
SAML SSO with Microsoft ADFS

Please Note: TASS Support cannot set this up for you. Your IT environment requirements are separate to TASS Product Support. These guides are designed to assist your qualified IT team or consultants with these set ups.

This guide is intended for IT administrators who want to configure SAML SSO with TASS using Microsoft ADFS (Active Directory Federation Services).

Please Note: SAML needs to be configured individually for each product or portal in each company. For example, if you want to enable SAML SSO for both TASS.web and Staff Kiosk, you would need to follow these steps for each of those so that they are registered independently with your identity provider. 

Requirements

  • A correctly-configured ADFS instance with a trusted HTTPS certificate installed.

  • Access to the AD FS Management MMC snap-in (eg via Remote Desktop to the ADFS server or via Remote Server Administration Tools).

Setup Instructions

  1. Open AD FS Management.

  2. Go to AD FS > Relying Party Trusts.

  3. In the Actions pane, click Add Relying Party Trust.

  4. On the Welcome page, choose Claims Aware, then click Start.

  5. On the Select Data Source page, choose Enter data about the relying party manually, then click Next.

  6. On the Specify Display name page, enter a name to identify the TASS product or portal you are configuring. For example, TASS Staff Kiosk. Then, click Next.

    SAML is configured per product/portal and per company. If multiple companies are in use, ensure the name includes a reference to the company so you can find it later.

  7. On the Configure Certificate page, do not select a certificate, then click Next.

  8. On the Configure URL page, select "Enable Support for the SAML 2.0 WebSSO Protocol". Then, enter the URL from the SP Endpoint field in TASS.web into the "Relying Party SAML 2.0 SSO service URL" field, then click Next.

  9. On the Configure Identifiers page, enter the SP Entity ID ... into the "Relying party trust identifier" field, click Add, then click Next.

  10. On the Choose Access Control Policy page, unless you have defined another access control policy, select "Permit everyone", then click Next.

    This policy is in addition to the existing user verification in TASS. Unless the user has been mapped to a TASS.web user or entity (eg parent, student, employee) and assigned permissions, no access will be provided.

  11. On the Ready to Add Trust page, review the configuration, then click Next.

  12. On the Finish page, ensure "Configure claims issuance policy for this application" is selected, then click Close.

  13. In the Actions pane, click "Edit Claims Issuance Policy...".

  14. On the Issuance Transform Rules tab, click Add Rule. The Add Transform Claim Rule Wizard will open.

  15. On the Choose Rule Type page, set the Claim rule template to Send LDAP Attributes as Claims, then click Next.

  16. On the Configure Claim Rule page, enter a Claim rule name. Set the Attribute store to the relevant identity source, for example, Active Directory. In the Mapping of LDAP attributes to outgoing claim types section, set the LDAP Attribute to your preferred user identifier (eg SAM-Account-Name or Email), and set the Outgoing Claim Type to Name ID. Then, click Finish.

  17. In the Edit Claim Issuance Policy window, click OK.
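The same relying party trust can be created from an elevated PowerShell session on the ADFS server using the ADFS module. This is an added example, not part of the TASS guide; the display name, SP Entity ID and SP Endpoint URL are placeholders that must be replaced with the values shown in TASS.web, and the claim rule assumes SAM-Account-Name is the identifier you chose in Step 16.

```powershell
# Added example (not from the TASS guide): scripted equivalent of Steps 1-17.
# PLACEHOLDER values come from the TASS.web SP Endpoint / SP Entity ID fields and are not on this page.
Import-Module ADFS

$displayName = 'TASS Staff Kiosk - COMPANY-PLACEHOLDER'   # Step 6: include the company if several are in use
$spEntityId  = 'https://SP-ENTITY-ID-PLACEHOLDER'         # Step 9: SP Entity ID from TASS.web
$spEndpoint  = 'https://SP-ENDPOINT-URL-PLACEHOLDER'      # Step 8: SP Endpoint URL from TASS.web

# Step 8: SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $spEndpoint -Index 0

# Steps 15-16: "Send LDAP Attributes as Claims" rule that issues Name ID from sAMAccountName.
# Use ';mail;{0}' instead of ';sAMAccountName;{0}' if Email is the identifier mapped in TASS.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "TASS Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Steps 3-12: create the trust. No encryption certificate is set (Step 7) and the built-in
# "Permit everyone" policy is applied (Step 10); TASS still enforces its own user mapping and permissions.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $spEntityId `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules

# Check: confirm the identifier, endpoint and claim rule were stored as intended.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

Repeat the script with a different display name, Entity ID and Endpoint URL for each product or portal and each company, since each must be registered independently.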

TASS Support Access

Once SAML is enabled, TASS requires an account to use to provide remote support and services. This account should be:

  • Enabled for use with your identity provider (generally this means it needs to be an Active Directory user).

  • Mapped to the TASS applications registered with your identity provider (see Step 10). 

  • Mapped to the TASS.web root user (see LDAP/SAML Maintenance for guidance on configuring mappings, and ensure that the username format matches what was defined in Step 16).  

  • Have its details stored by TASS for use in providing support and services as required.

If MFA is enabled for this account, only the TOTP method can be used. Other methods, such as mobile apps and SMS messages, are not supported.
