Configuring SAML Authentication with ADFS

To configure ADFS for the platform, it is necessary to use a specific digital certificate for the tenant, which is provided by Senior when creating the tenant.

1. Connect to the Active Directory server and run the ADFS Management application;
2. On the menu, in the Trust Relationships folder, right-click the Relying Party Trusts folder, and then clickAdd Relying Party Trust…;
3. In the Add Relying Party Trust Wizard clickStart;
4. In the Select Data Source step, select the optionEnter data about the relying party manually and clickNext;
5. In the Specify Display Name step, in the fieldDisplay Name, enter SeniorX and clickNext;
6. In the Choose Profile step, keep the AD FS profile option selected and clickNext;
7. click inNext in the Configure Certificate step. The certificate is made available when the tenant is requested via SARA, an email is sent to the consultant with the link to download a .zip where the certificate is inside the SAML folder in .jks format (if you do not have the certificate or need it in other format, contact senior X Platform support);
8. In the Configure URL step, select the optionEnable support for the SAML 2.0 WebSSO protocol is atRelying party SAML 2.0 SSO service URL report https://platform.senior.com.br:9443/commonauth. Then clickNext;
9. In the Configure identifiers step,Relying party trust identifier report SeniorX and clickAdd. Then clickNext;
10. click inNext in the Configure Multi-factor Authentication Now? step;
11. In the Choose Issuance Authorization Rules step, keep the option selectedAllow all users to access the relying party and clickNext;
12. click inNext in the Ready to Add Trust stage;
13. In the Finish step, keep the option selectedOpen the Edit Claim Rules dialog for this relying party trust when the wizard closes and clickClose.

After these settings, the Edit Claim Rules for SeniorX screen will open:

1. On the Issuance Transform Rules tab, clickAdd Rule;
2. In the Add Transform Claim Rule Wizard, in the Choose Rule Type step, keep the Send LDAP Attributes as Claims option selected and clickNext;
3. In the Configure Claim Rule step:
   • Claim rule name: SAM-Account-Name -> User Name
   • attribute store : Active Directory
   • Mapping of LDAP attributes to outgoing claim types:
     • LDAP Attribute : SAM-Account-Name
     • Outgoing Claim Type :UserName
4. click inFinish
   • and add one more rule:
   C
   • laim rule name
   • : Display-Name -> Name
     attribute store
     • : Active Directory
     Mapping of LDAP attributes to outgoing claim types
     • :
     LDAP Attribute
     : Display-Name
   Outgoing Claim Type :Name
5. click inFinish
   • and add one more rule:
   C
   • laim rule name
   : User-Principal-Name -> Email Address
   • attribute store
     : Active Directory
     • Mapping of LDAP attributes to outgoing claim types
     :
     • LDAP Attribute
     : User-Principal-Name
   Outgoing Claim Type : E-Mail Address
6. click inFinish;
7. In the Choose Claim Rule step, add one more rule. InClaim rule template select Transform an Incoming Claim and clickNext;
8. In the Configure Claim Rule ste
   p:
   • Claim rule name
   : User Name -> Name ID
   • Incoming claim type
   :UserName
   • Outgoing claim type
   :NameID
9. click inFinish and close the Add Transform Claim Rule Wizard screen;
10. In the AD FS Management application, in the Relying Party Trusts folder, right-click SeniorX, and then clickProperties;
11. On the SeniorX Properties screen, on the Signature tab, clickAdd.. and select the certificate obtained with Senior;
12. On the Endpoints tab, clickAdd SAML...
    • and report
    • :
    • Endpoint type: SAML Logout
    • Binding: POST
    Trusted URL: enter the external ADFS URLResponse URL: https://platform.senior.com.br/commonauth
13. click inOK ;
14. click inApply is atOK To finish, go to ADFS settings.

Before starting to configure authentication on the senior X Platform, still in the AD FS Management application, in the Service folder, click on Claim Descriptions and note the values for Claim Type, claimsUsername,Email Address It isName. These values will be used for authentication on the platform.

1. Access the platform with the tenant administrator user;
2. Go to Technology > Administration > Tenant Management > Configure, select the tenant and clicksettings;
3. On the Authentication tab, change the authentication type to "SAML Authentication";
4. In SAML Settings, enter:
   • SAM
   • L request redirect URL: https://platform.senior.com.br/auth/LoginWithCodeServlet
   • Identity Provide
   • r Entity ID: https://<ADFS URL>/adfs/services/trust
   • Service Provider Ent
   ity ID : SeniorX (value previously defined in the ADFS configurationURL to login: https://<Customer ADFS URL>/adfs/lsURL to log out: https://<Customer ADFS URL>/adfs/ls/?wa=wsignout1.0
5. Under SAML User Data:
   • Claim that defines the user's username: claim type of claim User Name
   • Claim that defines the user's email : claim type of claim E-Mail Address
   • Claim that defines the user's full name : claim type of claim Name
   • Role that will be defined for new users: determine the role that the user will receive on their first login via ADFS
6. click inTo save to complete the settings.

To test the configuration, open another browser or an incognito tab in the same browser and access the platform's URL, entering the tenant's domain in the URL.

If the configuration is correct, a redirection will be automatically made to the ADFS login screen. When providing valid credentials, you will be redirected to the already authenticated senior X Platform. Confirm that all user data is correct according to your profile on the platform. If any attribute is incorrect, review the claims part, both in ADFS and in the senior X Platform.