Active Directory Federation Service
Configure Active Directory Federation Service (ADFS) as a SAML identity provider for single sign-on to FOSSA.
Overview
Active Directory Federation Service (ADFS) acts as a SAML 2.0 identity provider for FOSSA. To connect them, you create a Relying Party Trust for FOSSA in ADFS, map your Active Directory attributes to the claims FOSSA expects, then give FOSSA your ADFS sign-on URL and token-signing certificate.
Note
SAML single sign-on must be enabled for your organization before the settings below appear. SSO is a premium feature, contact your FOSSA account team to enable it.
Before you start, open FOSSA's authentication settings in another tab: go to Settings → Organization → Authentication. The Callback URL and Audience URI / SP Entity ID values there are needed while configuring ADFS.
Configuring the Relying Party Trust
- 1
Open the AD FS Management console
On your ADFS server, open Server Manager, then choose Tools → AD FS Management.
- 2
Start the Add Relying Party Trust wizard
Click Add Relying Party Trust to open the wizard. Select Claims aware and click Start, then choose to enter data about the relying party manually.
- 3
Enable the SAML 2.0 WebSSO protocol
Tick Enable support for the SAML 2.0 WebSSO protocol. In the box underneath, paste the Callback URL from FOSSA's Settings → Organization → Authentication page.
- 4
Set the relying party trust identifier
Add a relying party trust identifier that matches the Audience URI / SP Entity ID value shown on FOSSA's Authentication page.
Warning
The identifier must equal the Audience URI / SP Entity ID that FOSSA generates for your organization. Older setups used the literal string
FOSSA; copy the current value from the Authentication page instead, a mismatch causes the SAML audience check to fail. - 5
Enable the claims issuance policy
Tick Configure claims issuance policy for this application, then finish the wizard. This opens the policy editor, where you define what Active Directory sends to FOSSA at login.
- 6
Map Active Directory attributes to claims
Click Add Rule and choose the Send LDAP Attributes as Claims template. Give the rule a name, set Active Directory as the attribute store, and add these mappings:
LDAP attribute Outgoing claim type E-Mail-Addresses Name ID Given-Name firstName Surname lastName Warning
FOSSA reads the user's email from the Name ID, and reads
firstNameandlastNameto build their display name. Spell the outgoing claim types exactly as shown, a mismatch leaves new users without a name or blocks login entirely. - 7
Export the token-signing certificate
In the AD FS Management tool, go to Service → Certificates in the left sidebar. Select the token-signing certificate and click View Certificate. On the Details tab, click Copy to File and export it as Base-64 encoded X.509 (.CER). Open the exported file in a text editor, you'll paste its contents into FOSSA next.
- 8
Finish setup in FOSSA
Back in FOSSA, on the Settings → Organization → Authentication page:
- In Identity Provider Single Sign On URL, enter your ADFS server URL with
/adfs/lsappended (for example,https://adfs.example.com/adfs/ls). - In Certificate, paste the contents of the certificate you exported.
- Click Save Changes.
- In Identity Provider Single Sign On URL, enter your ADFS server URL with
Result
ADFS is now configured to authenticate users to FOSSA. For their first login, users sign in one of two ways:
- Visit the SAML login link shown on FOSSA's Authentication page, or
- Go to
/adfs/ls/idpinitiatedsignonon your ADFS server, if IdP-initiated sign-on is enabled.
After their first login, users can sign in by entering their email address on the FOSSA login page.
Note
FOSSA can also set each user's organization role and synchronize their team membership from SAML attributes. See the SAML attributes guide for the supported role and teams claims.