
Active Directory Federation Services (ADFS) is one of the leading Identity Provider (IdP) solutions on the market. This step-by-step guide shows how to configure your Spotinst account to authenticate users over SAML 2.0 with ADFS as the IdP.

Prerequisites:
  1. A Spotinst account with Admin permissions.
  2. A domain-joined Windows Server 2012 R2 or 2016 with the ADFS role installed.
Step 1: Add a Relying Party Trust
  1. Open the Active Directory Federation Services (ADFS) Management Console
  2. Right-click ‘Relying Party Trusts’ and click ‘Add Relying Party Trust’
  3. Choose ‘Claims-aware’ and click Start
  4. Choose ‘Enter data about the relying party manually’ and click Next
  5. Choose a Name for the relying party and click Next
  6. Click Next when asked for a certificate (the optional token-encryption certificate is not needed here)
  7. Check the ‘Enable support for the SAML 2.0 WebSSO protocol’ option
  8. Enter the following URL as the relying party SAML 2.0 SSO service URL: https://console.spotinst.com/auth/saml
  9. Add the same URL as the relying party trust identifier (RPID)
  10. Click Next and then Finish to complete the wizard
  11. A new wizard opens, allowing you to configure the Claim Rules
  12. Click Next when prompted for the rule template (the default, ‘Send LDAP Attributes as Claims’)
  13. Enter a Name for the Claim Rule and choose ‘Active Directory’ as the attribute store
  14. Enter the following attribute mappings:

      LDAP Attribute    Outgoing Claim Type
      E-Mail-Address    Email
      Given-Name        FirstName
      Surname           LastName

  15. Click Finish to complete the wizard
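
The same trust and claim rule can be created without the wizard. The script below is an added example, not part of the Spotinst guide: it is meant to be run in an elevated PowerShell on the ADFS server, and the trust name, the domain and the ‘Spotinst-Users’ group are placeholders of this example (the guide itself permits everyone; restricting sign-in to a group is this example's addition). The endpoint URL, identifier and the three attribute mappings are exactly those from the steps above.

```powershell
# Added example (not from the Spotinst guide): create the relying party trust and claim rule
# that the wizard above produces, from an elevated PowerShell on the ADFS server.
Import-Module ADFS

$rpName = 'Spotinst'                                  # placeholder display name
$rpUrl  = 'https://console.spotinst.com/auth/saml'    # SAML 2.0 WebSSO (assertion consumer) URL from step 8
$rpid   = $rpUrl                                      # step 9: the guide uses the same value as the identifier

# Step 7-8: the SAML assertion consumer endpoint, HTTP-POST binding
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $rpUrl -Index 0

# Step 11-14: one "Send LDAP Attributes as Claims" rule with the three mappings from the table.
# The outgoing claim types are the literal names the guide uses (Email, FirstName, LastName).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Spotinst user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Issuance authorization. The wizard defaults to "Permit everyone"; this example instead permits
# only members of one AD group (assumed name, resolved to its SID so the rule survives a rename).
# To mirror the wizard's default use:
#   '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$allowedGroup    = 'MYDOMAIN\Spotinst-Users'   # placeholder group
$allowedGroupSid = ([System.Security.Principal.NTAccount]$allowedGroup).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
$authzRules = @"
@RuleName = "Permit members of $allowedGroup"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$allowedGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpid -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   # explicit, so SHA-1 is never used

# Verify what was created
Get-AdfsRelyingPartyTrust -Name $rpName |
    Format-List Name, Identifier, SamlEndpoints, SignatureAlgorithm, IssuanceTransformRules, IssuanceAuthorizationRules
```

Run it once; Add-AdfsRelyingPartyTrust fails if a trust with the same identifier already exists, so remove the wizard-created trust first if you switch to the script.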
Step 2: Getting and inserting the metadata
  1. Download your ADFS metadata XML file, which is located at:
     https://<yourADFSserver>/federationmetadata/2007-06/federationmetadata.xml
  2. Open the XML file for editing
  3. Locate the first <X509Certificate> tag and its closing </X509Certificate>, and change them to <ds:X509Certificate> and </ds:X509Certificate> respectively (the ds prefix must be declared in scope, otherwise the file is no longer well-formed XML)
  4. Log in to your Spotinst account as an Admin
  5. Click on the user icon on the top right side of the screen and click ‘Settings’
  6. Click on the ‘Security’ tab on the top and then select ‘Identity Providers’
  7. Click ‘BROWSE’, select your metadata file and click ‘SAVE’

The signing certificate in this file is what Spotinst will trust for assertion signatures, so fetch the file over HTTPS directly from your ADFS server and confirm that the certificate matches the ADFS token-signing certificate before uploading it.
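
The following script is an added example, not part of the Spotinst guide. Run in an elevated PowerShell on the ADFS server, it downloads the federation metadata, checks that the signing certificate inside it matches the server's primary token-signing certificate, and then performs the rename from step 3. The host name and output paths are placeholders; declaring the ds prefix on the root element is this example's own addition so that the edited file stays well-formed XML.

```powershell
# Added example (not from the Spotinst guide). Assumes an elevated PowerShell on the ADFS server.
Import-Module ADFS

$adfsHost    = 'sts.example.com'                                             # placeholder
$metadataUrl = "https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml"
$outFile     = Join-Path $env:TEMP 'spotinst-adfs-metadata.xml'
$editedFile  = Join-Path $env:TEMP 'spotinst-adfs-metadata-edited.xml'

Invoke-WebRequest -Uri $metadataUrl -OutFile $outFile -UseBasicParsing
$raw = Get-Content -Path $outFile -Raw
[xml]$md = $raw                                          # throws if the download is not well-formed XML

# 1. Namespace-aware lookup of the IdP signing certificate(s), so it does not matter which prefix
#    the document uses. During a certificate rollover the metadata can list more than one.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$mdThumbprints = @($md.SelectNodes($xpath, $ns) | ForEach-Object {
    $bytes = [Convert]::FromBase64String($_.InnerText)
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)).Thumbprint
})
if ($mdThumbprints.Count -eq 0) { throw 'No signing certificate found in the metadata' }

# 2. Compare with the certificate ADFS actually signs tokens with
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($mdThumbprints -notcontains $primary.Thumbprint) {
    throw "Metadata signing certificate(s) $($mdThumbprints -join ', ') do not include the primary token-signing certificate $($primary.Thumbprint)"
}
"Signing certificate OK: $($primary.Thumbprint), expires $($primary.Certificate.NotAfter)"

# 3. The guide's edit: rename the first <X509Certificate> element to <ds:X509Certificate>.
#    ADFS normally declares xmlns:ds only on its <ds:Signature> element, so this example also
#    declares it on the root; the element already lives in the xmldsig namespace, so binding
#    ds to the same URI keeps its meaning unchanged and the file well-formed.
$dsNs   = 'http://www.w3.org/2000/09/xmldsig#'
$edited = $raw
if ($edited -notmatch '<EntityDescriptor\b[^>]*\sxmlns:ds=') {
    $edited = ([regex]'<EntityDescriptor\b').Replace($edited, "<EntityDescriptor xmlns:ds=`"$dsNs`"", 1)
}
$edited = ([regex]'<X509Certificate>').Replace($edited, '<ds:X509Certificate>', 1)
$edited = ([regex]'</X509Certificate>').Replace($edited, '</ds:X509Certificate>', 1)
$null = [xml]$edited                                     # throws if the edit broke well-formedness

# Write without a BOM so the XML declaration stays the first bytes of the file
[System.IO.File]::WriteAllText($editedFile, $edited, (New-Object System.Text.UTF8Encoding $false))
"Upload $editedFile in Spotinst under Settings > Security > Identity Providers"
```

If the thumbprint check fails, do not upload the file: either the download did not come from your ADFS farm or a rollover is in progress and the primary certificate has not yet been published.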
Step 3: IdP-Initiated SSO

To configure IdP-initiated SSO, the following additional settings are required:

  1. Log in to your Spotinst account as an administrator
  2. Click on the user icon on the top right side of the screen and click ‘Settings’
  3. Click on the ‘Security’ tab on the top and then select ‘Identity Providers’
  4. Make a copy of the Relay State value
  5. Connect to your ADFS server
  6. Open PowerShell with administrative permissions
  7. Run the following command to enable the IdP-initiated sign-on page (needed on Windows Server 2016, where the page is disabled by default; the page lists the SAML relying parties of your farm to anyone who can reach it, so enable it only if you need IdP-initiated SSO):
     Set-ADFSProperties -EnableIdPInitiatedSignonPage $true
     • If running on Windows Server 2016, run the following command to enable RelayState:
       Set-ADFSProperties -EnableRelayStateForIDPInitiatedSignon $true
     • If running on Windows Server 2012 R2:
       1. Open the following file for editing:
          %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config
       2. Locate the line: <microsoft.identityserver.web>
       3. Add the following line right after the <microsoft.identityserver.web> entry:
          <useRelayStateForIdpInitiatedSignOn enabled="true" />
  8. Restart the Active Directory Federation Services service (Restart-Service adfssrv)

IdP-initiated SSO URL:

The query string of the sign-on URL carries two values:

  • RPID
    1. This value is the relying party identifier
    2. This value must be URL-encoded
  • Nested RelayState
    1. This value is passed to the Relying Party as RelayState
    2. This value must be URL-encoded

The two encoded values are joined as RPID=<encoded RPID>&RelayState=<encoded nested RelayState>, and that whole string is URL-encoded once more and passed as the RelayState query parameter of the sign-on page. To make things easy, use a RelayState generator, which encodes the parameters and builds the URL for you; insert the following:
  1. IdP URL: https://<yourADFSserver>/adfs/ls/idpinitiatedsignon.aspx
  2. RP URL: https://console.spotinst.com/auth/saml
  3. The Relay State that you copied in step 4
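
The double encoding described above, as an added PowerShell example that is not part of the Spotinst guide: one function builds the URL, a second decodes it the way ADFS does and checks that both values round-trip unchanged. The ADFS host name and the RelayState value are placeholders; paste the value copied from the Spotinst Identity Providers page.

```powershell
# Added example (not from the Spotinst guide): build and verify an ADFS IdP-initiated sign-on URL.
function New-AdfsIdpInitiatedUrl {
    param(
        [Parameter(Mandatory)] [string]$IdpSignonUrl,       # https://<adfs>/adfs/ls/idpinitiatedsignon.aspx
        [Parameter(Mandatory)] [string]$Rpid,               # relying party identifier
        [Parameter(Mandatory)] [string]$NestedRelayState    # value ADFS hands to the relying party as RelayState
    )
    # Inner part: RPID=<enc(rpid)>&RelayState=<enc(nested)>
    $inner = 'RPID=' + [Uri]::EscapeDataString($Rpid) +
             '&RelayState=' + [Uri]::EscapeDataString($NestedRelayState)
    # The inner string is itself the value of the outer RelayState parameter, so it is encoded a second time
    return $IdpSignonUrl + '?RelayState=' + [Uri]::EscapeDataString($inner)
}

# Decode the URL the same way ADFS does and confirm both values survived the double encoding
function Test-AdfsIdpInitiatedUrl {
    param(
        [Parameter(Mandatory)] [string]$Url,
        [Parameter(Mandatory)] [string]$Rpid,
        [Parameter(Mandatory)] [string]$NestedRelayState
    )
    $outerValue = ($Url -split '\?RelayState=', 2)[1]
    if (-not $outerValue) { return $false }
    $inner = [Uri]::UnescapeDataString($outerValue)
    $parts = @{}
    foreach ($pair in ($inner -split '&')) {
        $key, $value = $pair -split '=', 2
        $parts[$key] = [Uri]::UnescapeDataString($value)
    }
    return ($parts['RPID'] -eq $Rpid) -and ($parts['RelayState'] -eq $NestedRelayState)
}

$idp   = 'https://sts.example.com/adfs/ls/idpinitiatedsignon.aspx'   # placeholder host
$rpid  = 'https://console.spotinst.com/auth/saml'
$state = 'PASTE-THE-RELAY-STATE-COPIED-FROM-SPOTINST'                  # placeholder

$url = New-AdfsIdpInitiatedUrl -IdpSignonUrl $idp -Rpid $rpid -NestedRelayState $state
$url
Test-AdfsIdpInitiatedUrl -Url $url -Rpid $rpid -NestedRelayState $state   # True when the encoding is right
```

Anyone who can reach the sign-on page can craft such a URL with any nested value, so the relying party must treat the RelayState it receives as untrusted input; the link you distribute to users is a convenience, not an authentication factor.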

Creating a Temporary Token

When creating a temporary token, the user's AD credentials are validated against the IdP.

To create a temporary token, run the following request (replace the ‘<>’ sections with your values). The request carries the AD password and the client secret in its body, so keep it out of shell history and logs; --data-urlencode also takes care of characters such as \ and @ in the values:

curl -X POST https://oauth.spotinst.io/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "username=<SpotinstUserName, e.g. myuser@company.com>" \
  --data-urlencode "adSamAccountName=<ADUserName, e.g. MyDomain\MyUser>" \
  --data-urlencode "password=<ADPassword>" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "client_id=<YourClientID>" \
  --data-urlencode "client_secret=<YourClientSecret>"

Successful response:

{
  "request": {
    "id": "caa47a08-244e-4786-8bc9-dc85a2ce8df8",
    "url": "/token",
    "method": "POST",
    "timestamp": "2017-06-22T12:23:33.568Z"
  },
  "response": {
    "status": {
      "code": 200,
      "message": "OK"
    },
    "kind": "spotinst:oauth2:token",
    "items": [
      {
        "accessToken": "<TOKEN>",
        "tokenType": "bearer",
        "expiresIn": 7199
      }
    ],
    "count": 1
  }
}

expiresIn is given in seconds, so the token above is valid for roughly two hours; as the tokenType indicates, it is sent to the API as an Authorization: Bearer <TOKEN> header.

Error response (the credentials, client ID or client secret were rejected):

{
  "request": {
    "id": "d8999e29-d9ea-4ce9-8ede-9394a43eb2db",
    "url": "/token",
    "method": "POST",
    "timestamp": "2017-06-27T12:23:51.617Z"
  },
  "response": {
    "status": {
      "code": 401,
      "message": "Unauthorized"
    }
  }
}
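
The same request from PowerShell, as an added example that is not part of the Spotinst guide: it keeps the secrets out of the command line (the AD password is prompted for, the client ID and secret are read from environment variables you set beforehand, both assumptions of this example), handles the 401 case separately, and returns the token with its computed expiry. The Spotinst user name is a placeholder.

```powershell
# Added example (not from the Spotinst guide): request a temporary token and handle the 401 case.
function Get-SpotinstTemporaryToken {
    param(
        [Parameter(Mandatory)] [string]$SpotinstUserName,       # e.g. myuser@company.com
        [Parameter(Mandatory)] [pscredential]$AdCredential,     # DOMAIN\user and the AD password
        [Parameter(Mandatory)] [string]$ClientId,
        [Parameter(Mandatory)] [string]$ClientSecret
    )
    $body = @{
        username         = $SpotinstUserName
        adSamAccountName = $AdCredential.UserName
        password         = $AdCredential.GetNetworkCredential().Password
        grant_type       = 'password'
        client_id        = $ClientId
        client_secret    = $ClientSecret
    }
    try {
        # Invoke-RestMethod form-encodes a hashtable body for this content type
        $resp = Invoke-RestMethod -Method Post -Uri 'https://oauth.spotinst.io/token' `
                    -ContentType 'application/x-www-form-urlencoded' -Body $body
    } catch {
        $status = 0
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        if ($status -eq 401) {
            throw 'Spotinst rejected the request (HTTP 401 Unauthorized): check the AD account and password, the Spotinst user name, and the client ID/secret.'
        }
        throw   # any other failure (network, 5xx) is re-thrown unchanged
    }
    $item = $resp.response.items[0]
    [pscustomobject]@{
        AccessToken = $item.accessToken
        TokenType   = $item.tokenType                              # "bearer" in the sample response
        ExpiresAt   = (Get-Date).AddSeconds([int]$item.expiresIn)  # 7199 s in the sample, i.e. about two hours
    }
}

$token = Get-SpotinstTemporaryToken -SpotinstUserName 'myuser@company.com' `
            -AdCredential (Get-Credential -Message 'AD account (DOMAIN\user)') `
            -ClientId $env:SPOTINST_CLIENT_ID -ClientSecret $env:SPOTINST_CLIENT_SECRET

# Ready for API calls: pass -Headers $headers to Invoke-RestMethod. Never echo or log the token itself.
$headers = @{ Authorization = "Bearer $($token.AccessToken)" }
"Token obtained, valid until $($token.ExpiresAt)"
```

Re-request a token shortly before ExpiresAt rather than caching it for longer; a 401 on an API call after that point means the token has expired, not that the credentials have changed.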

We hope that you’ve found this guide useful!