration settings to ensure seamless operation.

    For more information about Okta Cloud Connect for Salesforce.com, go to https://www.okta.com/

Prerequisites

You will need:

• Microsoft Windows Server 2008 R2 Enterprise or Datacenter edition, NOT Standard edition. If you are configuring this environment for an evaluation, you can download a 180 day trial version here: http://www.microsoft.com/en-us/download/details.aspx?id=11093

• Microsoft Active Directory Federation Services (AD FS) 2.0. Windows Server 2008 R2 includes AD FS 1.0, which does not support SAML 2.0. If you have AD FS 1.0, download and install the AD FS 2.0 RTW (release to web) package. AD FS 2.0 is managed through a Microsoft Management Console (MMC) snap-in and a PowerShell snap-in (Microsoft.Adfs.PowerShell).

• Microsoft Update Rollup 3 for AD FS 2.0, available to download from Microsoft here: http://support.microsoft.com/kb/2790338. Update Rollup 3 includes fixes for known issues and, with the accompanying database script, allows more than one relying party trust (for example several Sage People orgs) to present the same request-signing certificate. After installing the rollup make sure you download and execute the RelaxedRequestSigningCertsv2.sql script as documented in the Knowledge Base article.

    • A Sage People environment, commonly known as an org.

    The procedures described in this guide are effective but take time to complete, test and validate. You must allow enough time before attempting to use Sage People with single sign-on in a full production environment.

    We strongly recommend scheduling the project to complete the process as far as successful login at least four weeks before go-live. This allows enough time:

    • To resolve support issues.

    • For adequate testing.

    • To synchronize data with Sage People.

Overview

SAML 2.0 defines several roles for parties involved in single sign-on. The two that matter here are the identity provider and the service provider.

The user authenticates (logs in) to the identity provider (IdP); in our case, this is AD FS 2.0. The user can then access a resource at one or more service providers (SP, known in AD FS as relying parties) without needing to log in at each service provider.

    The process for an IdP-initiated login into Sage People is simplified as:

    1. The user authenticates to the AD FS server using Integrated Windows Authentication (Kerberos tokens over HTTP) and requests login to Sage People

    2. AD FS returns a SAML assertion to the user’s browser

    3. The browser automatically submits the assertion to Sage People, which logs the user in.

    For SP-initiated login, go to SP-Initiated Login (see page 15).

Procedure

Points in the procedure where additional information is available are cross-referenced to Troubleshooting (see page 30).

    Installation

    1. Install Windows Server 2008 R2 Enterprise or Datacenter edition, NOT Standard edition.

If you are re-installing Windows Server 2008 R2, make sure that the environment is clean. Traces of previous AD FS installations, such as an existing adfs directory or configuration database, will stop a successful re-installation (see ADFS002 in Troubleshooting).

    If you are running an Active Directory forest with domain controllers running on earlier functional levels, to ensure compatibility leave the Windows Server 2008-based domain controller at its default level. The 2008 domain controller then runs at the lowest functional level that is possible in your environment. After the domain functional level is raised, domain controllers running earlier operating systems cannot operate in the domain.

    2. Create a friendly DNS name for AD FS and point it to your adfs server. In this article, we'll use adfs.sagepeopledev.com.

    Typically, this is the CNAME for your adfs server. If you want to use a different name, attach another IP address to the server and create a DNS A record to map the hostname to this IP address to avoid server authentication errors.

    3. Download and install the AD FS 2.0 server role. This automatically installs other pre-requisite Windows components including IIS.

4. In the IIS manager create an SSL certificate for your friendly DNS name with a 2048-bit key. Do not create the certificate as self-signed: browsers must be able to chain it to a trusted Certificate Authority, and Firefox in particular warns on every visit otherwise (see Setting Up Firefox for Single Sign-On).

5. On the client machine, install:

o The SSL certificate

o The Certificate Authority’s root certificate

    6. Run through the AD FS Server configuration wizard:

    a. Create a new Federation Service

    b. Select Stand-alone Federation Server

    c. Select the certificate that you created for your friendly DNS name

    7. Add the friendly DNS name for the AD FS server to the client machine as a local intranet website through Control Panel > Internet Options > Security. Use the form https://adfs.sagepeopledev.com.

Configuration

To build a federation between two parties you must establish a trust relationship by exchanging metadata. Manually enter the metadata for the AD FS 2.0 instance into the Sage People configuration. Sage People metadata is downloaded as an XML file which AD FS 2.0 can consume.

Sage People Configuration

You must configure:

    • The domain (see page 9).

    • SAML 2.0 setup (see page 10).

    You can also configure your login page to select an authentication service as an identity provider (see page 13).

Configure My Domain

The Sage People My Domain (https://login.salesforce.com/help/doc/en/domain_name_overview.htm) feature enables you to select a custom domain name for your application. A My Domain URL looks like https://customer.my.salesforce.com/ for a production org, or https://customer-developer-edition.my.salesforce.com/ for a Developer Edition. You cannot configure My Domain for a Sage People trial org; to test, you must use a live production org or a Force.com development org.

    A benefit of configuring My Domain is that it enables support for SP-initiated single sign-on, improving the user experience, and allowing users to access 'deep links' into their environment via SSO.

Configure My Domain in Setup > Company Profile > My Domain. You need to complete the process of configuring, testing and deploying My Domain (https://login.salesforce.com/help/doc/en/domain_name_setup.htm) for SP-initiated SSO to work correctly.

Configure SAML 2.0

1. In the AD FS 2.0 MMC snap-in, select the Certificates node and double-click the token-signing certificate to view it:

    2. Click the Details tab

    3. Click Copy to File

    4. Save the certificate in DER format.

    5. On the AD FS server find and record your Federation Metadata URL:

    a. Open the AD FS MMC

    b. Select Service > Endpoints > Metadata > Type:Federation Metadata:

    6. Open the Federation Metadata file:

o In a browser address bar enter the Federation Metadata URL you recorded in step 5. For the example host name this is https://adfs.sagepeopledev.com/FederationMetadata/2007-06/FederationMetadata.xml, the default AD FS path.

7. In the Federation Metadata file find the EntityDescriptor element and record the value of its entityID attribute:

    8. In Sage People, go to Setup > Administration Setup > Security Controls > Single Sign-On Settings

    9. Click Edit

    Sage People displays the Single Sign-On Settings page.

    10. Check SAML Enabled:

    11. Click Save.

    Sage People displays the Single Sign-On Settings page with the SAML Single Sign-On Settings related list.

    12. Click New:

Sage People displays the SAML Single Sign-On Setting Edit page.

13. Complete the fields as follows:

Name: A name for this service. For example Sage People SSO.

API Name: Automatically created by Sage People based on Name.

SAML Version: 2.0. Not editable.

User Provisioning Enabled: Not checked.

Issuer: Enter the attribute labeled entityID displayed in your Federation Metadata. Issuer is case sensitive and must match the saml:Issuer element of the assertions AD FS sends exactly.

Entity ID: The first part of the URL of your Sage People org, up to and including the ...cloudforce.com. After configuring My Domain, log in to Sage People and capture your Entity ID from the address bar. Confusingly, this is not the attribute labeled entityID displayed in your Federation Metadata; that value goes in Issuer.

Identity Provider Certificate: Browse and select the token-signing certificate you exported earlier. Sage People uses it to verify the signature on each assertion, so it must be the token-signing certificate, not the service communications (SSL) certificate. AD FS 2.0 renews the token-signing certificate automatically (auto certificate rollover is on by default); when it does, upload the new certificate here or every SSO login will fail.

Signing Certificate: Default Certificate.

Assertion Decryption Certificate: Assertion not encrypted.

SAML Identity Type: Assertion contains the Federation ID from the User object.

SAML Identity Location: Identity is in the NameIdentifier element of the Subject statement.

Identity Provider Login URL: The URL of your AD FS SAML endpoint, to which Sage People sends SAML requests for SP-initiated login. You can find the URL in the AD FS MMC at Endpoints > Token Issuance > Type: SAML 2.0/WS-Federation. In the example: https://adfs.sagepeopledev.com/adfs/ls/ Note that the Identity Provider Login URL field is case sensitive.

Identity Provider Logout URL: Enter a URL to which the user will be sent after they log out. For example: http://intranet.mycompany.com/ This is a plain redirect, not SAML single logout: the user’s AD FS and Windows sessions stay active, so a user who returns to Sage People is signed in again without a prompt.

Custom Error URL: Leave blank.

14. Click Save to save the settings and download the metadata XML file.

Configure Login Page

When you have configured My Domain and SAML 2.0 you can configure your login page to select an authentication service as an identity provider.

    1. Go to Setup > Domain Management > My Domain.

    2. Under Login Page Branding, click Edit

    Sage People displays the Login Page Branding page. This page lists the authentication services available to you for selection:

    3. Under Authentication Service select the name of the service you have just configured.

    4. Make any other changes you want to the branding.

    5. Click Save.

AD FS 2.0 Configuration

1. Open the AD FS 2.0 MMC snap-in and Add a Trusted Relying Party:

    a. Select Data Source: Import data about a relying party from a file. Browse to the XML you downloaded from Sage People

    b. Display Name: Give the trust a display name, for example Sage People Test

    c. Select Issuance Authorization Rules: Permit all users to access this relying party

    d. Click Next to accept the defaults

e. Open Edit Claim Rules Dialog: Checked

2. In the claim rules editor click the Issuance Transform Rules tab

3. Add a new rule:

Claim Rule Template: Send LDAP Attributes as Claims.

Claim Rule Name: For testing use the User Principal Name (UPN) as NameID. Enter: Send UPN as NameID.

In production, use an attribute with a value that is unlikely to change over time such as the user’s email address or employee ID. The value issued as NameID must match the Federation ID on the Sage People user record, so any change in the value will break SSO for that user. If you use a different attribute, make sure the corresponding claim is accepted from Active Directory in the AD FS MMC at: Trust Relationships > Claims Provider Trusts > Acceptance Transform Rules

LDAP Attribute: User Principal Name

Outgoing Claim Type: Name ID

4. Click Finish.

SP-Initiated Login

IdP-initiated login typically works by setting up a link on the company intranet that users click to get access to Sage People. SP-initiated login happens when a user clicks a direct link to Sage People.

If you configured a My Domain entity ID in the Force.com SAML settings, for example https://testinfo-developer-edition.my.salesforce.com, users can go to URLs in that domain and be automatically redirected to AD FS for authentication.

For SP-initiated login to work, you must set the AD FS Secure hash algorithm parameter for the Sage People relying party to SHA-1, because Sage People signs its SAML requests with RSA-SHA1 and AD FS defaults to RSA-SHA256. AD FS uses this algorithm both to verify the signature on requests from this relying party and to sign the tokens it issues to it; the setting is per trust, so other relying parties are unaffected. If your org’s SAML Single Sign-On Settings offer a Request Signature Method option, selecting RSA-SHA256 there and leaving AD FS at its default is the better choice.

• In the AD FS MMC open the properties of the Sage People relying party trust, select the Advanced tab, and set Secure hash algorithm to SHA-1.
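The following is an added example, not a script from the Sage guide: it performs the AD FS 2.0 Configuration steps and the SHA-1 setting from SP-Initiated Login with the AD FS 2.0 PowerShell snap-in instead of the MMC, so the trust can be rebuilt identically in test and production. The metadata file path and the display name are assumptions; run it in an elevated PowerShell on the AD FS 2.0 server after downloading the Sage People metadata XML.

```powershell
# Added example (not from the Sage guide): relying party trust, claim rule and
# signature algorithm for Sage People, scripted with the AD FS 2.0 snap-in.
# Assumptions: metadata file path and display name below.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RpName       = 'Sage People Test'
$MetadataFile = 'C:\sso\SageSSO.xml'   # XML downloaded when you saved the SAML Single Sign-On Setting
$RsaSha1      = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Equivalent of the "Send LDAP Attributes as Claims" rule: User Principal Name -> Name ID.
# For production change userPrincipalName to a stable attribute (mail, employeeID);
# whatever is issued here must equal the Federation ID on the Sage People user record.
$IssuanceTransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# "Permit all users to access this relying party"
$IssuanceAuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-ADFSRelyingPartyTrust -Name $RpName) {
    Remove-ADFSRelyingPartyTrust -TargetName $RpName
}
# The metadata import supplies the identifier (the Sage People Entity ID), the
# assertion consumer endpoint and the Sage People request-signing certificate.
Add-ADFSRelyingPartyTrust -Name $RpName -MetadataFile $MetadataFile `
    -IssuanceTransformRules $IssuanceTransformRules `
    -IssuanceAuthorizationRules $IssuanceAuthorizationRules

# SP-initiated login: Sage People signs its AuthnRequests with RSA-SHA1 while AD FS
# expects RSA-SHA256 by default (event 378). Scope the downgrade to this one trust.
Set-ADFSRelyingPartyTrust -TargetName $RpName -SignatureAlgorithm $RsaSha1

# Read the trust back and check the values the Sage People side depends on.
$rp  = Get-ADFSRelyingPartyTrust -Name $RpName
$acs = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' } | Select-Object -First 1
New-Object PSObject -Property @{
    Identifier         = ($rp.Identifier -join ', ')           # must equal the Entity ID entered in Sage People
    AssertionConsumer  = $acs.Location                         # where AD FS will post the SAML response
    SignatureAlgorithm = $rp.SignatureAlgorithm
    RevocationCheck    = $rp.SigningCertificateRevocationCheck # leave at the default rather than None
    Enabled            = $rp.Enabled
} | Format-List
```

The read-back at the end is the check worth keeping: if Identifier does not equal the Entity ID you typed into Sage People the assertion’s Audience will not match and every login fails, and RevocationCheck shows whether someone has already applied the ADFS003 workaround to this trust.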

Testing

To test your configuration, set the Federation ID of a Sage People user to the UPN of your own AD account and attempt to login:

• For SP-initiated login, assuming you configured a 'My Domain' entity ID (see page 9), you can just go straight to it, for example https://testinfo-developer-edition.my.salesforce.com.

    • For IdP-initiated login, you must use the AD FS login URL and specify the loginToRp parameter as the Sage People SAML entity ID, for example: https://adfs.sagepeopledev.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://saml.sagepeople.com

    In either case, the browser should follow a chain of redirects, ultimately logging you in to Sage People.

    • If you get a Sage People login error use the SAML assertion validator tool on the Sage People single sign-on configuration page. It displays the results of the last failed SAML login.

    • If you get an error from AD FS, check the AD FS logs in Server Manager\Diagnostics\Applications and Services Logs\AD FS 2.0\Admin.

    If you configured a My Domain entity ID, SP-initiated login will work for deep-links. Bookmark a link from deep inside Sage People then log out. Reload your browser and select the bookmark. You should be seamlessly redirected to your IdP, authenticated, and then redirected back to the bookmarked link.

Logging in to Sage People Using Single Sign-On

    When Sage People has been implemented using single sign-on technology, use the web address for your Sage People site and your company provided single sign-on credentials to get access to the Sage People system.

    Add the Sage People start page to your browser Favorites or Bookmarks to get there quickly and easily.

    To avoid having to log in separately to Sage People every time, you can set up your browser to take full advantage of single sign-on. Instructions differ depending on the browser you are using.

Setting Up Chrome for Single Sign-On

1. Open Google Chrome.

    2. Click Customize… and select Settings from the drop down:

    Chrome displays the Settings tab.

    3. At the bottom of the window, click Show advanced settings… :

    4. In the Network section, click Change proxy settings…

    Chrome displays the Internet Properties dialog.


    5. Click the Security tab and click Local intranet:

    6. Click Sites:

    Chrome displays the Local intranet dialog:


    7. Click Advanced.

    Chrome displays the Local intranet Advanced dialog.

8. Enter the server URL in the Add… field using the form https://Win2k8Dev.sagepeopledev.com and click Add:

    Chrome adds the sites to the list of Websites in the dialog:

    9. Click Close to close the Local intranet Advanced dialog.

    10. Click OK to close the Local intranet dialog and return to the Internet Options dialog.

    11. In the Internet Options dialog click Trusted sites and click Sites:

    Chrome displays the Trusted sites dialog.


    12. Enter https://testsso99-developer-edition.my.salesforce.com in the Add… field and click Add:

    Chrome adds the site to the list of Websites in the dialog:

    13. Click Close to close the Trusted sites dialog and return to the Internet Options dialog.


    14. In the Internet Options dialog with Trusted sites still selected, click Custom level…:

    Chrome displays the Security Settings – Trusted Sites Zone dialog.

    15. Scroll through the list of Settings and click the radio button Automatic logon with current user name and password:

    16. Click OK to close the Security Settings – Trusted Sites Zone dialog.

    17. Click OK to close the Internet Options dialog.

    You can now log in to SSO using the link: https://testsso99-developer-edition.my.salesforce.com

Setting Up Firefox for Single Sign-On

1. Open Firefox.

    2. In the Address bar enter:

    about:config

    …and press Enter.

    Firefox displays a warning message:

    3. Click I’ll be careful, I promise!

    Firefox displays the list of configuration preferences for your browser.

    4. In the Search box enter:

    network.negotiate

    …to focus the list of preference names.

    5. Double click on the preference name:

    network.negotiate-auth.trusted-uris

    Firefox opens an Enter string value dialog.

    6. In the Enter string value dialog enter:

    https://Win2k8Dev.sagepeopledev.com

    7. Click OK

    Firefox adds the address as a value:

    8. Close the about:config browser window.

    You can now log in to SSO using the link: https://testsso99-developer-edition.my.salesforce.com

The first time you log in to SSO after setting up your browser Firefox may display a certificate warning. Firefox uses its own certificate store rather than the Windows store, so it does not trust the AD FS server certificate until the issuing Certificate Authority’s root certificate has been imported into Firefox (or, in current versions, security.enterprise_roots.enabled is set to true so that Firefox reads the Windows store). Importing the root certificate is preferable to storing an exception; if you do add an exception, first confirm that the certificate shown is the one you created for the friendly DNS name.

    If this occurs:

    1. Click I Understand the Risks.

    2. Click Add Exception…

    Firefox displays a confirmation dialog:

    3. Check Permanently store this exception.

    4. Click Confirm Security Exception.

Setting Up Internet Explorer for Single Sign-On

1. Open Internet Explorer.

    2. Go to Tools and select Internet Options:

    Internet Explorer displays the Internet Options dialog.

    3. Click the Security tab and click Local intranet:


    4. Click Sites:

    Internet Explorer displays the Local intranet dialog:

    5. Click Advanced.

    Internet Explorer displays the Local intranet Advanced dialog.

6. Enter the server URL in the Add… field using the form https://Win2k8Dev.sagepeopledev.com and click Add:

    Internet Explorer adds the sites to the list of Websites in the dialog:


    7. Click Close to close the Local intranet Advanced dialog.

    8. Click OK to close the Local intranet dialog and return to the Internet Options dialog.

    9. In the Internet Options dialog click Trusted sites and click Sites:

    Internet Explorer displays the Trusted sites dialog.

    10. Enter https://testsso99-developer-edition.my.salesforce.com in the Add… field and click Add:

    Internet Explorer adds the site to the list of Websites in the dialog:

    11. Click Close to close the Trusted sites dialog and return to the Internet Options dialog.


    12. In the Internet Options dialog with Trusted sites still selected, click Custom level…:

    Internet Explorer displays the Security Settings – Trusted Sites Zone dialog.

    13. Scroll through the list of Settings and click the radio button Automatic logon with current user name and password:

    14. Click OK to close the Security Settings – Trusted Sites Zone dialog.

    15. Click OK to close the Internet Options dialog.

    You can now log in to SSO using the link: https://testsso99-developer-edition.my.salesforce.com
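The Chrome and Internet Explorer sections above make the same Internet Options changes by hand. The script below is an added example, not from the Sage guide, that applies them to the current user’s registry so they can be rolled out to many workstations; Chrome on Windows consults the same zone settings when deciding whether to answer a Negotiate (Kerberos) challenge. The host names are the guide’s examples, and the script assumes no Group Policy site-to-zone assignment is in force.

```powershell
# Added example (not from the Sage guide): Internet Options zone assignments and
# the "Automatic logon with current user name and password" setting, scripted.
# Assumptions: host names are the guide's examples; run as the end user.
$IntranetHosts = @('adfs.sagepeopledev.com', 'Win2k8Dev.sagepeopledev.com')   # AD FS server: Local intranet, zone 1
$TrustedHosts  = @('testsso99-developer-edition.my.salesforce.com')            # Sage People: Trusted sites, zone 2
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Set-ZoneMapping {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][ValidateSet(1, 2)][int]$Zone
    )
    # ZoneMap keys are laid out as Domains\<registrable domain>\<host label>, with one
    # DWORD value per scheme. Mapping only "https" keeps a plain-http site of the same
    # name in the Internet zone, where no credentials are sent automatically.
    $label, $domain = $HostName.ToLower() -split '\.', 2
    $key = Join-Path (Join-Path $ZoneMap $domain) $label
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'https' -Value $Zone -Type DWord
}

function Get-ZoneMapping {
    param([Parameter(Mandatory = $true)][string]$HostName)
    $label, $domain = $HostName.ToLower() -split '\.', 2
    $key = Join-Path (Join-Path $ZoneMap $domain) $label
    if (Test-Path $key) { (Get-ItemProperty -Path $key -Name 'https').https } else { $null }
}

foreach ($h in $IntranetHosts) { Set-ZoneMapping -HostName $h -Zone 1 }
foreach ($h in $TrustedHosts)  { Set-ZoneMapping -HostName $h -Zone 2 }

# Trusted sites, "Automatic logon with current user name and password" (value 1A00 = 0).
# With this set, the browser answers a Negotiate or NTLM challenge from ANY site in the
# Trusted sites zone with the logged-on user's Windows credentials, so keep that zone's
# list to the hosts above. 0x20000 (automatic logon only in the Intranet zone) is the
# usual default, and the AD FS host in zone 1 already authenticates under that default.
Set-ItemProperty -Path (Join-Path $Zones '2') -Name '1A00' -Value 0 -Type DWord

# Verify what the browser will see
foreach ($h in $IntranetHosts + $TrustedHosts) {
    '{0,-50} https -> zone {1}' -f $h, (Get-ZoneMapping -HostName $h)
}
'Trusted sites 1A00 = 0x{0:X}' -f (Get-ItemProperty -Path (Join-Path $Zones '2') -Name '1A00').'1A00'
```

If the domain uses the "Site to Zone Assignment List" or "Security Zones: Use only machine settings" policies, these per-user values are ignored and the same mappings have to be made in the policy. Firefox does not read these zones at all; it needs network.negotiate-auth.trusted-uris as described in the Firefox section.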

References and more information

This document draws on the following source material:

• The developerforce wiki article: https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_about.htm

    • Rhys Goodwin’s Weblog:

    http://blog.rhysgoodwin.com/cloud/salesforce-sso-with-adfs-2-0-everything-you-need-to-know/

    For more information on:

• AD FS 2.0 diagnostics see the MSDN Claims-Based Identity Blog: http://blogs.msdn.com/b/card/archive/2010/01/21/diagnostics-in-ad-fs-2-0.aspx

    • AD FS 2.0 RTW (release to web) download:

    http://www.microsoft.com/en-us/download/details.aspx?id=10909

• Kerberos SPNs see Active Directory and Kerberos SPNs Made Easy: http://blog.rhysgoodwin.com/windows-admin/active-directory-and-kerberos-spns-made-easy/

    • Microsoft Windows Server 2008 R2:

    http://www.microsoft.com/en-gb/server-cloud/windows-server/2008-r2-overview.aspx

Troubleshooting

This section provides solutions for issues that you may experience during the setup process described in this guide.

Each issue below is cross-referenced from the point in the guide where it can occur. After resolving an issue, return to that point in the main guide.

Internet Information Services

IIS001

What happens

    When trying to start a web site in the IIS MMC snap-in you get the error message:

    The process cannot access the file because it is being used by another process

    Why

• There may be a conflict with another process using port 80 or port 443, the ports IIS uses by default for HTTP (port 80) and SSL (port 443).

• The ListenOnlyList registry subkey is not configured correctly on the computer running IIS.

    What to do

    This issue is covered in a Microsoft knowledge base article: http://support.microsoft.com/kb/890015

    1. Use Netstat.exe to see if another process is using port 80 or port 443.

2. If there is no port conflict, examine the ListenOnlyList registry subkey and make any changes required as described in the same article.

Active Directory Federation Services

ADFS001

What happens

    When the installer tries to register a service principal name (SPN) you get an error message.

    Why

    Integrated Windows Authentication between the browser and the AD FS IIS instance is unable to work correctly with the automatically created SPN.

    What to do

Manually create a Kerberos SPN for the DNS name. In a Command Prompt enter the following, where ADFSSVR01 is the AD FS server’s computer account in the testzone domain:

setspn -a HOST/adfs.sagepeopledev.com testzone\ADFSSVR01

setspn -a HOST/adfs testzone\ADFSSVR01

The HOST/ service class covers HTTP only while the AD FS application pool runs as Network Service or Local System. If the federation service runs under a domain service account, register HTTP/adfs.sagepeopledev.com on that account instead. On Windows Server 2008 and later prefer setspn -s to setspn -a: it refuses to register an SPN that already exists on another account, and a duplicate SPN breaks Kerberos authentication for that name.

ADFS002

What happens

    During AD FS configuration you get this message:

    Why

    An adfs directory already exists, probably from a previous installation. The adfs directory hosts the AD FS configuration database, which must also be deleted.

    What to do

Exit the AD FS configuration wizard, delete the adfs directory, and restart the Federation Server Configuration Wizard. The wizard detects the underlying database and offers you the option of deleting the configuration database:

    Check Delete database and click Next to resume the Configuration Wizard.

ADFS003

What happens

The event log displays errors relating to Certificate Revocation List (CRL) checks failing when the AD FS server cannot connect to the internet.

Why

When AD FS validates the Sage People request-signing certificate it fetches the CRL, and any missing certificates in the chain, from the URLs embedded in the certificate. The AD FS server therefore needs outbound HTTP access to those distribution points.

What to do

The preferred fix is to allow the AD FS server outbound access to the CRL distribution points, which keeps revocation checking in place. If that is not possible, turn off CRL checking for this relying party only, by opening PowerShell as Administrator and running:

Add-PSSnapin Microsoft.Adfs.PowerShell

Set-ADFSRelyingPartyTrust -TargetName "YourRelyingPartyDisplayName" -SigningCertificateRevocationCheck None

With the check set to None, AD FS accepts a signed SAML request from a revoked certificate, so record the exception and restore the default once connectivity is available.

Service Provider Initiated Login

SPIL001

What happens

The AD FS event log displays the message:

Event ID: 378

SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm is http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

    Why

    The secure hash algorithm is not set to SHA-1

    What to do

Open the Properties dialog for the Sage People relying party trust (named SalesForce Sandbox in this example), select the Advanced tab, and set the secure hash algorithm to SHA-1 (see SP-Initiated Login, page 15).

Appendix: Browser handling of SAML requests

SP-initiated login has the most steps and demonstrates SAML and federation at its best. The HTTP protocol messages show you exactly what’s happening at each step. You can use a tool such as ieHTTPheaders or Fiddler2 to capture these messages for yourself, but note that Fiddler2 interferes with Integrated Windows Authentication to IIS: Extended Protection for Authentication binds the Kerberos or NTLM exchange to the TLS channel, and an intercepting proxy terminates TLS with its own certificate, so the binding check fails. You’ll need to turn off extended protection on the /adfs/ls/ virtual directory if you want to try this, otherwise your browser won’t authenticate with AD FS and you’ll see event 4625 with error 0xc000035b in the Windows security log on the AD FS server. Turn extended protection back on when you have finished; it is what stops an authentication relayed through a different TLS channel from being accepted.

    In the interests of clarity, some extraneous HTTP headers are omitted and long strings of base 64 encoded data and sensitive identifiers are replaced by ellipses.

Step 1

The user clicks a deep link to a Force.com page; in our example, it's https://customer-developer-edition.my.salesforce.com/home/home.jsp. The browser requests the page and Force.com renders a page containing JavaScript to redirect the browser to the Force.com SAML request generator.

    The SAML request generator creates a SAML request for the IdP by sending an HTML form with hidden fields back to the browser.

It then uses JavaScript to automatically submit the form to the IdP SAML endpoint. Note the text in the noscript element instructing the user to click the 'Continue' button to proceed if JavaScript is disabled.

You can decode the SAMLRequest using a tool such as the SAML 2.0 Debugger (https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php):

Step 2

The browser submits the HTML form containing the SAML request to the AD FS SAML endpoint:

    Since we are using Integrated Windows Authentication, AD FS redirects the browser to the /auth/integrated/ directory:

    Finally, the user is authenticated using Integrated Windows Authentication, comprising several HTTP request/response exchanges, and AD FS serves up a SAML response.


    Again, the SAML message is returned to the browser in an HTML form which is then submitted to the Force.com SAML endpoint using JavaScript.


    Decoding the SAML response (note the UPN in the NameID element):

Step 3

The browser submits the HTML form which contains the SAML response to the Force.com SAML endpoint, which verifies the SAML assertion, logs the user in and redirects the browser to the original requested URL.
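The appendix describes decoding the SAMLResponse by hand. The script below is an added example, not from the Sage guide: it decodes the base64 value of the hidden SAMLResponse field captured in Step 2 and checks the plaintext fields that Sage People matches against its Single Sign-On Settings (Issuer, Entity ID as Audience, the NameID used as Federation ID, and the validity window). Sage People performs the XML signature verification itself; this is a preflight for the mismatches that cause most failed logins. The expected values are the guide’s example host names plus assumed placeholders, and the response it decodes is a constructed sample with the signature content elided.

```powershell
# Added example, not part of the Sage guide. Assumed values: the AD FS entityID
# and the assertion consumer URL; the Entity ID is the guide's example My Domain.
$ExpectedIssuer    = 'http://adfs.sagepeopledev.com/adfs/services/trust'     # entityID from Federation Metadata (assumed)
$ExpectedAudience  = 'https://testinfo-developer-edition.my.salesforce.com'  # Entity ID field in Sage People
$ExpectedRecipient = 'https://testinfo-developer-edition.my.salesforce.com?so=00D000000000000'  # assertion consumer URL (assumed)

function ConvertFrom-SamlPostValue {
    # The HTTP-POST binding used here carries the message base64-encoded only;
    # deflate compression applies to the HTTP-Redirect binding, not this one.
    param([Parameter(Mandatory = $true)][string]$Base64)
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64))
}

function Test-SamlResponse {
    param(
        [Parameter(Mandatory = $true)][xml]$Doc,
        [Parameter(Mandatory = $true)][string]$Issuer,
        [Parameter(Mandatory = $true)][string]$Audience,
        [Parameter(Mandatory = $true)][string]$Recipient
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $status = $Doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns)
    $a = $Doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if ($null -eq $a) { throw 'No plaintext saml:Assertion found; Sage People is configured for unencrypted assertions' }

    $utc  = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $cond = $a.SelectSingleNode('saml:Conditions', $ns)
    $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotBefore'), $utc)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotOnOrAfter'), $utc)
    $now = [DateTime]::UtcNow

    New-Object PSObject -Property @{
        StatusSuccess    = $status.GetAttribute('Value') -eq 'urn:oasis:names:tc:SAML:2.0:status:Success'
        # Issuer and Entity ID are compared case-sensitively (-ceq), as the settings page warns
        IssuerMatches    = $a.SelectSingleNode('saml:Issuer', $ns).InnerText -ceq $Issuer
        AudienceMatches  = $a.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns).InnerText -ceq $Audience
        RecipientMatches = $a.SelectSingleNode('saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData', $ns).GetAttribute('Recipient') -ceq $Recipient
        WithinValidity   = ($now -ge $notBefore) -and ($now -lt $notOnOrAfter)   # clock skew between AD FS and Sage People shows up here
        AssertionSigned  = $null -ne $a.SelectSingleNode('ds:Signature', $ns)
        NameID           = $a.SelectSingleNode('saml:Subject/saml:NameID', $ns).InnerText   # must equal the user's Federation ID
    }
}

# Constructed sample. A real run passes the hidden SAMLResponse form value from
# Step 2 to ConvertFrom-SamlPostValue instead; the signature content is elided.
$t0 = [DateTime]::UtcNow.AddMinutes(-2).ToString('o')
$t1 = [DateTime]::UtcNow.AddMinutes(5).ToString('o')
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="$t0" Destination="$ExpectedRecipient">
  <saml:Issuer>$ExpectedIssuer</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="$t0">
    <saml:Issuer>$ExpectedIssuer</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>jsmith@sagepeopledev.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="$t1" Recipient="$ExpectedRecipient"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="$t0" NotOnOrAfter="$t1">
      <saml:AudienceRestriction><saml:Audience>$ExpectedAudience</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"@
$posted  = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))   # what the browser posts
$xmlText = ConvertFrom-SamlPostValue -Base64 $posted
Test-SamlResponse -Doc ([xml]$xmlText) -Issuer $ExpectedIssuer -Audience $ExpectedAudience -Recipient $ExpectedRecipient | Format-List
```

A false IssuerMatches or AudienceMatches almost always means a case or trailing-slash difference between the AD FS entityID and the Issuer field, or between the My Domain URL and the Entity ID field; a false WithinValidity with everything else true points at clock skew on the AD FS server. None of these checks replaces the SAML assertion validator on the Sage People single sign-on page, which also reports signature failures against the uploaded token-signing certificate.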
