We assume you have a working understanding of ADFS 3.0 and have established it as your Identity Provider. These instructions should also work with ADFS 2.0. Please note that there are sometimes unique characteristics of your ADFS infrastructure which may require some changes from the below procedures. We have found the following procedures work with the majority of ADFS 3.0 environments.
1 - Obtain your Tribal Habits SSO URL
Login to your Tribal Habits portal and proceed to Admin, then Accounts, then Configure SAML. Your SAML SSO URL will be located in the Identity Provider Configuration panel. It is typically https://yourorganisation.tribalhabits.com/saml/auth.
2 - Add Tribal Habits as a relying party trust in ADFS.
Select the Relying Party Trusts folder from ADFS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.
In the Select Data Source screen, select the last option, Enter Data About the Party Manually.
On the next screen, enter a Display name (Tribal Habits) that you'll recognise in the future, and any notes you want to make.
On the next screen, leave the certificate settings at their defaults and proceed to the next screen.
Check the box Enable Support for the SAML 2.0 WebSSO protocol. In the box for the SSO service URL, enter your Tribal Habits SSO URL which we obtained in step one.
On the next screen, select your relying party URL.
On the next screen for access control, select 'Permit everyone'.
On the next two screens, the wizard will display an overview of your settings. On the final screen, use the 'Close' button to exit and open the Claims rule editor.
3 - Creating your claim rules
Once the relying party trust has been created, you can create the claim rule. By default the claim rule editor opens once you created the trust. Start by clicking 'Add Rule' and then create a 'Send LDAP Attributes as Claims' rule.
On the next screen, using Active Directory as your attribute store, add your claim rules for Tribal Habits.
First, create outgoing claims for...
- FirstName -> Your matching LDAP attribute (like Given Name)
- LastName -> Your matching LDAP attribute (like Surname)
- Email -> Your matching LDAP attribute (like Email Address)
Second, select the LDAP attribute which is the unique identifier in your organisation. This may also be email address, or it may be an employee ID or similar. This is the attribute which will be used as the UserName in Tribal Habits - the unique identifier for each user. It is fine for this to be email. In any case, map your selected LDAP attribute to an outgoing claim called TEMP (as we will transform this attribute claim in the next rule). Then save that claim, which should look something like this.
Now add a second claim rule. This time using the template 'Transform an incoming claim'.
In this claim, we are going to transform your chosen unique identifier (email or employee ID, or whatever attribute to mapped to TEMP.
- For incoming claim type, select TEMP.
- For Outgoing claim type, select Name ID.
- For Outgoing name ID format, select Transient Identifier.
- Leave Pass through all claims as the default.
Then save this second claim.
4 - Adjust the trust settings
You still need to adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar while you have the RPT selected. In the Advanced tab, make sure SHA-1 is specified as the secure hash algorithm.
Apply those changes and move to the Endpoints tab. Click on add SAML to add a new endpoint. For the Endpoint type, select SAML Assertion Consumer. For the Binding, choose POST. For the Trusted URL, ensure your Tribal Habits SSO URL back in Step 1 is correct.
5 - Configure Tribal Habits
Now we are ready to configure Tribal Habits. Go back to Admin, Account and Configure SAML in Tribal Habits. Select the Enable checkbox. You then need to obtain specific information from your ADFS set-up.
For Identity Provider Entity ID, enter your Issuer URL. This will be something like http://identityproviderurl.com/adfs/services/trust.
For Identity Provider SSO URL: enter your Single Sign On service endpoint. This will be something like https://identityproviderurl.com/adfs/ls
You then need to obtain and enter your Identity Provider x.509 Certificate.
Update your SAML Configuration and you should be good to go.
If you need to troubleshoot your SAML settings, but cannot access your portal any longer, you can login with your Tribal Habits user details at yourorganisation.tribalhabits.com/accounts/sign_in_without_sso