*Note: "HRBC" is the old name for "PORTERS". Please read "HRBC" in the images as "PORTERS".
- Precautions
- Preliminary Settings
- Setting the Service Principal Name
- Setting the Relying Party Trust
- Setting the Claim Rules
- Setting User Information
- Setting WIA SupportedUserAgents
- Setting Microsoft Entra ID (formerly Azure Active Directory) (partial)
Precautions
The following is an example of settings when using Active Directory Federation Service 3.0 (ADFS 3.0) on Windows Server 2012 R2 as an Identity Provider.
This setting example assumes that you are familiar with the relevant terminology and concepts.
Please note that the setting screen and procedure may differ from this setting example depending on the authentication system you are using.
Please check the help of your authentication system for the actual setting method and procedure.
- HENNGE (You will be redirected to an external site)
- CloudGateUNO (You will be redirected to an external site)
- GMO Trust Login (You will be redirected to an external site)
- ID Entrance (You will be redirected to an external site)
Please note that Porters Corporation cannot confirm or support the details of your authentication system.
Preliminary Settings
This example assumes the following environment for the settings.
Active Directory (AD) Settings
- Computer Name: dc
- Root Domain Name: example.local
- Other Installation Options: Default
- Initial Data Settings After AD Installation
  - Additional AD Users
    - example\adfsadmin … ADFS service account
    - example\adfsuser … User who logs in via SSO
ADFS Settings
- Computer Name (※AD and ADFS are installed on the same computer): dc
- Domain Name: local
- Service Account: example\adfsadmin
- Other Installation Options: Default
Setting the Service Principal Name
To provide SSO based on Windows authentication in ADFS, the Service Principal Name (SPN) of the ADFS service account must be registered in AD.
If Windows authentication is attempted without this setting, a 401 error occurs and SSO does not work.
Run the following commands in Command Prompt or PowerShell.
setspn -a http/dc.example.local example\adfsadmin
setspn -a http/dc example\adfsadmin
Setting the Relying Party Trust
Configure the relying party trust as follows.
- Relying Party Trust Identifier: saml.porterscloud.com
- Endpoint
  - Binding … POST
  - Relying Party SAML 2.0 SSO Service URL (Assertion Consumer Service URL)
    ※This URL is provided by the person in charge at Porters Corporation.
The following is an example of the settings using the standard wizard. Open the AD FS Management tool.
Add a relying party trust from AD FS > Trust Relationships.
Select "Enter data about the relying party manually" and proceed to the next step.
Enter the display name and proceed to the next step.
Select "AD FS profile" and proceed to the next step.
Proceed to the next step.
Select "Enable support for the SAML 2.0 WebSSO protocol", set the URL informed by the person in charge of Porters Corporation, and proceed to the next step.
Add "saml.porterscloud.com" to the relying party trust identifiers and proceed to the next step.
Select "Do not configure multi-factor authentication for this relying party trust at this time" and proceed to the next step.
Select "Permit all users to access this relying party" and proceed to the next step.
Follow the instructions on the screen to proceed and complete the settings.
Setting the Claim Rules
Set the claim rules for the relying party trust you created.
- Claim Rule Template: Send LDAP Attributes as Claims
- Attribute Store: Active Directory
- Mapping of LDAP Attributes to Outgoing Claim Types
  - LDAP Attribute … E-Mail-Addresses
  - Outgoing Claim Type … Name ID
In PORTERS, the user's email address is used as the user ID for login.
When authenticating with PORTERS SSO, the user ID (email address) in PORTERS is compared with the email address held by the Identity Provider.
When authentication succeeds at the Identity Provider, the result is sent to PORTERS as a SAML response.
This response must carry the user's email address as the value of "NameID".
If the value of "NameID" matches a user ID (email address) in PORTERS, login to the PORTERS business screen succeeds.
The following is an example of the settings using the standard wizard in [AD FS Management].
Right-click the display name of the relying party trust you created and open Edit Claim Rules.
In the Issuance Transform Rules tab, click the Add Rule button.
Select the claim rule template (Send LDAP Attributes as Claims) and proceed to the next step.
Enter the required items such as the claim rule name and complete the rule settings.
Mapping of LDAP Attributes to Outgoing Claim Types
  - LDAP Attribute … E-Mail-Addresses
  - Outgoing Claim Type … Name ID
Click OK to finish editing the claim rules.
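The relying party trust and claim rule described in the two sections above can also be created with the AD FS PowerShell module instead of the wizard. This is an added example, not part of the original page; the display name "PORTERS" is assumed, and the ACS URL is a placeholder for the URL provided by Porters Corporation.

```powershell
# Added example: creates the relying party trust and the Name ID claim rule from PowerShell.
# Assumptions: display name "PORTERS"; replace the ACS placeholder with the URL you were given.
Import-Module ADFS

$displayName = "PORTERS"                                   # assumed display name
$identifier  = "saml.porterscloud.com"                     # identifier from the page
$acsUrl      = "https://<ACS-URL-provided-by-Porters>"     # placeholder, not a real URL

# SAML 2.0 Assertion Consumer Service endpoint with POST binding
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Issuance transform rule equivalent to "Send LDAP Attributes as Claims":
# look up the authenticated Windows account in Active Directory and issue its
# mail attribute as the Name ID claim, which PORTERS matches against its user ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-Mail-Addresses to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Issuance authorization rule equivalent to "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify what AD FS stored: identifier, ACS endpoint and both rule sets
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules |
    Format-List
```

Because the mail attribute becomes the Name ID, only users whose AD mail exactly matches their PORTERS user ID will be able to log in; the verification output shows the rule text so you can confirm the `;mail;` query before testing.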
Setting User Information
In the AD user information, set the email address that is registered as the PORTERS user ID.
The following is an example of setting the email address for the user adfsuser.
Setting WIA SupportedUserAgents
After launching PowerShell, check the current WIASupportedUserAgents with the following command.
If necessary, add the User Agent of each web browser that is allowed to use SSO by Windows authentication.
Windows authentication does not work in web browsers whose User Agent is not covered by this setting.
$FormatEnumerationLimit=-1
Get-ADFSProperties | Select-Object WIASupportedUserAgents | Format-Table -autosize -wrap
The following is an example of commands that allow Windows authentication in Chrome.
$old=(Get-AdfsProperties).WIASupportedUserAgents
$new=$old+"Mozilla/5.0"
Set-ADFSProperties -WIASupportedUserAgents $new
Check the result of Set-ADFSProperties with the Get-ADFSProperties command shown above.
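The commands above append the token unconditionally; the following added example (not from the original page) adds a User Agent token only if it is not already present and then prints the resulting list. Note that "Mozilla/5.0" matches the User Agent of practically every modern browser, so it enables Windows authentication broadly; a more specific token narrows it.

```powershell
# Added example: idempotently add a User Agent token to WIASupportedUserAgents and confirm it.
# Assumption: the token is the one from the page; choose a narrower one to limit which browsers get WIA.
Import-Module ADFS
$FormatEnumerationLimit = -1

$token = "Mozilla/5.0"   # as in the page's example; matches nearly all browsers

# Force an array even if the property currently holds a single value
$current = @((Get-AdfsProperties).WIASupportedUserAgents)

if ($current -contains $token) {
    Write-Host "'$token' is already in WIASupportedUserAgents; nothing to change."
} else {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $token)
    Write-Host "Added '$token' to WIASupportedUserAgents."
}

# Show the stored list so the change can be confirmed; each token appears on its own line
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents

# The AD FS service typically has to be restarted before the new list is applied
Restart-Service adfssrv
```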
Setting Microsoft Entra ID (formerly Azure Active Directory) (partial)
Identifier (Entity ID): saml.porterscloud.com
Reply URL (Assertion Consumer Service (ACS) URL): the URL provided to you by email.
Parameters such as Sign-On URL, Relay State, Logout URL and Source Attribute do not need to be set.