KRMC offers the ability to connect to an external Azure or similar SAMLv2 authentication site.
NOTE: If you are using Multi-Factor with KRMC, you will still need to apply the MFA security after SAML authenticates.
Here's how to configure it:
Prerequisites:
This feature currently supports only SSO logins for KRMC Super Administrators (SA) and Regular Administrators (RA). The following prerequisites apply for this feature to work:
- The SA and RA accounts that will use SAML SSO must already be configured as KRMC administrators in the KRMC UI. Please refer to your KRMC manual for information on how to create an RA account in KRMC.
- The customer must have Microsoft Active Directory Federation Services (AD FS) to integrate with KRMC. KRMC does not currently support SSO via 3rd party identity providers, though this may change in the future.
Exclusions:
KRMC SSO currently does not support detailed user management via AD FS. Only SAML-based SSO logins for existing KRMC administrator accounts are supported.
Background:
Active Directory Federation Services (AD FS) is a software component developed by Microsoft that can provide users with Single Sign On (SSO) access to systems and applications located across and outside the organizational boundary. For further reading, see AD FS on MSDN: https://msdn.microsoft.com/en-us/library/bb897402.aspx
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between 2 different systems, commonly referred to as the Identity Provider (IdP) and the Service Provider (SP). For further SAML reading, please refer to: https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
Integration Steps:
When integrating KRMC with your AD FS, the following 3 steps are involved:
Step 1: AD FS configuration – Setting up relying party trust
Step 2: AD FS configuration – Setting up claim rules
Step 3: KRMC configuration – Providing your AD FS information in KRMC user interface
Step 1: AD FS configuration – Setting up relying party trust
- Open AD FS Management and select “Relying Party Trusts”.
- Click on Add Relying Party Trust on the right side, in the Actions section. Click Start on Welcome screen.
- In the Select Data Source screen, select the last option “Enter Data About the Party Manually” and then click Next.
- On the next screen, enter a Display Name for KRMC SAML login and then click Next.
- On the Choose Profile screen select “AD FS profile” and then click Next.
- Leave default values for Configure Certificate and then click Next.
- Select “Enable support for the SAML 2.0 WebSSO protocol”, enter the KRMC SAML login URL: <KRMC URL>/app.php/saml_login as the relying party SAML 2.0 SSO service URL, and then click Next.
- Add relying party trust identifier: <KRMC URL>/app.php/saml_login and then click on the Add button. Click Next.
- Select “Permit all users to access this relying party” for Authorization Rules and then click Next.
- Leave default values on the Ready to Add Trust screen and then click Next.
- On the Finish page select “Open the Edit Claim Rules dialog” and then click Close.
Step 2: AD FS configuration – Setting up claim rules
- To create a new rule, click on Add Rule.
- Select “Send LDAP Attributes as Claims” and then click Next to create the rule.
- On the next screen do the following:
  - Enter name for rule.
  - Select “Active Directory” as Attribute store.
  - From the LDAP Attribute column, select “E-Mail Addresses”.
  - From the Outgoing Claim Type, select “E-Mail Address”.
- Click Finish to save the new rule.
- Create another new rule by clicking Add Rule, this time selecting “Transform an Incoming Claim” as the template. On the next screen do the following:
  - Enter name for rule.
  - For Incoming Claim Type, select E-mail Address.
  - For Outgoing Claim Type, select Name ID.
  - For Outgoing Name ID Format, select Email.
- Click Finish to save the new rule.
- Click OK to finish.
Step 3: KRMC Configuration - Providing your AD FS information in KRMC user interface
- Open and login to KRMC in your web browser as the Super Administrator (SA).
- Navigate to Settings -> Server Settings to reveal the SAML settings configuration area.
- Configure the SAML settings on this page. To get the required information, please check with your IT team or refer to the AD FS metadata XML file:
  - Entity ID: This is the Entity Id Issuer.
  - SAML SSO URL: This is the URL where KRMC will redirect the administrator for authentication. This would usually point to your organization’s SSO URL.
  - Certificate: This is the X.509 certificate. A sample metadata file and the necessary fields within the file are shown below:
- You can choose to allow administrators to log in using KRMC Only, SAML Only, or Both. This setting controls how administrators are able to log into KRMC.
  - KRMC Only requires admins to use their KRMC login credentials and does not use SAML. All attempts to use SAML will result in the login failing.
  - SAML Only requires all Regular Administrators (RA) to log in using SAML only. All attempts to use the standard KRMC login will fail.
  - Both allows the administrator to choose which login type they would like to use. Note that the SA will always be able to use both regardless of which option is selected.
- After all fields have been completed within KRMC, select Save SAML Settings.
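The three values Step 3 asks for can be read straight out of the AD FS metadata XML. The following is an added example, not Kanguru's code: it pulls the Entity ID, SSO URL and token-signing certificate from the IdP section only and computes certificate fingerprints to compare against AD FS before pasting. The sample metadata, the `adfs.example.test` host, the helper names, and the choice of the HTTP-Redirect endpoint are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def key_descriptor(use, raw):
    """Hypothetical helper: KeyDescriptor whose 'certificate' is constructed placeholder bytes."""
    b64 = base64.b64encode(raw).decode()
    return (f'<KeyDescriptor use="{use}"><KeyInfo xmlns="{NS["ds"]}"><X509Data>'
            f"<X509Certificate>{b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>")

# Constructed sample shaped like AD FS federation metadata; host and key bytes are placeholders.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <SPSSODescriptor>{key_descriptor('signing', b'constructed-sp-role-cert')}</SPSSODescriptor>
  <IDPSSODescriptor>
    {key_descriptor('encryption', b'constructed-encryption-cert')}
    {key_descriptor('signing', b'constructed-idp-signing-cert')}
    <SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def krmc_saml_fields(metadata_xml):
    """Return the Entity ID, SAML SSO URL and signing certificate(s) for the KRMC form."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)  # skip SP-role sections of the same file
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == REDIRECT]  # assumption: KRMC sends a redirect
    if not urls or not urls[0].startswith("https://"):
        raise ValueError("no HTTPS HTTP-Redirect SingleSignOnService endpoint")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":  # only signing keys verify assertions
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())
            der = base64.b64decode(b64, validate=True)
            # Windows certificate tools display the SHA-1 thumbprint.
            certs.append({"base64": b64, "sha256": hashlib.sha256(der).hexdigest(),
                          "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper()})
    if not certs:
        raise ValueError("no signing certificate in IDPSSODescriptor")
    return {"entity_id": root.get("entityID"), "sso_url": urls[0], "signing_certs": certs}
```

More than one entry in `signing_certs` means the metadata lists several signing certificates, so confirm with your IT team which one is current before saving it in KRMC.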
If the settings have been entered correctly, you should now be able to log into KRMC using your SAML service.
Now you are ready to test it. If you need further assistance, send an email to Kanguru Support at support@kanguru.zendesk.com or call us at 508-376-4245 option 2.