nopCommerce SAML Single Sign-On (SSO) with ADFS as IDP

Overview

nopCommerce SAML Single Sign-On (SSO) plugin gives the ability to enable SAML Single Sign-On for your nopCommerce store. Using Single Sign-On you can use only one password to access your nopCommerce store and services. Our plugin is compatible with all the SAML compliant identity providers. Here we will go through a step-by-step guide to configure Single Sign-On (SSO) between nopCommerce and ADFS considering ADFS as IdP.

Pre-requisites : Download And Installation

• Download the nopCommerce SAML Single Sign-On (SSO) module.
• To install the plugin, login as admin into your nopCommerce store. In the admin dashboard, navigate to Configuration Tab >> Local plugins.

• Click on the Upload plugin or theme button at the top right corner, then in the popup window, click Choose File, select the downloaded plugin ZIP file, and click Upload plugin or theme to proceed.

• After uploading the plugin, click on Restart Application to apply the changes. Once the application restarts, you will see the plugin listed below. Click on the Install button to install it, and then click Restart Application again to apply the changes.

Configuration Steps

Step by Step guide for nopCommerce SAML SSO using ADFS as Identity Provider.

• After successful installation, locate the plugin in the list and click on the Configure button to proceed with the setup.

1. Activate the SAML Plugin using License Key

• On clicking Configure, you will be redirected to the license activation page, and you will receive a trial license key on your registered email.
• If you have not received the license key on your provided email, use the Download License Key button in the plugin to download the license file.

• To activate the plugin, you can either:
  • Enter the license key received via email in the provided input field.

  OR

  • Upload the license file that you downloaded using the button mentioned above.

• Then, check the box "I have read the above conditions and I want to activate the middleware", and click Activate License button.

2. Provide nopCommerce store Metadata to ADFS Identity Provider

• After successful license activation, the plugin dashboard will open as shown below.
• In the plugin dashboard, click on the Service Provider Metadata button from the top menu. This will open the Service Provider Metadata page.

You can obtain the SAML SP metadata using either of the two methods described below to configure it on your Identity Provider end.

A] Using SAML metadata URL or metadata file

• On this page, you can find the Metadata URL as well as the option to download the SAML metadata XML file.
• Copy the Metadata URL or download the metadata file to configure the same on your Identity Provider end.
• You may refer to the screenshot below:

B] Uploading Metadata Manually

• On this page, you can manually copy the service provider metadata such as SP Entity ID, ACS URL, Base URL and share it with your Identity Provider for configuration.
• You may refer to the screenshot below:

• First, search for ADFS Management application on your ADFS server.

• In ADFS Management, select Relying Party Trust and click on Add Relying Party Trust.

• Select Claims aware from the Relying Party Trust Wizard and click on Start button.

Select Data Source

• In Select Data Source, select the data source for adding a relying party trust.

• Metadata URL
• Metadata XML file
• Manual Configuration

• Navigate to Service Provider Metadata section of the nopCommerce plugin and copy the Metadata URL, which you will get from Step 2A.
• Select Import data about the relying party published online or on the local network option and add the metadata URL in Federation metadata address.
• Click on Next.

• Navigate to Service Provider Metadata section of the nopCommerce plugin and click on the Download button to download the plugin metadata file, which you will get from Step 2A.
• Select Import data about the relying party from a file option and upload the downloaded metadata file.
• Click on Next.

• Navigate to Service Provider Metadata section of the nopCommerce plugin to get the endpoints to configure Service Provider manually, which you will get from Step 2B.
• In Add Relying Party Trust Wizard select option Enter data about the relying party manually and click on Next.

Specify Display Name

• Enter Display Name and Click Next.

Configure Certificate (Premium feature)

• Download the certificate from Service Provider Metadata Tab, which you will get from Step 2A.
• Upload the certificate and click on Next.

Configure URL

• Select Enable support for the SAML 2.0 WebSSO protocol option and enter ACS URL from the plugin's Service Provider Metadata Tab, which you will get from Step 2B.
• Click on Next.

