
This article applies to these plans: Basic, Standard, Compliant

Single Sign On

Requirements

  • All users must have a first name, surname and email address set as attributes in an Active Directory instance
  • A subscription plan with SSO enabled
  • An IDP that supports SAML 2.0
  • An SSL certificate for IDP login, and the fingerprint of that certificate

How to Configure Single Sign On (SSO)

Phase 1: Add a Relying Party Trust

1. In the AD FS Management console, select Relying Party Trusts, right-click and select Add Relying Party Trust, and then click Start

2. In Select Data Source, select the last option, Enter data about the relying party manually, and then click Next >
  • An XML file is provided on DicksonOne.com if importing the data is preferred
  • Please see Phase 4 for more information

3. On the next screen, Specify Display Name, enter a name you will recognize in Display name: and click Next >

4. In Choose Profile, select AD FS profile, which supports security token encryption and the SAML 2.0 protocol, and then click Next >

5. In Configure Certificate, leave the default values as they are and click Next >

6. In Configure URL, check the box Enable support for the SAML 2.0 WebSSO protocol and fill in the Relying party SAML 2.0 SSO service URL: with your Consumer Service URL found on your DicksonOne account (see more in Phase 4)

7. In Configure Identifiers, enter your URL under Relying party trust identifier:, click Add, and then click Next >

8. In Configure Multi-factor Authentication, select whichever applies to your organization

9. For Choose Issuance Authorization Rules, click Permit all users to access this relying party and then click Next >

10. In Ready to Add Trust, click Next > 

11. On the final Finish screen, check the box Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, and click Close

Phase 2: Create Claims Rules
The claim rule editor will automatically open once you have created the trust 

1. Create a rule in Issuance Transform Rules by clicking Add Rule…

2. In Choose Rule Type, select Send LDAP Attributes as Claims from the drop-down under Claim rule template:

3. On the next screen, enter a name in Claim rule name:. Under Attribute store:, select Active Directory from the drop-down. Under Mapping of LDAP attributes to outgoing claim types:, select E-Mail-Addresses, Given-Name and Surname in both columns (LDAP Attribute and Outgoing Claim Type).

4. On the next screen click Apply and then OK

Phase 3: Adjust Trust Settings
Settings in your relying party trust may need adjustment 

1. Open your newly added DicksonOne Relying Party Trust by double-clicking 

2. In the Properties window, click Advanced. The Secure hash algorithm should be set to SHA-1, though SHA-256 is supported as well.

3. Add a SAML logout endpoint:

A. Click on Endpoints and click Add SAML to add the new endpoint

B. Provide the following:

  • Endpoint type: set to SAML Logout
  • Binding: set to POST
  • Trusted URL: append the string /adfs/ls/?wa=wsignout1.0 to your AD FS FQDN so it looks like this: https://[Your ADFS FQDN]/adfs/ls/?wa=wsignout1.0
  • Response URL: should be left blank
  • Click OK

C. Click Apply and then OK

Phase 4: Get Started with SSO Configuration on DicksonOne
  1. DicksonOne SSO URL: Provided by Dickson 
  2. Issuer Metadata URL: System generated
    • Users’ metadata XML URL
    • Used in Phase 1, step 7
    • Can be downloaded for use
  3. Consumer Service URL: System generated
    • Used for error handling
    • Used in Phase 1, step 6
  4. IDP Sign-On URL: User provided
  5. IDP Logout URL: User provided
    • Should have been created in Phase 3, step 3B
  6. SHA1 or SHA 256 Certificate Fingerprint: User Provided
    • Fingerprint must be from the Token Signing Certificate 
  7. Force users to sign in through SSO? Allows the account owner to control whether users must sign in with their AD credentials. If SSO is not forced, users will also be able to log in with their DicksonOne email and password.
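
The same Phase 1 to 3 configuration, plus the Phase 4 fingerprint check, can be scripted with the AD FS PowerShell module on the AD FS server. This is an added example and not Dickson's or Microsoft's own script; the values in angle brackets are placeholders for the URLs shown on your DicksonOne SSO page, and the claim type URIs are the standard ones the Send LDAP Attributes as Claims template emits.

```powershell
# Added example (not Dickson's or Microsoft's own code). Run in an elevated
# PowerShell session on the AD FS server. Replace the <...> placeholders with
# the values from your DicksonOne SSO page (Phase 4).
$RpName       = "DicksonOne"
$RpIdentifier = "<Relying party trust identifier, Phase 4 step 2>"
$AcsUrl       = "<Consumer Service URL, Phase 4 step 3>"
$AdfsFqdn     = "<Your ADFS FQDN>"

# Phase 1 step 6 and Phase 3 step 3: assertion consumer and SAML logout endpoints
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri "https://$AdfsFqdn/adfs/ls/?wa=wsignout1.0"
)

# Phase 2: send the AD mail, givenName and sn attributes as email, given name and surname claims
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "DicksonOne user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Phase 1 step 9: permit all users to access this relying party
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Phase 1 and Phase 3 step 2: SAML-only trust. SHA-256 is used here; the guide
# notes that SHA-1 is the default and SHA-256 is supported as well.
Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $RpIdentifier `
    -ProtocolProfile SAML -SamlEndpoint $endpoints `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Phase 4 step 6: fingerprint of the primary Token-Signing certificate (not the
# service communications certificate). Thumbprint is SHA-1; SHA-256 is computed
# over the certificate's raw DER bytes.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$sha256  = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($signing.Certificate.RawData) |
            ForEach-Object { $_.ToString("X2") }) -join ":"
"SHA-1   fingerprint: $($signing.Thumbprint)"
"SHA-256 fingerprint: $sha256"
```

Paste whichever fingerprint matches the algorithm you chose in Phase 3 into the DicksonOne SSO page; a fingerprint taken from any other AD FS certificate will cause signature validation to fail.
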

FAQs
What happens with user logins when SSO is forced?
  • Users will have to login using their Active Directory (AD) credentials 
  • If the user has an email and password in DicksonOne, the user will not be able to log in with them and will see the message: Password-based login has been disabled for your account. Please sign in using your Single Sign-On identity provider.
  • The user will have to click on Single Sign-On to be rerouted to their company’s DicksonOne SSO login page 
What happens with security when SSO is forced?
  • Security settings will be managed by your company’s group policy
  • User Time out in account settings will be the only security option available 
