Single Sign On
This article applies to these plans:
- All users must have a first name, surname and email address set as attributes in an Active Directory instance
- You must have a subscription plan with SSO enabled
- Your IDP must support SAML 2.0
- You need the SSL certificate used for IDP login and the fingerprint of that certificate
How to Configure Single Sign On (SSO)
Phase 1: Add a Relying Party Trust
1. In the AD FS Management console, select Relying Party Trusts, right-click and select Add Relying Party Trust, then click Start.
2. In Select Data Source, select the last option, Enter data about the relying party manually, and then click Next >.
- An XML metadata file is provided on DicksonOne.com if importing the data is preferred
- Please see Phase 4 for more info
Phase 2: Create Claims Rules
The claim rule editor opens automatically once you have created the trust.
1. Create a rule in Issuance Transform Rules by clicking Add Rule...
2. In Choose Rule Type, select Send LDAP Attributes as Claims from the Claim rule template: drop-down.
3. On the next screen, enter a name in Claim rule name:. Under Attribute store:, select Active Directory from the drop-down. Under Mapping of LDAP attributes to outgoing claim types:, select E-Mail-Addresses, Given-Name and Surname in both columns (LDAP attribute and outgoing claim type).
4. On the next screen, click Apply and then OK.
Phase 3: Adjust Trust Settings
Settings in your relying party trust may need adjustment.
1. Open your newly added DicksonOne Relying Party Trust by double-clicking it.
2. In the Properties window, click Advanced. Secure hash algorithm: should be set to SHA-1; SHA-256 is supported as well.
3. Add a SAML logout endpoint:
   A. Click Endpoints, then click Add SAML to add a new endpoint.
   B. Provide the following:
   - Endpoint type: SAML Logout
   - Binding: POST
   - Trusted URL: your AD FS FQDN followed by the string /adfs/ls/?wa=wsignout1.0, like this: https://[Your ADFS FQDN]/adfs/ls/?wa=wsignout1.0
   - Response URL: leave blank
   - Click OK
   C. Click Apply and then OK.
Phase 4: Get Started with SSO Configuration on DicksonOne
The DicksonOne SSO configuration page contains the following fields:
- DicksonOne SSO URL: Provided by Dickson
- Issuer Metadata URL: System generated
- Users' Metadata XML URL
  - Part of Phase 1 step 7.
  - Can be downloaded for use
- Consumer Service URL: System generated
  - Used for error handling
  - Part of Phase 1 step 6.
- IDP Sign-On URL: User provided
- IDP Logout URL: User provided
  - Should have been created in Phase 3 step 3 B.
- SHA1 or SHA256 Certificate Fingerprint: User provided
  - The fingerprint must be taken from the Token Signing Certificate, not from the service communications or decryption certificate
- Force users to sign in through SSO?: Lets the account owner control whether users must sign in with their AD credentials. If sign-in is not forced, users can also log in with their DicksonOne email and password.
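The AD FS side of Phases 1 to 3 can also be done from PowerShell instead of the management console. The script below is an added example, not Dickson's or the AD FS team's own code: it uses the standard ADFS and ActiveDirectory modules to create the trust, the Send LDAP Attributes as Claims rule, and the SAML logout endpoint from Phase 3, and it goes a little beyond the article in two places: it first checks the Phase 1 prerequisite that every enabled user has mail, givenName and sn set, and at the end it prints both the SHA-1 and SHA-256 fingerprint of the token-signing certificate that Phase 4 asks for. The values `adfs.example.com`, the DicksonOne Consumer Service URL and the DicksonOne issuer identifier are placeholders; take the real ones from your AD FS server and from the DicksonOne SSO page. SHA-256 is selected as the signature algorithm here; the article accepts either.

```powershell
# Added example, not from the DicksonOne article. Run in an elevated
# PowerShell session on the AD FS server.
Import-Module ADFS
Import-Module ActiveDirectory

$AdfsFqdn      = 'adfs.example.com'                          # placeholder: your AD FS FQDN
$DicksonOneAcs = 'https://REPLACE-WITH-DICKSONONE-CONSUMER-SERVICE-URL'  # placeholder (Phase 4 field)
$DicksonOneId  = 'https://REPLACE-WITH-DICKSONONE-ISSUER-ID'             # placeholder (Phase 4 field)
$TrustName     = 'DicksonOne'

# Prerequisite check: the claim rule below sends mail, givenName and sn, so
# any enabled user missing one of them will not be able to sign in via SSO.
$missing = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, givenName, sn |
    Where-Object { -not $_.mail -or -not $_.givenName -or -not $_.sn }
if ($missing) {
    Write-Warning 'Enabled users missing mail/givenName/sn (SSO will fail for them):'
    $missing | Select-Object SamAccountName, mail, givenName, sn | Format-Table
}

# Phase 2 equivalent: the "Send LDAP Attributes as Claims" rule for
# E-Mail-Addresses, Given-Name and Surname in AD FS claim rule language.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "DicksonOne user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Phase 3 step 3 equivalent: the SAML Logout endpoint uses the AD FS sign-out
# URL from the article; the assertion consumer endpoint is DicksonOne's.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $DicksonOneAcs -Index 0
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri "https://$AdfsFqdn/adfs/ls/?wa=wsignout1.0"
)

# Phase 1 and Phase 3 step 2 equivalent: create the trust manually (no
# metadata import) and pin the signature algorithm (the "Secure hash
# algorithm" setting on the Advanced tab). The permit-all authorization rule
# reproduces the wizard's default of allowing all users.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $DicksonOneId `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $claimRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Check what was written before moving on to the DicksonOne side.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SignatureAlgorithm,
                  @{ n = 'Endpoints'; e = { $_.SamlEndpoints.Location } }

# Phase 4 input: the fingerprint must come from the primary *token-signing*
# certificate. The Thumbprint property is SHA-1; SHA-256 is computed over the
# certificate's DER bytes.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$sha256  = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($signing.RawData) |
            ForEach-Object { $_.ToString('X2') }) -join ':'
"Token-signing SHA-1   : $($signing.Thumbprint)"
"Token-signing SHA-256 : $sha256"
```

The final two lines give you the value for the SHA1 or SHA256 Certificate Fingerprint field in Phase 4. If you rotate the AD FS token-signing certificate later (automatic certificate rollover is on by default), the fingerprint stored in DicksonOne must be updated at the same time or SSO logins will start failing.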
FAQs
What happens with user logins when SSO is forced?
- Users will have to log in using their Active Directory (AD) credentials.
- If the user has an email and password in DicksonOne, the user will not be able to log in with them and will see the message: "Password-based login has been disabled for your account. Please sign in using your Single Sign-On identity provider."
- The user will have to click Single Sign-On to be rerouted to their company's DicksonOne SSO login page.
- Security settings will be managed by your company's group policy.
- User Timeout in account settings will be the only security option available.