This guide has been created on Windows Server 2019. Screens may look slightly different on other versions of Windows Server but the steps should be similar.
1. Open the ADFS management console, select Relying Party Trusts in the tree on the left and then click Add Relying Party Trust… on the right
2. Select Claims aware and click Start
3. Select the option to import data about the relying party published online, enter the Apperio metadata URL (https://app.apperio.com/sso/saml/sp/) and click Next
   If you get an error when using the metadata URL, it is usually because the ADFS server itself cannot establish a TLS 1.2 connection to Apperio (Apperio enforces TLS 1.2, and the import is performed by the ADFS server, not by your browser). In this case, select Enter data about the relying party manually, follow the Appendix for the manual steps, and then return to step 7.
4. Choose a display name for the relying party trust (e.g. Apperio)
5. Choose an access control policy to meet your security requirements. Permit everyone grants every authenticated user in the domain access to Apperio; if only some users should be able to sign in, choose a policy that restricts access to a specific group, and consider one that also requires MFA.
6. Complete the wizard and select Configure claims issuance policy for this application. If you have already exited the wizard, you can reach the same screen by right-clicking the relying party trust and selecting Edit Claim Issuance Policy…
7. On the Issuance Transform Rules screen, click Add Rule
8. In the wizard, select Send LDAP Attributes as Claims and click Next
9. Choose a name for the rule, select Active Directory as the attribute store and add the following attributes to the mapping table (LDAP Attribute -> Outgoing Claim Type):
   - E-Mail-Addresses -> Name ID
   - E-Mail-Addresses -> E-Mail Address
   - Given-Name -> Given Name
   - Surname -> Surname
10. Click Finish to exit the wizard and OK to exit the claim issuance policy dialog
ADFS setup is now complete and ready for testing with Apperio. Note that the Name ID is the user's e-mail address, so users whose mail attribute is empty in Active Directory will not be able to sign in until it is populated.
Appendix: Manual Configuration
If you cannot use the metadata URL, you will need to enter the configuration data manually.
- Choose a display name for the relying party trust (e.g. Apperio)
- Do not upload a token encryption certificate. Apperio does not support encrypted SAML assertions, so if ADFS is given an encryption certificate it will encrypt the assertion and Apperio will be unable to read it. Encryption is also not needed for confidentiality in transit, because the assertion travels over TLS connections; it would only hide the assertion's contents (the e-mail address and name claims configured below) from the user's own browser.
- Select Enable support for the SAML 2.0 WebSSO Protocol and enter the Apperio ACS URL (https://app.apperio.com/sso/saml/acs/)
- In the box for Relying party trust identifier, enter the Apperio Entity ID (https://app.apperio.com/sso/saml/sp/) and click Add
- Choose an access control policy to meet your security requirements
- Complete the wizard and leave Configure claims issuance policy for this application unchecked
- Double click the relying party trust to open the properties
- Select the Signature tab and upload the Apperio signing certificate (downloadable from https://app.apperio.com/sso/saml/certificate/). ADFS uses this certificate to verify the signature on requests it receives from Apperio; it is not the certificate ADFS uses to sign its own assertions, which stays as it is. When the metadata URL import succeeds, this certificate is picked up from the metadata automatically.
- To configure Single Logout (optional) select the Endpoints tab and click Add SAML…
  - Set the Endpoint type to SAML Logout
  - Set the Binding to Redirect
  - Set the Trusted URL to the Apperio Logout URL (https://app.apperio.com/sso/saml/sls/)
  - Leave the Response URL blank
- Click OK and then OK again to exit the properties window
- Right-click the relying party trust and select Edit Claim Issuance Policy…
- Return to step 7 of the main configuration guide above
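The whole procedure, both the metadata import in the main guide and the manual fallback in this Appendix, can also be done from PowerShell on the ADFS server, which makes the result easy to review and to reproduce on a second server. The following script is an added example and is not part of Apperio's guide or of Microsoft's documentation. It assumes an elevated Windows PowerShell session on the ADFS server with the ADFS module available, that the built-in Permit everyone access control policy is acceptable (substitute your own), that the ACS endpoint uses the HTTP-POST binding (matching what the GUI wizard creates for the WebSSO URL), and that the Apperio signing certificate has been saved to C:\temp\apperio.cer; the policy name, binding and file path are assumptions, not values from the original guide.

```powershell
# Added example (not from the Apperio guide): configure the Apperio relying party
# trust from PowerShell, mirroring the GUI steps. Assumptions: elevated session on
# the ADFS server, "Permit everyone" policy, HTTP-POST ACS binding, and the
# signing certificate saved at C:\temp\apperio.cer.
Import-Module ADFS

$RpName      = 'Apperio'
$MetadataUrl = 'https://app.apperio.com/sso/saml/sp/'   # also the Entity ID
$AcsUrl      = 'https://app.apperio.com/sso/saml/acs/'
$SloUrl      = 'https://app.apperio.com/sso/saml/sls/'
$CertPath    = 'C:\temp\apperio.cer'                      # assumed download location
$PolicyName  = 'Permit everyone'                          # assumed; use a group/MFA policy if required

# Claim rule equivalent to the "Send LDAP Attributes as Claims" wizard mapping:
# mail -> Name ID, mail -> E-Mail Address, givenName -> Given Name, sn -> Surname.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Apperio attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,mail,givenName,sn;{0}", param = c.Value);
'@

# Step 3 pre-check: can this server fetch the metadata over TLS 1.2? The protocol
# is pinned explicitly so the test does not silently fall back to TLS 1.0/1.1.
function Test-ApperioMetadata {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        $resp = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -ErrorAction Stop
        return ($resp.StatusCode -eq 200 -and $resp.Content -match 'EntityDescriptor')
    } catch {
        Write-Warning "Metadata fetch failed: $($_.Exception.Message)"
        return $false
    }
}

if (Test-ApperioMetadata) {
    # Main guide: import identifier, endpoints and signing certificate from metadata.
    Add-AdfsRelyingPartyTrust -Name $RpName -MetadataUrl $MetadataUrl
} else {
    # Appendix: manual configuration with the same values and no encryption certificate.
    $acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0
    $slo = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $SloUrl
    $signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $MetadataUrl `
        -SamlEndpoint @($acs, $slo) -RequestSigningCertificate $signingCert
}

# Steps 5 and 7-10: access control policy and the claim issuance rule.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -AccessControlPolicyName $PolicyName -IssuanceTransformRules $IssuanceRules

# Verify the result: EncryptionCertificate must be empty, the ACS (and optional
# logout) endpoints must match, and the rule must be present.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, EncryptionCertificate, AccessControlPolicyName,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } },
        IssuanceTransformRules
```

If Test-ApperioMetadata fails with a TLS handshake error on an older build, the fix that applies to the ADFS service as well as to this script is to make .NET use the operating system defaults: set SchUseStrongCrypto and SystemDefaultTlsVersions to 1 under HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 (and the Wow6432Node equivalent), then restart the adfssrv service. On Windows Server 2019 this is normally already the case, which is why the guide expects the metadata import to work there.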