Overview
TopTeam supports Web single sign-on (SSO) using Active Directory with ADFS and SAML. ADFS is a Microsoft service for Windows Server that provides a web login using existing Active Directory credentials.
This article explains how to configure a relying party for TopTeam on ADFS Server.
Who should read this?
- TopTeam Administrators
- TopTeam Users
Prerequisites
- A server running Microsoft Windows Server 2008 or later.
- For configuring and installing ADFS, refer to the Microsoft KB article.
- When you have installed ADFS, note down the value of the ‘SAML 2.0/WS-Federation’ URL in the ADFS Endpoints section. If you chose the defaults during installation, this will be ‘/adfs/ls/’.
Step 1. Start Add Relying Party Trust Wizard
Open the ADFS Management Console and select Add Relying Party Trust to start the Add Relying Party Trust Wizard.
Step 2. Adding a Relying Party Trust
The connection between ADFS and TopTeam is defined using a Relying Party Trust (RPT).
Step 2.1. Select Data Source
Step 2.2. Specify Display Name
Step 2.3. Choose Profile
Step 2.4. Configure Certificate (optional)
Step 2.5. Specify TopTeam External Authentication Service URL
The URL has the format: https://<Domain>/rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS
If your TopTeam is running at https://acmecorp.com/, the URL will be https://acmecorp.com/rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS.
NOTE:
The URL is case-sensitive. We recommend copying and pasting the “rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS” part of the URL to avoid connection errors.
Step 2.6. Configure Identifiers
The relying party trust identifier has the format: https://<Domain>/rest/ExternalAuth/ttmExtAuthSrv.dll
E.g. https://acmecorp.com/rest/ExternalAuth/ttmExtAuthSrv.dll
Step 2.7. You can skip configuring Multi-factor Authentication
Step 2.8. Choose Issuance Authorization Rules
On the next two screens, the wizard will display an overview of your settings.
Step 2.9. Finish
Step 3. Creating claim rules
Once the relying party has been created, you need to create the claim rules. Claim rules are required to pass on attributes of the authenticated user from ADFS to TopTeam.
Step 3.1. Add new rule
Step 3.2. Choose Rule Type
Step 3.3. Configure Claim Rule
Specify the LDAP attribute that should be submitted to TopTeam. Ensure that the attribute value exactly matches the Username of the TopTeam user account; otherwise the login will be denied.
Step 4. Adjusting the trust settings
You need to adjust settings on your RPT. To access these settings, select Properties from the Actions sidebar while you have the RPT selected.
Step 4.1. Configure SAML Logout (optional)
The trusted URL has the format: https://<Domain>/rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS/Logout/Request
E.g. https://acmecorp.com/rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS/Logout/Request
The response URL has the format: https://<Domain>/rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS/Logout/Response
E.g. https://acmecorp.com/rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS/Logout/Response
NOTE:
The URLs are case-sensitive. We recommend copying and pasting the “rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS/Logout/Request” and “rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS/Logout/Response” parts of the URLs to avoid connection errors.
You have successfully configured the endpoint and RPT properties.
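Steps 2 to 4 above can also be performed with the ADFS PowerShell module instead of the wizard, which makes the configuration reviewable and repeatable. The following script is an added example written for this article; it is not code from TopTeam or Microsoft. It reuses the acmecorp.com host and the endpoint paths from the article; the display name, the sAMAccountName attribute used for the claim rule, and the Redirect binding for the logout endpoints are assumptions that you should adjust for your deployment. Run it in an elevated PowerShell session on the ADFS server.

```powershell
# Added example (not from the TopTeam article): create the TopTeam relying party
# trust, its claim rule and its logout endpoints with the ADFS cmdlets,
# mirroring Steps 2-4 of the wizard.
Import-Module ADFS

$Domain      = 'acmecorp.com'   # assumption: the host your TopTeam runs on
$DisplayName = 'TopTeam'        # assumption: any display name (Step 2.2)
$Base        = "https://$Domain/rest/ExternalAuth/ttmExtAuthSrv.dll"   # identifier (Step 2.6)

# Endpoint paths as given in the article; they are case-sensitive.
$AcsUri            = "$Base/SAML/ACS"                   # Step 2.5
$LogoutRequestUri  = "$Base/SAML/ACS/Logout/Request"    # Step 4.1
$LogoutResponseUri = "$Base/SAML/ACS/Logout/Response"   # Step 4.1

# Catch the case-sensitivity pitfall the article warns about before anything is
# saved: an ordinal comparison rejects a hand-typed path such as '/saml/acs'.
$ExpectedAcsPath = '/rest/ExternalAuth/ttmExtAuthSrv.dll/SAML/ACS'
$ActualAcsPath   = ([uri]$AcsUri).AbsolutePath
if (-not $ActualAcsPath.Equals($ExpectedAcsPath, [System.StringComparison]::Ordinal)) {
    throw "ACS path '$ActualAcsPath' does not match '$ExpectedAcsPath' exactly (case matters)."
}

# Steps 2.5 and 4.1: SAML endpoints. Assertions are delivered by HTTP POST;
# the logout request/response pair uses the Redirect binding (assumption).
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUri -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $LogoutRequestUri -ResponseUri $LogoutResponseUri
)

# Step 3.3: claim rule. Query the user's sAMAccountName (assumption: the LDAP
# attribute that equals the TopTeam Username) and issue it as the NameID.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "TopTeam username"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Step 2.8: issuance authorization rule permitting all authenticated users.
$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 2: create the relying party trust; replace a stale one of the same name.
if (Get-AdfsRelyingPartyTrust -Name $DisplayName) {
    Remove-AdfsRelyingPartyTrust -TargetName $DisplayName
}
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Identifier $Base `
    -SamlEndpoint $Endpoints `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Step 4: review what ADFS stored (identifier, endpoints, rules) before testing a login.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

If you used Step 2.4 to supply a token encryption certificate, pass it with the -EncryptionCertificate parameter of Add-AdfsRelyingPartyTrust. Keep the claim rule's LDAP attribute aligned with whatever TopTeam uses as the Username; a mismatch is rejected by TopTeam, not by ADFS, so the failure only surfaces at login time.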
Step 5. Configure SAML in TopTeam
For more information, refer to the article Configuring External Authentication (SAML) in TopTeam.
Revised: June 1st, 2018