
Single Sign-On: First time configuration with ADFS as a SAML Identity Provider (IdP)

Article: [7268]

Introduction:

This is an example of setting up Barco SAML-based Single Sign-On (SSO) with ADFS as your Identity Provider (IdP).

Note:

To find detailed steps using Barco Management Suite, see Quick start guide for Barco Single Sign-on.

Instructions:

  1. Locate the metadata export URL for ADFS
  2. Download FederationMetadata.xml file
  3. Start the Single Sign-On configuration on BMS
  4. Complete configuration on your IdP (ADFS)
    1. Create Claims Provider Trust
    2. Create a Rule to Send Claims Using a Custom Rule
    3. Verify SAML response signature
    4. Message is signed with expected signature algorithm

1. Locate the metadata export URL for ADFS:

  1. Log in to the ADFS server and open the management console.
  2. In the ADFS folder, expand Service and click Endpoints.
  3. Locate the FederationMetadata.xml file.

kb7268_01.png
 

2. Download FederationMetadata.xml file:

  1. Open the web browser on your laptop and enter the URL of the metadata endpoint (e.g. https://localhost/FederationMetadata/2007-06/FederationMetadata.xml; replace localhost with the hostname of your ADFS federation service when browsing from a machine other than the ADFS server) to navigate to the FederationMetadata.xml file on the ADFS server.
  2. Download the FederationMetadata.xml file to your laptop. This file will be uploaded to BMS in the next procedure.
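Before uploading the metadata to BMS it is worth checking what it actually contains, since BMS will trust whatever IdP identifier, endpoints and token-signing certificates are in the file. The following PowerShell script is an added example, not part of this article or of Barco Management Suite; it assumes the file was saved to the Downloads folder (the `$MetadataPath` default is an assumption) and uses only the standard SAML 2.0 metadata and XML-DSig namespaces.

```powershell
# Added example (not from the Barco KB article): inspect a downloaded
# FederationMetadata.xml before uploading it to BMS.
param(
    # Assumed location of the downloaded file; adjust as needed.
    [string]$MetadataPath = "$env:USERPROFILE\Downloads\FederationMetadata.xml"
)

[xml]$md = Get-Content -Path $MetadataPath -Raw

# ADFS metadata uses the SAML 2.0 metadata namespace as default and the
# XML-DSig namespace for keys and signatures; register both for XPath.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# The entityID is the IdP identifier that BMS will trust; it should be the
# federation service identifier of your ADFS farm.
$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
if (-not $entity) { throw "File does not look like SAML 2.0 metadata: no EntityDescriptor root element" }
"entityID : $($entity.GetAttribute('entityID'))"

# SAML 2.0 single sign-on endpoints advertised by ADFS.
$md.SelectNodes('/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
    ForEach-Object { "SSO      : $($_.GetAttribute('Binding')) -> $($_.GetAttribute('Location'))" }

# Token-signing certificates. BMS validates signed SAML responses against
# these, so an expired or unexpected certificate will break sign-in later.
$certXPath = '/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]' +
             '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$certNodes = $md.SelectNodes($certXPath, $ns)
if ($certNodes.Count -eq 0) { Write-Warning "No token-signing certificate found in IDPSSODescriptor" }

foreach ($node in $certNodes) {
    $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    "signing  : $($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter.ToString('u'))"
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Token-signing certificate $($cert.Thumbprint) has already expired"
    }
}

# ADFS signs the metadata document itself; report whether that signature is present.
if ($md.SelectSingleNode('/md:EntityDescriptor/ds:Signature', $ns)) {
    "metadata : contains an XML signature"
} else {
    Write-Warning "metadata : no XML signature found"
}
```

Run it as `.\Inspect-FederationMetadata.ps1 -MetadataPath <path>` from any machine with PowerShell 5 or later; it does not need the ADFS module. Compare the printed thumbprint against the token-signing certificate shown in the ADFS Management console (Service > Certificates) before uploading the file in the next procedure.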

3. Start the Single Sign-On configuration on BMS:

  1. Navigate to the Single Sign-On settings page on Barco Management Suite.
  2. Select protocol as SAML v2.0.
  3. For your metadata, select the FederationMetadata.xml file (downloaded in the procedure above) and click Upload.
  4. After the metadata has been uploaded, download the Barco metadata file by clicking the download button.

kb7268_02.png

Note:

If the Barco metadata doesn’t start downloading, you may need to check your browser settings.

4. Complete configuration on your IdP (ADFS):

In this step, you need to use the Barco metadata file obtained from BMS to complete configuring the application on your IdP.

  1. Create Claims Provider Trust
  2. Create a Rule to Send Claims Using a Custom Rule
  3. Verify SAML response signature
  4. Message is signed with expected signature algorithm

Create Claims Provider Trust:

Add a new claims provider trust in the ADFS Management snap-in by automatically importing the Barco SAML relying party (RP) metadata.

  1. In Server Manager, click Tools and then select ADFS Management.
     
  2. Click Relying Party Trusts.

    kb7268_03.png
     
  3. Under Actions, click Add Relying Party Trust...

    kb7268_04.png
     
  4. Click Welcome and then click Start.

    kb7268_05.png
     
  5. Click Select Data Source and then click Import data about the relying party from a file. In Federation metadata file location, browse to the Barco metadata file (downloaded from BMS in step 4 of the procedure Start the Single Sign-On configuration on BMS above) and then click Next.

    kb7268_06.png
     
  6. Click Specify Display Name and enter the Display name as Barco (remember Display name for later use) and then click Next.

    kb7268_07.png
     
  7. Click Choose Access Control Policy and then click Next.

    kb7268_08.png
     
  8. Click Next.
     
  9. Click Next.
     
  10. Leave the default settings and click Close.

Create a Rule to Send Claims Using a Custom Rule:

  1. Select a Barco Claim Provider Trust and click Edit Claim Issuance Policy.

    kb7268_09.png
     
  2. Click Add Rule.

    kb7268_10.png
     
  3. Select Send LDAP Attributes as Claims and click Next.

    kb7268_11.png
     
  4. Configure claims rule.

    kb7268_12.png
     
    Note: E-Mail-Addresses must be mapped to assertionSubjectName as the outgoing claim type.

    If the e-mail claim above does not work, map User-Principal-Name to assertionSubjectName instead of E-Mail-Addresses.

    kb7268_13.png
     
  5. Click Finish.

Verify SAML response signature:

Open PowerShell and run the command below (see the Microsoft docs for Get-AdfsRelyingPartyTrust):
Get-ADFSRelyingPartyTrust

and check that SamlResponseSignature is set to MessageAndAssertion in the output for the Barco trust:

SamlResponseSignature          : MessageAndAssertion

If SamlResponseSignature is not set as above, run the following command (see the Microsoft docs for Set-AdfsRelyingPartyTrust):

Set-AdfsRelyingPartyTrust -TargetName "Barco" -SamlResponseSignature MessageAndAssertion
Note: TargetName is the Display name entered earlier (step 6 of the procedure Create Claims Provider Trust).
 

Message is signed with expected signature algorithm:

  1. Right-click on Barco and then click Properties.

    kb7268_14.png
     
  2. Click the Advanced tab and select the algorithm you want to use (SHA-256 is more secure than SHA-1).

    kb7268_15.png
     
  3. Make sure the same value is set in the Signature algorithm on BMS.

    kb7268_02.png
     
  4. Click Apply and then click OK.
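The two checks above (response and assertion both signed, and the signature algorithm matching what BMS expects) can be done in one pass from PowerShell rather than by reading the Get-ADFSRelyingPartyTrust output and clicking through the Properties dialog. The script below is an added example, not part of this article or of Barco's tooling; it assumes the trust was given the display name Barco (step 6 above) and that BMS is set to SHA-256, both of which are parameters. It only reports by default and changes the trust only when run with -Fix.

```powershell
# Added example (not from the Barco KB article): verify, and optionally
# correct, the SAML signing settings of the relying party trust created above.
param(
    [string]$TrustName = 'Barco',                 # display name from step 6 (assumed)
    [string]$ExpectedSignatureScope = 'MessageAndAssertion',
    # ADFS represents the algorithm as an XML-DSig URI; this is RSA with SHA-256.
    [string]$ExpectedAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    [switch]$Fix                                  # without -Fix the script only reports
)

# Run on the ADFS server; the ADFS module provides the cmdlets used here.
Import-Module ADFS -ErrorAction Stop

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) {
    throw "No relying party trust named '$TrustName' found; check the display name used in step 6."
}

$problems = @()

# Signing both the SAML Response envelope and the Assertion inside it lets
# BMS detect tampering with either part of the message.
if ($trust.SamlResponseSignature -ne $ExpectedSignatureScope) {
    $problems += "SamlResponseSignature is '$($trust.SamlResponseSignature)', expected '$ExpectedSignatureScope'"
}

# The algorithm must match the Signature algorithm selected on BMS, otherwise
# BMS rejects the response; rsa-sha1 is the deprecated choice.
if ($trust.SignatureAlgorithm -ne $ExpectedAlgorithm) {
    $problems += "SignatureAlgorithm is '$($trust.SignatureAlgorithm)', expected '$ExpectedAlgorithm'"
}

if ($problems.Count -eq 0) {
    "Trust '$TrustName' already has the expected signing settings."
    return
}

$problems | ForEach-Object { Write-Warning $_ }

if ($Fix) {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName `
        -SamlResponseSignature $ExpectedSignatureScope `
        -SignatureAlgorithm $ExpectedAlgorithm

    # Re-read the trust to confirm the change took effect.
    $trust = Get-AdfsRelyingPartyTrust -Name $TrustName
    "Now: SamlResponseSignature=$($trust.SamlResponseSignature) SignatureAlgorithm=$($trust.SignatureAlgorithm)"
} else {
    "Re-run with -Fix to apply the expected settings."
}
```

Run it in an elevated PowerShell session on the ADFS server as `.\Check-BarcoTrustSigning.ps1` to audit, and add `-Fix` to apply the settings; if BMS is configured for SHA-1 instead, pass `-ExpectedAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'` so the two sides agree, as step 3 above requires.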

Properties

Last updated 26 February 2023