Connecting Turbot SAML to ADFS

Turbot SAML > ADFS

Configuring the ADFS server:

  1. Start the Add Relying Party Trust wizard on the ADFS server.

  2. Select Claims Aware then hit next.

  3. At the Select Data Source page, select Enter data about the reyling party manually and click next.

  4. Choose a display name that makes sense for your organization, such as urn:Turbot:SAML. Notes are optional.

  5. Select AD FS Profile and click next.

  6. Skip the Configure Certificate page by clicking next.

  7. On the Configure URL page, check the box for Enable support for the SAML 2.0 WebSSO protocol

  8. Enter the Relying party SAML 2.0 SSO service URL. This will be of the form https://<turbotURL>/api/v3/directories/{directoryUrn}/saml/callback. Note there is no trailing slash at the end of the URL.

  9. Add a Relying party trust identifier with the Turbot URL.

  10. Multi-factor authentication can be configured on the next page. The configuration of MFA is determined by the organization setting up the authentication method and is outside the scope of this guide.

  11. Select Permit all users to access this relying party and hit next.

  12. Confirm settings, then select the box to Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and select close.

One can also use the directory URN to request the metadata required to authenticate to Turbot using ADFS:

  1. After configuring the directory in Turbot, point the browser to the URL: <turbot url>/api/v3/directories/{directoryUrn}/saml/metadata, i.e.{directoryName}/saml/metadata

  2. This will return a metadata XML file. Copy the text in the browser and save as .xml.

  3. Instead of selecting Enter data about the relying party manually, select the option to Import data about the relying party from a file and import the previously saved XML.

  4. Continue by selecting Permit all users to access this relying party and hit next.

  5. Confirm settings, then select the box to Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and select close.

Creating Claim Rules:

  1. In the Edit Claim Rules window, navigate to Issuance Transform Rules tab and click Add Rule.

  2. Select Send LDAP Attributes as Claims in the drop down menu then click next.

  3. In the LDAP Attribute column, select Email Addresses. For the Outgoing Claim Type, also select Email Addresses, then click the OK button to save the rule

  4. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim in the drop down menu.

  5. Select E-mail Addresses as the Incoming Claim Type.

  6. For Outgoing Claim Type, select Name ID.

  7. For Outgoing Name ID Format, select Email.

  8. Select Pass through all claim values, then click OK

  9. Depending on the current ADFS configuration, more rules might need to be added. Below is a list of the metadata values that Turbot expects to see. :

The attributes that ADFS is providing can be seen by grabbing the SAML response in .xml format

  1. Optional Attributes/Metadata:

    • nameID -> (unique login id, e.g. UPN or sAMAccountName)

    • sAMAccountName -> jdoe (if using Turbot Windows User Management or AD Group Sync)

    • linuxUID (if you want to sync Linux UIDs with on-premise Centrify/LDAP)

Retrieving X.509 certificate value:

  1. In the ADFS window, use the left side to navigate to  ADFSService Certificates. Select the Token-signing certificate, right click, and select View Certificate.

  2. On the Details tab, click Copy to File.

  3. In the Certificate Export Wizard, click Next, then select Base-64 encoded X.509 (.CER), then click Next again.

  4. Save the certificate to a convenient location, click Next, and review the settings. If everything looks correct, click Finish.

  5. Export the Token Signing Certificate as a DER format .cer and then run the following transform to extract the multiline PEM that turbot is expecting:

    $ openssl x509 -inform der -in certificate.cer -outform pem -out certificate.pem
  6. The metadata of the certificate will need to be pasted into the appropriate section when configuring the integration in Turbot.

Turbot configuration:


The callback URL will complete itself. The URL is composed of a web instance's AWS DNS URL and the URN for the new directory. 



Was this article helpful?
0 out of 0 found this helpful