DNN SAML Single Sign-On (SSO) with ADFS As IDP
DNN SAML Single Sign-On (SSO) module gives the ability to enable SAML Single Sign-On for your DotNetNuke applications. Using Single Sign-On you can use only one password to access your DotNetNuke application and services. Our module is compatible with all the SAML-compliant identity providers. Here we will go through a step-by-step guide to configure Single Sign-On (SSO) between DotNetNuke and ADFS considering ADFS as IdP.
Download and Install the module in DotNetNuke
- Download the package for DNN SAML Single Sign-On (SSO) module.
- Upload the installation package dnn-saml-single-sign-on_xxx_Install by going in Settings > Extension > Install Extension.
Steps to configure ADFS Single Sign-On (SSO) Login into DotNetNuke
1. Add module on DNN page
- Open any of the page on your DNN site (Edit mode) and Click on Add Module.
- Search for DNNSAMLSSO and click on the DNNSAMLSSO. Drag and drop the module on the page where you want.
- You have finished with the Installation of the module on your DNN site.
2. Configure ADFS as Identity Provider
- First, search for ADFS Management application on your ADFS server.
- In AD FS Management, select Relying Party Trust and click on Add Relying Party Trust.
- Select Claims aware from the Relying Party Trust Wizard and click on Start button.
Select Data Source
- In Select Data Source, select the data source for adding a relying party trust.
- Navigate to Service Provider Metadata section from the ASP.NET SAML module and copy the Metadata URL.
- Select Import data about the relying party published online or on the local network option and add the metadata URL in Federation metadata address.
- Click on Next.
Note: In the next step enter the desired Display Name and click Next.
Choose Access Control Policy
- Select Permit everyone as an Access Control Policy and click on Next.
Ready to Add Trust
- In Ready to Add Trust click on Next and then Close.
Edit Claim Issuance Policy
- In the list of Relying Party Trust, select the application you created and click on Edit Claim Issuance Policy.
- In Issuance Transform Rule tab click on Add Rule button.
Choose Rule Type
- Select Send LDAP Attributes as Claims and click on Next.
Configure Claim Rule
- Add a Claim Rule Name and select the Attribute Store as required from the dropdown.
- Under Mapping of LDAP Attributes to outgoing claim types, Select LDAP Attribute as E-Mail-Addresses and Outgoing Claim Type as Name ID.
- Once you have configured the attributes, click on Finish.
- After configuring ADFS as IDP, you will need the Federation Metadata to configure your Service Provider.
-
To get the ADFS Federation Metadata, you can use this URL
https://< ADFS_Server_Name >/federationmetadata/2007-06/federationmetadata.xml - You have successfully configured ADFS as SAML IdP (Identity Provider) for achieving ADFS Single Sign-On (SSO) Login
Windows SSO (Optional)
Follow the steps below to configure Windows SSO
Steps to configure ADFS for Windows Authentication
- Open elevated Command Prompt on the ADFS Server and execute the following command on it:
-
setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##
-
FQDN is Fully Qualified Domain Name (Example : adfs4.example.com)
-
Domain Service Account is the username of the account in AD.
-
Example : setspn -a HTTP/adfs.example.com username/domain
- Open AD FS Management Console, click on Services and go to the Authentication Methods section. On the right, click on Edit Primary Authentication Methods. Check Windows Authentication in Intranet zone.
- Open Internet Explorer. Navigate to Security tab in Internet Options.
- Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
- Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.
- Open the powershell and execute following two commands to enable windows authentication in Chrome browser.
- You have successfully configured ADFS for Windows Authentication.
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")
Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents;
3. Configure DotNetNuke SAML Module as Service Provider
- After configuring your Identity Provider, it will provide you with IDP Entity ID, IDP Single Sign On URL and x.509 Certificate. Configure these values under IDP Entity ID, Single Sign-On Url and SAML X509 Certificate fields respectively. (Refer to the Metadata provided by Identity Provider)
- Click Update to Save your IDP details.
4. Testing SAML SSO
- Click the Test Configuration button to verify if you have configured the plugin correctly.
- On successful configuration, you will get Attribute Name and Attribute Values in the Test Configuration window.
5. Adding Login/SSO Widget on DNN Page
- For Adding Button on the DNN page on beside the module settings click on the Add Item (Pencil Icon).
- Add Button name and Description for item and click on Save.
- You can see login button on the page after saving item. (If you are already logged in your site, you will see a "Logout" link).
- Note: If you want to Enable this button on every page of the DNN site follow below steps:
- Go to the Settings >> Module Settings >> Advanced Settings and Enable option for Display Module On All Page.
- Warning: You will lose all your configuration for the module after enabling this option. You can re-configure the module or it is better to enable this option before configuring the module.
6. Attribute Mapping
- Attributes are user details that are stored in your Identity Provider.
- Attribute Mapping helps you to get user attributes from your IdP and map them to DotNetNuke user attributes like firstname, lastname etc.
- While auto registering the users in your DotNetNuke site these attributes will automatically get mapped to your DotNetNuke user details.
- Go to DNNSAMLSSO Settings >> Advanced settings >> Attribute Mapping.
7. Role mapping (It is Optional to fill this)
- DotNetNuke uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site.
- DotNetNuke has five pre-defined roles: Administrators, Subscribers, Registered Users, Translator (en-US) and Unverified Users.
- Role mapping helps you to assign specific roles to users of a certain group in your IdP.
- While auto registering, the users are assigned roles based on the group they are mapped to.
You can even configure the ASP.NET SAML Single Sign-On (SSO) module with any identity provider such as ADFS, Azure AD, Bitium, centrify, G Suite, JBoss Keycloak, Okta, OneLogin, Salesforce, AWS Cognito, OpenAM, Oracle, PingFederate, PingOne, RSA SecureID, Shibboleth-2, Shibboleth-3, SimpleSAML, WSO2 or even with your own custom identity provider. To check other identity providers, click here.
8. Additional Resources
- DNN SAML Single Sign-On (SSO)
- DNN OAuth Single Sign-On (SSO)
- ASP.NET SAML Single Sign-On (SSO)
- nopCommerce SAML Single Sign-On (SSO)
- Umbraco SAML Single Sign-On (SSO)
Need Help?
Not able to find your identity provider? Mail us on dnnsupport@xecurify.com and we'll help you set up SSO with your IDP and for quick guidance (via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.
×
![ADFS_sso]()
Trending searches:
Hello there!
Need Help? We are right here!