Configure Identifiers

• In the Relying party trust identifier, add the SP-EntityID / Issuer from the plugin's Service Provider Metadata tab, which you will get from Step 2B.

Choose Access Control Policy

• Select Permit everyone as an Access Control Policy and click on Next.

Ready to Add Trust

• In Ready to Add Trust click on Next and then Close.

Edit Claim Issuance Policy

• In the list of Relying Party Trust, select the application you created and click on Edit Claim Issuance Policy.

• In Issuance Transform Rule tab click on Add Rule button.

Choose Rule Type

• Select Send LDAP Attributes as Claims and click on Next.

Configure Claim Rule

• Add a Claim Rule Name and select the Attribute Store as required from the dropdown.
• Under Mapping of LDAP Attributes to outgoing claim types, Select LDAP Attribute as E-Mail-Addresses and Outgoing Claim Type as Name ID.

• Once you have configured the attributes, click on Finish.
• After configuring ADFS as IDP, you will need the Federation Metadata to configure your Service Provider.
• To get the ADFS Federation Metadata, you can use this URL
  https://< ADFS_Server_Name >/federationmetadata/2007-06/federationmetadata.xml
• You have successfully configured ADFS as SAML IdP (Identity Provider) for achieving ADFS Single Sign-On (SSO) Login

Windows SSO (Optional)

Follow the steps below to configure Windows SSO

• Steps to configure ADFS for Windows Authentication
  • Open elevated Command Prompt on the ADFS Server and execute the following command on it:
    setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##
  • FQDN is Fully Qualified Domain Name (Example : adfs4.example.com)
  • Domain Service Account is the username of the account in AD.
  • Example : setspn -a HTTP/adfs.example.com username/domain.

• Open AD FS Management Console, click on Services and go to the Authentication Methods section. On the right, click on Edit Primary Authentication Methods. Check Windows Authentication in Intranet zone.

• Open Internet Explorer. Navigate to Security tab in Internet Options.
• Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
• Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.

• Open the powershell and execute following two commands to enable windows authentication in Chrome browser.

 Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty  WIASupportedUserAgents) + "Chrome")
 Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents;


• You have successfully configured ADFS for Windows Authentication.

3. Configure ADFS Identity Provider Metadata in nopCommerce store

• Click on the Add new IDP button to configure a new Identity Provider.

• Under the Plugin Settings tab, select ADFS as your identity provider from the list shown.

• After selecting your IdP from the list, the Identity Provider Configuration page will open. On this page, click on the Upload IdP Metadata button.

There are two ways detailed below with which you can configure your SAML Identity Provider metadata in the plugin.

A] Upload metadata using the Upload IDP Metadata button:

• Enter the IdP Name, then either provide the metadata URL in the Fetch Metadata section and click Fetch Metadata to retrieve the configuration automatically, or upload the metadata XML file using the Upload Metadata option to configure the IdP.
• You may refer to the screenshot below:

B] Configure the identity provider metadata manually:

• Alternatively, under the Identity Provider Settings tab, you can manually fill in the mandatory fields like IDP Name, IDP Entity ID and Single Sign-On URL and click Save Settings.

4. Testing SAML SSO

• After uploading the metadata details, navigate back to the Dashboard. Click on the three dots (⋮) next to the configured Identity Provider and select Test Configuration.

• On successful configuration, you will get attributes name and attribute values in the test configuration window.

• If you are experiencing any error, you can troubleshoot it using the steps below:
• Click on the Troubleshoot SSO button and enable the required log levels.
• Download the log file using the Download Logs button to identify what went wrong.
• You can share the log file with us at nopcommercesupport@xecurify.com and our team will reach out to you to resolve your issue.

5. Adding SSO link for your nopCommerce store

• Click on the three dots (⋮) next to the configured Identity Provider and select SSO Link.
• A “Copy to Clipboard” pop-up will appear. Click OK to copy the SSO link to your clipboard.

Related Articles

• nopCommerce Oauth SSO
• nopCommerce Two Factor Authentication
• nopCommerce SAML SSO with Azure AD as IDP