Skip to content

QReserve Academy

Open a Support TicketSystem Status

Single Sign-On - ADFS

Single Sign-On with ADFS requires several steps that are outlined here.

Add Relying Party Trust

  1. Open the ADFS management snap-in and select Add Relying Party Trust.

ADFS Step 1

  1. Ensure Claims aware is selected and click Start.

ADFS Step 2

  1. From the Single Sign-On page download QReserve's metadata, either Testing or Production depending on the stage of testing. Consult with QReserve first on the best implementation strategy for your organization. Use the Import data option and select the metadata file you downloaded. Note that the extension may not by .xml so you will have to browse all file types in the Open File dialog.

ADFS Step 3

You may see a warning similar to the following that can be safely ignored. ADFS Step 3 Warning

  1. Give your relying party a name such as QReserve or QReserve Testing Server.

ADFS Step 4

  1. Decide who should have access or leave the default as Permit everyone.

ADFS Step 5

  1. Select Next and Finish to complete adding your relying trust.

ADFS Step 6

Edit Claim Issuance Policy

  1. Next you need to setup claims to issue from your Active Directory. Click Edit Claim Issuance Policy.

ADFS Step 7

  1. Click Add Rule to create a new rule.

ADFS Step 8

  1. The rule template should be Send LDAP Attributes as Claims.

ADFS Step 9

  1. Give your rule a meaningful name and select Active Directory as the Attribute store. You will need to select two attributes as displayed in the screenshot below:\

E-Mail-Addresses: E-Mail Address
User-Principal-Name: Name ID

Optional: You can also pass in name claims by assigning the following Active Directory fields (left column) to specific URN strings (right column) as follows:
Display Name: urn:oid:2.16.840.1.113730.3.1.241
Given Name: urn:oid:2.5.4.42
Surname: urn:oid:2.5.4.4

ADFS Step 10

  1. Click Finish and then click OK to save your rules.

ADFS Step 11

PowerShell Tweaks

Finally, there are two properties of your Relying Party Trust that you must set through PowerShell. In the following command, replace "QReserve Testing Server" with the name of your Relying Party Trust.

Set-AdfsRelyingPartyTrust -TargetName "QReserve Testing Server" -SamlResponseSignature "MessageAndAssertion"`

Set-AdfsRelyingPartyTrust -TargetName "QReserve Testing Server" -SignedSamlRequestsRequired $false

Download Metadata and Submit to QReserve

You must download your metadata and send this to QReserve to setup your integration. You can access your metadata at the following URL where you replace the your.adfs.domain portion with your own AD FS domain:
https://your.adfs.domain/FederationMetadata/2007-06/FederationMetadata.xml

Finally, submit your SSO metadata and request to us on our SSO Request form.