This article covers the setup procedure for WS-Federation Services with SAML.
Plutora and Plutora Test both support SSO. Logging in or out of Plutora will also log the user in or out of Plutora Test. While logging out, do not close the browser window until the logging out process is complete.
Create an XML metadata file first.
Setting up WS-Federation Services with SAML on Plutora
To set up WS-Federation Services with SAML on Plutora:
- Go to Settings > Customization > Site Settings.
- Click Login Settings.
- Click to select the Enable SSO Login checkbox. Selecting Enable SSO Login makes the SSO Login button appear under the Plutora login form.
- Click to select the Use SAML Request checkbox.
- Click Submit.
- The yellow Your changes have been saved pop up opens and closes.
- If you click away from the Customization page without clicking Submit, your changes will not save.
- Users who log into Plutora for the first time using SSO are granted access that depends on the Requestor User Role. Administrators must update their account to give them the access they need.
- When making a bookmark to Plutora once SSO is set up, bookmark the direct link to Plutora (for example, https://companyname.plutora.com) rather than the IDP address (for example, https://idp-au.plutora.com/).
Setting Up Active Directory Federation Service (AD FS)
To set up AD FS so it can be used for Plutora with WS-Federation Services with SAML:
1a. Create an XML metadata file
First, create an XML metadata file.
LDAP Attributes are mapped to Active Directory Attributes in the following way.
If you see the following error message in the login page:
- The email address you’re using is not a valid email address: Check that Active Directory Attribute mail has been set.
- No surname: Check that Active Directory Attribute sn has been set.
- No first name: Check that Active Directory Attribute givenName has been set.
To check if the given name and surname of the users are present:
- Open AD FS on the server that has been set up to be the IDP.
- Go to Server Manager > Dashboard > Tools > Active Directory Users and Computers.
- Click a user name.
- Click the Attribute Editor tab (if it isn't already selected).
- Check the following attributes of the user:
- To edit the attributes (if necessary):
  - Click to select the attribute.
  - Click Edit.
  - Edit the attribute in the pop up.
  - Click OK.
  - Click Apply.
  - Click OK.
If your company has more than one Active Directory server and an AD FS farm, ensure that they are all synced and working.
How does WS-Federation with SAML work?
WS-Federation with SAML has the following authentication steps:
- The user goes to the login page of the site.
- The site generates a SAML request, then redirects the user to the SSO Login URL.
- The SAML request goes to the identity provider, which verifies the user’s identity.
- The identity provider sends a SAML request inside a Request Security Token Response (RSTR) to the website.
- The website receives the response and logs the user in.
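The check a service provider runs at the last step above, tying it to the login-page errors listed earlier: an added example, not Plutora's code. It parses the Request Security Token Response (RSTR) that the identity provider returns, reads the SAML 1.1 attribute statement, and reports which of the page's three required claims is missing. The sample RSTR is constructed, and the example assumes the token's XML signature has already been verified before these attributes are trusted.

```python
import xml.etree.ElementTree as ET

NS = {
    "trust": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
# AttributeName -> (AD attribute named on the page, login-page error text from the page).
# AD FS issues these under AttributeNamespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims
REQUIRED = {
    "emailaddress": ("mail", "The email address you're using is not a valid email address"),
    "surname": ("sn", "No surname"),
    "givenname": ("givenName", "No first name"),
}

# Constructed RSTR: the surname claim is deliberately absent.
SAMPLE_RSTR = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed-1">
      <saml:AttributeStatement>
        <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
        <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>Jane</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def assertion_attributes(rstr_xml: str) -> dict:
    """Map AttributeName -> first AttributeValue from the assertion inside the RSTR."""
    root = ET.fromstring(rstr_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("AttributeName", "")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_required_claims(rstr_xml: str) -> list:
    """Return the login-page errors that apply; an empty list means the user can be logged in."""
    attrs = assertion_attributes(rstr_xml)
    errors = []
    for name, (ad_attr, message) in REQUIRED.items():
        value = attrs.get(name, "")
        if not value or (name == "emailaddress" and "@" not in value):
            errors.append(f"{message}: check that Active Directory attribute {ad_attr} is set")
    return errors
```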