AD FS configuration for DESK SSO
Follow the examples below to configure DESK SSO using Active Directory Federation Services (AD FS) as the SAML identity provider (IdP).
Important: Use this IdP-specific help as part of the entire SAML configuration procedure for DESK SaaS.
Specify the metadata
-
On the Monitoring tab, specify the monitoring settings for the relying party trust.
- Relying party's federation metadata URL - We recommend that you specify the SSO DESK federation metadata URL:
https://sso.desk.com/sso/metadata - Monitor relying party - Selected.
- Automatically update relying party - Selected.
Monitoring tab example 
AlternativeIf you can't do the above (perhaps due to corporate policy), you need to download the metadata manually:
- Run the following command in PowerShell:
wget -Outfile desk_sso_metadata.xml https://sso.desk.com/sso/metadata - Update it for DESK SSO RelyingPartyTrust:
Update-AdfsRelyingPartyTrust -TargetIdentifier "<DESK_SSO_IDENTIFIER>" -MetadataFile 'desk_sso_metadata.xml'
- Relying party's federation metadata URL - We recommend that you specify the SSO DESK federation metadata URL:
-
On the Advanced tab, make sure the Secure hash algorithm is
SHA-256.Advanced tab example 
Configure claims mapping
To configure claims mapping
- Right-click
Sso DESK Relying Party TrustunderTrust Relationship. - Select
Edit Claims Rules....
Create Active Directory transformations
To create Active Directory transformations
-
Click
Add Rule.... -
Select
Send LDAP Attributes as Claims(the default option) and set values according to the following example values. -
Edit Rule - Email Attribute Claim:
- Claim rule name:
Email Attribute Claim - Attribute store:
Active Directory - Mapping of LDAP attributes to outgoing claim types:
- LDAP Attribute =
E-Mail-Addresses, Outgoing Claim Type =E-Mail Address
- LDAP Attribute =
Email Attribute Claim example 
- Claim rule name:
-
Edit Rule - First and Last Name:
- Claim rule name:
First and Last Name - Attribute store:
Active Directory - Mapping of LDAP attributes to outgoing claim types:
- LDAP Attribute =
Given-Name, Outgoing Claim Type =givenName - LDAP Attribute =
Surname, Outgoing Claim Type =sn
- LDAP Attribute =
First and Last Name example 
- Claim rule name:
-
Edit Rule - roles:
Token-Groups as SIDsis an example LDAP attribute that can be used for group mapping. Depending on your corporate LDAP, select the one that contains the LDAP user groups.- Claim rule name:
Group Mapping - Attribute store:
Active Directory - Mapping of LDAP attributes to outgoing claim types:
- LDAP Attribute =
Token-Groups as SIDs, Outgoing Claim Type =Group
- LDAP Attribute =
Roles example 
- Claim rule name:
Create Email to NameID transformation
To create an Email Address to NameID transformation
-
Click
Add Rule.... -
Select
Transform an Incoming Claim. -
Set the values according to this example.
- Claim rule name:
Email to Name ID - Incoming claim type:
E-Mail Address - Outgoing claim type:
Name ID - Outgoing name ID format:
Email - Pass through all claim values:
selected
Email to Name ID example 
- Claim rule name:
Final steps
-
Ensure that the SAML message will be signed:
Set-ADFSRelyingPartyTrust -TargetIdentifier "<DESK_SSO_IDENTIFIER>" -SamlResponseSignature "MessageAndAssertion" -
Ensure that the system clock's skew won't affect SAML request validation:
Set-ADFSRelyingPartyTrust -TargetIdentifier "<DESK_SSO_IDENTIFIER>" -NotBeforeSkew 2 -
Establish SAML authorization in DESK SSO.
You need to specify
First name attribute,Last name attribute, and theSecurity group claim attribute.
Usually these attributes for AD FS will be as follows, but this may vary depending on the AD FS version and settings.First name attributehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameLast name attributehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameSecurity group claim attributehttp://schemas.xmlsoap.org/claims/group