Single Sign-On - ADFS

Single Sign-On with ADFS requires several steps that are outlined here.

Add Relying Party Trust

  1. Open the ADFS management snap-in and select Add Relying Party Trust.
  2. Ensure Claims aware is selected and click Start.
  3. From the Single Sign-On page download QReserve's metadata, either Testing or Production depending on the stage of testing. Consult with QReserve first on the best implementation strategy for your organization. Use the Import data option and select the metadata file you downloaded. Note that the extension may not be .xml, so you will have to browse all file types in the Open File dialog.

You may see a warning similar to the following that can be safely ignored.

[Screenshot: warning dialog]
  4. Give your relying party a name such as QReserve or QReserve Testing Server.
  5. Decide who should have access or leave the default as Permit everyone.
  6. Select Next and Finish to complete adding your relying party trust.

Edit Claim Issuance Policy

  1. Next you need to set up claims to issue from your Active Directory. Click Edit Claim Issuance Policy.
  2. Click Add Rule to create a new rule.
  3. The rule template should be Send LDAP Attributes as Claims.
  4. Give your rule a meaningful name and select Active Directory as the Attribute store. You will need to map two LDAP attributes (left column) to outgoing claim types (right column) as displayed in the screenshot below:

E-Mail-Addresses: E-Mail Address
User-Principal-Name: Name ID

Optional: You can also pass in name claims by assigning the following Active Directory fields (left column) to specific URN strings (right column) as follows:

Display Name: urn:oid:2.16.840.1.113730.3.1.241
Given Name: urn:oid:2.5.4.42
Surname: urn:oid:2.5.4.4

[Screenshot: edit rule]
  5. Click Finish and then click OK to save your rules.
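The same rule can be created from PowerShell instead of the wizard, which is useful when you want the mapping under version control or need to repeat it on a second AD FS farm. This is an added example and not part of QReserve's documentation. It assumes the Relying Party Trust is named "QReserve Testing Server" and that Permit everyone was chosen for access; the claim type URIs are the standard AD FS ones behind the E-Mail Address and Name ID claims, and the LDAP attribute names (mail, userPrincipalName, displayName, givenName, sn) are the directory attributes behind the friendly names shown above.

```powershell
# Added example: create the "Send LDAP Attributes as Claims" rule from PowerShell.
# Assumption: the Relying Party Trust is named "QReserve Testing Server".
$rpName = "QReserve Testing Server"

# Claim rule language equivalent of the wizard rule. The order of entries in
# "types" must match the order of attributes in "query": mail -> E-Mail Address,
# userPrincipalName -> Name ID, then the three optional urn:oid name claims.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "QReserve attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "urn:oid:2.16.840.1.113730.3.1.241", "urn:oid:2.5.4.42", "urn:oid:2.5.4.4"), query = ";mail,userPrincipalName,displayName,givenName,sn;{0}", param = c.Value);
'@

# "Permit everyone" expressed as an issuance authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# These parameters replace the trust's whole rule sets, so look at what is
# there now before overwriting a trust that was already customised.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read the rule text back to confirm it was stored as intended.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Keep the rule limited to the attributes QReserve actually needs; every extra attribute in the query becomes a claim released to the relying party.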

PowerShell Tweaks

Finally, there are two properties of your Relying Party Trust that you must set through PowerShell. In the following command, replace "QReserve Testing Server" with the name of your Relying Party Trust.

Set-AdfsRelyingPartyTrust -TargetName "QReserve Testing Server" -SamlResponseSignature "MessageAndAssertion"

Set-AdfsRelyingPartyTrust -TargetName "QReserve Testing Server" -SignedSamlRequestsRequired $false
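Set-AdfsRelyingPartyTrust does not print anything on success, so it is worth reading the trust back and checking both values before moving on. The following is an added example, not QReserve's own script; it assumes the trust is named "QReserve Testing Server" and uses only the Set-AdfsRelyingPartyTrust and Get-AdfsRelyingPartyTrust cmdlets from the ADFS module.

```powershell
# Added example: apply the two required settings, then verify them.
# Assumption: the Relying Party Trust is named "QReserve Testing Server".
$rpName = "QReserve Testing Server"

# Sign both the SAML Response and the Assertion inside it.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlResponseSignature "MessageAndAssertion"
# QReserve sends unsigned AuthnRequests, so do not require request signatures.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SignedSamlRequestsRequired $false

# Read the trust back instead of assuming the cmdlets succeeded.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying Party Trust '$rpName' not found; check the -TargetName value." }

$problems = @()
if ($rp.SamlResponseSignature -ne "MessageAndAssertion") {
    $problems += "SamlResponseSignature is '$($rp.SamlResponseSignature)', expected 'MessageAndAssertion'"
}
if ($rp.SignedSamlRequestsRequired) {
    $problems += "SignedSamlRequestsRequired is still True"
}
if ($problems.Count -gt 0) { throw ($problems -join "; ") }

"{0}: SamlResponseSignature={1}, SignedSamlRequestsRequired={2}" -f `
    $rp.Name, $rp.SamlResponseSignature, $rp.SignedSamlRequestsRequired
```

If the name lookup fails, list the configured trusts with Get-AdfsRelyingPartyTrust and copy the Name value exactly; the -TargetName match is on the display name you gave in the wizard.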

Download Metadata and Submit to QReserve

You must download your metadata and send it to QReserve to set up your integration. You can access your metadata at the following URL, replacing the your.adfs.domain portion with your own AD FS domain:
https://your.adfs.domain/FederationMetadata/2007-06/FederationMetadata.xml
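Before sending the file, it is worth confirming it is the metadata you think it is: the entityID QReserve will register and the token-signing certificate(s), with their expiry dates, are both in it. The script below is an added example, not part of QReserve's documentation; it assumes you replace your.adfs.domain with your own AD FS host, that the metadata is served over HTTPS at the path shown above, and that the host running it has PowerShell 5 or later for the [X509Certificate2]::new() syntax.

```powershell
# Added example: download the AD FS federation metadata and inspect it.
# Assumption: replace your.adfs.domain with your own AD FS host name.
$adfsHost = "your.adfs.domain"
$uri      = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile  = Join-Path $env:TEMP "FederationMetadata.xml"

Invoke-WebRequest -Uri $uri -OutFile $outFile -UseBasicParsing

[xml]$md = Get-Content -Path $outFile -Raw
$entity = $md.EntityDescriptor   # PowerShell resolves the element by local name

# The entityID is the identifier QReserve will associate with your IdP.
"entityID: $($entity.entityID)"

# List the token-signing certificates and when they expire. A certificate near
# expiry means the metadata will have to be re-sent after the next rollover.
$entity.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq "signing" } |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    } | Format-Table -AutoSize

"Saved metadata to $outFile; attach this file to the QReserve SSO request."
```

If the download fails with a TLS error, the AD FS service certificate is the likely cause; fix that on the server rather than bypassing certificate validation in the script, because the same certificate is what QReserve's users will see.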

Finally, submit your SSO metadata and request to us on our SSO Request form.