Single Sign-On (SSO) Authentication with AD FS

Author: Krasto Milchev

Last Updated: May 22, 2023 13:54

Introduction

In this article, you'll learn how to set up Single Sign-On (SSO) authentication with AD FS. To learn more about enabling SSO authentication in OfficeRnD Flex, you can take a look at the Single Sign-On (SSO) Authentication article.

Keep in mind that when you activate an SSO authentication, the following OfficeRnD Flex authentication services are disabled:

The standard login with an OfficeRnD Flex user and password.
The "Reset password" links in OfficeRnD Flex.
The token for authentication that employees receive when invited to the Members Portal.

Set up Members Portal SSO

Login to your OfficeRnD Flex account.
Navigate to Settings/Integrations/Authentication.
Activate Members SSO Authentication.
Click Configure. This will open a pop-up window with fields we will use during the setup.
Open the AD FS Management application on your AD server and navigate to Application Groups.
On the Actions pane, click Add Application Group…
Type in Name, and choose Server application as Template. Click Next.
Switch to OfficeRnD and copy the Return URL from the configuration pop-up. Paste it into the Redirect URI field on the Server Application. Click Add. Check Admin SSO to activate that option as well.
Copy the Client ID from Client Identifier in AD FS and paste it in OfficeRnD.
Click Next on AD FS and select Generate a shared secret. Copy the secret and paste it into OfficeRnD's Client Secret field.
Click Next in the AD FS to review the summary, Next again, and Close to complete the wizard
Enter the Discovery URL in OfficeRnD. Use the below template and substitute <ADFS_ROOT> with your AD FS domain (e.g https://my.domain.org/adfs/.well-known/openid-configuration)
```
 <ADFS-ROOT>/.well-known/openid-configuration
```
Set the Email Claim field to upn.
Click Update to finish the set-up.

Enable Automatic Account Activation setting in OfficeRnD's configuration - With this setting enabled, members that already exist in OfficeRnD Flex will be allowed to log into the portal without needing to be explicitly invited. If this setting is disabled - members without prior access to the portal will need to have it Enabled by an administrator.

Set up Admin Portal SSO

Login to your OfficeRnD Flex account.
Navigate to Settings/Integrations/Authentication.
Activate Admin SSO Authentication.
Click Configure. This will open a pop-up window with fields we will use during the setup.
Open the AD FS Management application on your AD server and navigate to Application Groups.
On the Actions pane, click Add Application Group…
Type in Name, and choose Server application as Template. Click Next.
Switch to OfficeRnD and copy the Return URL from the configuration pop-up. Paste it into the Redirect URI field on the Server Application. Click Add.
Copy the Client ID from Client Identifier in AD FS and paste it in OfficeRnD.
Click Next on AD FS and select Generate a shared secret. Copy the secret and paste it into OfficeRnD's Client Secret field.
Click Next in the AD FS to review the summary, Next again, and Close to complete the wizard
Enter the Discovery URL in OfficeRnD. Use the below template and substitute <ADFS_ROOT> with your AD FS domain (e.g https://my.domain.org/adfs/.well-known/openid-configuration)
```
                <ADFS-ROOT>/.well-known/openid-configuration
```
Set the Email Claim field to upn.
Click Update to finish the set-up.

Below, you can find the steps to add Admin SSO along with an already set up Members SSO.

Navigate to Settings/Integrations/Authentication.
Activate Admin SSO Authentication.
Copy the Return URL from the Admin Portal section and Add it to the one from the above step 8.
Finish the setup.

Enforce SSO for All Admins - this option eliminates the OfficeRnD login (email and password) in favor of an entirely AD FS login. Otherwise, admins will have both options to choose from.