DNN SAML Single Sign-On (SSO) with ADFS As IDP
DNN SAML Single Sign-On (SSO) authentication provider gives the ability to enable SAML Single Sign-On for your DotNetNuke applications. Using Single Sign-On you can use only one password to access your DotNetNuke application and services. Our authentication provider is compatible with all the SAML-compliant identity providers. Here we will go through a step-by-step guide to configure Single Sign-On (SSO) between DotNetNuke and ADFS considering ADFS as IdP.
Download and Install the authentication provider in DotNetNuke
- Download the package for DNN SAML Single Sign-On (SSO) authnetication provider.
- Upload the installation package dnn-saml-single-sign-on_xxx_Install by going in Settings > Extension > Install Extension.
Steps to configure ADFS Single Sign-On (SSO) Login into DotNetNuke
1. Add authentication provider on DNN page
- Now under the Installed extensions tab select Authentication Systems.Here you can see the miniOrange DNN SAML Authentication Plugin.
- Just Click on the pencil icon as mentioned in the image below to configure the DNN SAML Authentication Provider.
- You have finished with the Installation of the authentication provider on your DNN site.
2. Configure ADFS as Identity Provider
- First, search for ADFS Management application on your ADFS server.
- In ADFS Management, select Relying Party Trust and click on Add Relying Party Trust.
- Select Claims aware from the Relying Party Trust Wizard and click on Start button.
Select Data Source
- In Select Data Source, select the data source for adding a relying party trust.
- Navigate to Service Provider Metadata section from the ASP.NET SAML module and copy the Metadata URL.
- Select Import data about the relying party published online or on the local network option and add the metadata URL in Federation metadata address.
- Click on Next.
Note: In the next step enter the desired Display Name and click Next.
Choose Access Control Policy
- Select Permit everyone as an Access Control Policy and click on Next.
Ready to Add Trust
- In Ready to Add Trust click on Next and then Close.
Edit Claim Issuance Policy
- In the list of Relying Party Trust, select the application you created and click on Edit Claim Issuance Policy.
- In Issuance Transform Rule tab click on Add Rule button.
Choose Rule Type
- Select Send LDAP Attributes as Claims and click on Next.
Configure Claim Rule
- Add a Claim Rule Name and select the Attribute Store as required from the dropdown.
- Under Mapping of LDAP Attributes to outgoing claim types, Select LDAP Attribute as E-Mail-Addresses and Outgoing Claim Type as Name ID.
- Once you have configured the attributes, click on Finish.
- After configuring ADFS as IDP, you will need the Federation Metadata to configure your Service Provider.
-
To get the ADFS Federation Metadata, you can use this URL
https://< ADFS_Server_Name >/federationmetadata/2007-06/federationmetadata.xml - You have successfully configured ADFS as SAML IdP (Identity Provider) for achieving ADFS Single Sign-On (SSO) Login
Windows SSO (Optional)
Follow the steps below to configure Windows SSO
Steps to configure ADFS for Windows Authentication
- Open elevated Command Prompt on the ADFS Server and execute the following command on it:
-
setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##
-
FQDN is Fully Qualified Domain Name (Example : adfs4.example.com)
-
Domain Service Account is the username of the account in AD.
-
Example : setspn -a HTTP/adfs.example.com username/domain
- Open AD FS Management Console, click on Services and go to the Authentication Methods section. On the right, click on Edit Primary Authentication Methods. Check Windows Authentication in Intranet zone.
- Open Internet Explorer. Navigate to Security tab in Internet Options.
- Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
- Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.
- Open the powershell and execute following two commands to enable windows authentication in Chrome browser.
- You have successfully configured ADFS for Windows Authentication.
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")
Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents;
3. Configure DotNetNuke SAML Authentication Provider as Service Provider
- For configuring application in the authentication provider, click on the Add new IdP button in the Identity Provider Settings tab.
- Select ADFS from the list. You can also search for your Identity Provider using the search box.
- Under the Service Provider Settings tab, you can download SP metadata as a XML document or copy the metadata url.
- Alternatively, copy and paste the SP Entity ID and ACS Url from the SP metadata Table to your ADFS configuration page.
- To upload IdP's metadata, you can use the Upload IdP metadata button under the Identity Provider Settings tab, if you have the IdP metadata URL or the IdP metadata .xml file.
- Alternatively, you can copy the IDP Entity ID and Single Sign-On Url values from the IdP and fill them up under the Identity Provider Settings tab.
A] Select your Identity Provider
B] Configure your Identity Provider
C] Configure your Service Provider
4. Testing SAML SSO
- Click the Test Configuration button to verify if you have configured the plugin correctly.
- On successful configuration, you will get Attribute Name and Attribute Values in the Test Configuration window.
5. Attribute Mapping
- For attribute mapping select the Edit Configuration from the select actions dropdown.
- Map email and username with Attribute Name you can see in Test Configuration window and save the settings.
6. Get the Single Sign-On (SSO) link for your application
- You can find the SSO Link in the Action dropdown in Applications List of the authentication provider.
You can even configure the ASP.NET SAML Single Sign-On (SSO) module with any identity provider such as ADFS, Microsoft Entra ID (formerly Azure AD), Bitium, centrify, G Suite, JBoss Keycloak, Okta, OneLogin, Salesforce, AWS Cognito, OpenAM, Oracle, PingFederate, PingOne, RSA SecureID, Shibboleth-2, Shibboleth-3, SimpleSAML, WSO2 or even with your own custom identity provider. To check other identity providers, click here.
Additional Resources
- DNN SAML Single Sign-On (SSO)
- DNN OAuth Single Sign-On (SSO)
- ASP.NET SAML Single Sign-On (SSO)
- nopCommerce SAML Single Sign-On (SSO)
- Umbraco SAML Single Sign-On (SSO)
Need Help?
Not able to find your identity provider? Mail us on dnnsupport@xecurify.com and we'll help you set up SSO with your IDP and for quick guidance (via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.
Need Help? We are right here!
