AD FS configuration for DESK SSO
Follow the examples below to configure DESK SSO using Active Directory Federation Services (AD FS) as the SAML identity provider (IdP).
Important: Use this IdP-specific help as part of the entire SAML configuration procedure for DESK SaaS.
Specify the metadata
- On the Monitoring tab, specify the monitoring settings for the relying party trust:
  - Relying party's federation metadata URL - We recommend that you specify the DESK SSO federation metadata URL:
    https://sso.desk.com/sso/metadata
  - Monitor relying party - Selected.
  - Automatically update relying party - Selected.
  Alternative: If you can't do the above (for example, because corporate policy does not allow the AD FS server to make outbound HTTPS requests), download the metadata manually and load it into the trust:
  - Run the following command in PowerShell (wget is an alias of Invoke-WebRequest in Windows PowerShell; the full cmdlet name works in every PowerShell version):
    Invoke-WebRequest -Uri https://sso.desk.com/sso/metadata -OutFile desk_sso_metadata.xml
  - Update the DESK SSO relying party trust from the downloaded file:
    Update-AdfsRelyingPartyTrust -TargetIdentifier "<DESK_SSO_IDENTIFIER>" -MetadataFile 'desk_sso_metadata.xml'
  Because the trust is then no longer refreshed automatically, repeat these two steps whenever the DESK SSO metadata changes (for example, when the DESK SSO signing certificate is rolled over); otherwise sign-in breaks once the old certificate is retired.
- On the Advanced tab, make sure the Secure hash algorithm is SHA-256.
Configure claims mapping
To configure claims mapping
- Right-click Sso DESK Relying Party Trust under Trust Relationships.
- Select Edit Claim Rules....
Create Active Directory transformations
To create Active Directory transformations
- Click Add Rule....
- Select Send LDAP Attributes as Claims (the default option) and set the values according to the following example values.
- Edit Rule - Email Attribute Claim:
  - Claim rule name: Email Attribute Claim
  - Attribute store: Active Directory
  - Mapping of LDAP attributes to outgoing claim types:
    - LDAP Attribute = E-Mail-Addresses, Outgoing Claim Type = E-Mail Address
- Edit Rule - First and Last Name:
  - Claim rule name: First and Last Name
  - Attribute store: Active Directory
  - Mapping of LDAP attributes to outgoing claim types:
    - LDAP Attribute = Given-Name, Outgoing Claim Type = givenName
    - LDAP Attribute = Surname, Outgoing Claim Type = sn
  Note that the outgoing claim type determines the attribute name that appears in the SAML assertion: the built-in types Given Name and Surname are emitted with the claim URIs listed under Final steps, whereas a custom name typed into the box (such as givenName or sn) is emitted as that literal string. Whatever you choose here must match the attribute names you later enter in DESK SSO.
- Edit Rule - roles:
  Token-Groups as SIDs is an example LDAP attribute that can be used for group mapping. Depending on your corporate LDAP, select the one that contains the LDAP user groups. Keep in mind that Token-Groups as SIDs emits group SIDs (S-1-5-21-...), so the group names configured in DESK SSO must be SIDs as well; if you want to map by group name instead, use Token-Groups - Unqualified Names. Either way, the claim contains all of the user's groups, so consider restricting it to the groups DESK SSO actually needs.
  - Claim rule name: Group Mapping
  - Attribute store: Active Directory
  - Mapping of LDAP attributes to outgoing claim types:
    - LDAP Attribute = Token-Groups as SIDs, Outgoing Claim Type = Group
Create Email to NameID transformation
To create an Email Address to NameID transformation
- Click Add Rule....
- Select Transform an Incoming Claim.
- Set the values according to this example:
  - Claim rule name: Email to Name ID
  - Incoming claim type: E-Mail Address
  - Outgoing claim type: Name ID
  - Outgoing name ID format: Email
  - Pass through all claim values: selected
Final steps
- Ensure that both the SAML response message and the assertion inside it are signed (AD FS signs only the assertion by default):
  Set-ADFSRelyingPartyTrust -TargetIdentifier "<DESK_SSO_IDENTIFIER>" -SamlResponseSignature "MessageAndAssertion"
- Ensure that clock skew between AD FS and DESK SSO won't cause assertion validation to fail. -NotBeforeSkew moves the assertion's NotBefore condition back by the given number of minutes (here 2), so an AD FS clock that runs slightly ahead does not issue assertions that DESK SSO rejects as not yet valid:
  Set-ADFSRelyingPartyTrust -TargetIdentifier "<DESK_SSO_IDENTIFIER>" -NotBeforeSkew 2
- Establish SAML authorization in DESK SSO. You need to specify the First name attribute, the Last name attribute, and the Security group claim attribute. Usually these attributes for AD FS will be as follows, but this may vary depending on the AD FS version and settings; the exact URIs your AD FS emits are listed under Service > Claim Descriptions in the AD FS management console:
  First name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  Last name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  Security group claim attribute: http://schemas.xmlsoap.org/claims/group
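The whole procedure on this page (trust from metadata with monitoring, SHA-256, the four claim rules, response signing, NotBefore skew, and a final check of the claim URIs to enter in DESK SSO) as one script, added here as an example; it is not part of the DESK documentation or of any DESK tooling. It uses the page's metadata URL and the <DESK_SSO_IDENTIFIER> placeholder; the trust name, the rule names, the permit-everyone authorization rule and the AD FS built-in Group claim URI (http://schemas.xmlsoap.org/claims/Group) are assumptions. The claim rule text is what the AD FS wizards generate for the settings described above: Token-Groups as SIDs corresponds to tokenGroups(SID) in the LDAP query, and the Email name ID format is set through the format claim property. If your policy requires the manual metadata file instead of the URL, replace -MetadataUrl with -MetadataFile.

```powershell
# Added example (not DESK's own code): configure the DESK SSO relying party trust in AD FS
# end to end. Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

$Identifier  = "<DESK_SSO_IDENTIFIER>"               # placeholder from the page; taken from the DESK SSO metadata
$MetadataUrl = "https://sso.desk.com/sso/metadata"
$TrustName   = "Sso DESK Relying Party Trust"        # assumed display name

# Issuance transform rules exactly as the "Send LDAP Attributes as Claims" and
# "Transform an Incoming Claim" wizards emit them for the settings on this page.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Attribute Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "First and Last Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";givenName,sn;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Group Mapping"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups(SID);{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Assumed authorization rule: permit everyone who authenticates. Tighten this to a
# group check if only some users should reach DESK.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 1: create the trust from the federation metadata with monitoring and automatic
# update, so a DESK SSO signing-certificate rollover is picked up without manual work.
# On a re-run the existing trust is refreshed from its stored metadata URL instead.
if (Get-AdfsRelyingPartyTrust -Identifier $Identifier -ErrorAction SilentlyContinue) {
    Update-AdfsRelyingPartyTrust -TargetIdentifier $Identifier
} else {
    Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true `
        -IssuanceAuthorizationRules $AuthzRules
}

# Step 2: claim rules plus the security settings from "Final steps": SHA-256 signing,
# signature on both the Response and the Assertion, and 2 minutes of NotBefore skew.
Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier `
    -IssuanceTransformRules $TransformRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -SamlResponseSignature "MessageAndAssertion" `
    -NotBeforeSkew 2

# Step 3: verify what was applied, then list the claim URIs this AD FS actually uses so
# the First name, Last name and Security group attributes entered in DESK SSO match.
Get-AdfsRelyingPartyTrust -Identifier $Identifier |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlResponseSignature,
                  NotBeforeSkew, MonitoringEnabled, AutoUpdateEnabled

Get-AdfsClaimDescription |
    Where-Object { $_.Name -in 'E-Mail Address', 'Given Name', 'Surname', 'Group', 'Name ID' } |
    Select-Object Name, ClaimType
```

The script is safe to re-run: the trust is created once and refreshed afterwards, and Set-AdfsRelyingPartyTrust replaces the rule set rather than appending to it. After running it, confirm the result with a real sign-in and compare the attribute names in the assertion with what you configured in DESK SSO; the Get-AdfsClaimDescription output is the authoritative list of URIs when the values under Final steps do not match your AD FS version.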