Introduction
This article applies to users wishing to configure Single Sign-On authentication between the Umbrella Dashboard and ADFS (Active Directory Federation Services). This article is an appendix to the main ADFS instructions here.
This article provides an example of how to configure ADFS to allow login with an e-mail address.
By default, ADFS authenticates users based on their User Principal Name (UPN). Often this UPN matches both the user's e-mail address and the Umbrella account e-mail address, in which case no action is required.
However, in some cases a user's e-mail address differs from their UPN, and then these additional steps are required.
Alert:
This example is provided "as is" based on a working ADFS environment. Umbrella support are unable to help with the configuration of individual ADFS environments.
Instructions
Step 1 - Allow e-mail address login (Optional)
The following PowerShell command configures ADFS to allow the 'mail' attribute to be used as the login ID. Replace <Domain> with the name of your Active Directory domain:
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests <Domain>
This avoids confusion for the end user, as they can use the same username for both systems. After this change the user will be able to log in as follows:
- Enter the Umbrella username (e.g. email@domain.tld)
- Enter email@domain.tld or upn@domain.tld as the ADFS username
If this step is not followed, the end user may need to use a different username for each system:
- Enter the Umbrella username (e.g. email@domain.tld)
- Enter upn@domain.tld as the ADFS username
Step 2 - Edit claims rules (Required)
Review the information in our ADFS instructions here. The claims rule userPrincipalName to Email address must be deleted and replaced with the rule below, called mail to Email address.
This tells ADFS to include the 'mail' attribute in its SAML response:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
The claims rules should be configured in the correct order, with mail to Email address as the first rule:
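The rule swap and reordering above can also be scripted against the relying party trust. The following is an added example, not part of the Umbrella article; it assumes the trust's display name is "Umbrella" and that the rule to remove is named "userPrincipalName to Email address", as in the main instructions.

```powershell
# Added example, not from the Umbrella article: replace the UPN-based rule with the
# 'mail to Email address' rule on the Umbrella relying party trust and make it the first rule.
# Assumptions (not stated on the page): the trust is named "Umbrella" and the rule being
# replaced carries the @RuleName "userPrincipalName to Email address".
Import-Module ADFS

$rpName      = "Umbrella"                              # assumed relying party trust name
$oldRuleName = "userPrincipalName to Email address"    # rule being replaced
$newRuleName = "mail to Email address"

# The rule from the article, with a @RuleName header so it can be identified later.
$mailRule = @"
@RuleName = "$newRuleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Regex for one named rule: optional @RuleTemplate line, the @RuleName line, body up to ");".
function Get-NamedRulePattern([string]$name) {
    '(?s)(?:@RuleTemplate[^\r\n]*\r?\n)?@RuleName = "' + [regex]::Escape($name) + '"\r?\n.*?\);\s*'
}

# Remove the UPN rule and any earlier copy of the mail rule; all other rules stay in place.
$remaining = $rp.IssuanceTransformRules
foreach ($name in @($oldRuleName, $newRuleName)) {
    $remaining = [regex]::Replace($remaining, (Get-NamedRulePattern $name), '')
}

# Prepend the mail rule so it is evaluated first, then write the rule set back to ADFS.
$newRules = $mailRule + "`r`n" + $remaining
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules

# Verify the result: list the rule names in their new order; the mail rule should be first.
$order = [regex]::Matches((Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules,
                          '@RuleName = "([^"]*)"') | ForEach-Object { $_.Groups[1].Value }
$order
if ($order[0] -ne $newRuleName) { Write-Warning "'$newRuleName' is not the first rule" }
```

Rules entered without a @RuleName header are left untouched and keep their relative position after the mail rule; inspect the printed order before testing a login.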