Configuring AD FS requires intricate knowledge of service management on the Windows platform. AD FS on Windows Server 2012 R2 is known to work; we have not tested other versions.
Please keep in mind that the following instructions are given as an example, and may differ from what is required in your particular situation.
-
On your Windows Server, open a Microsoft Management Console (mmc.exe) and add the AD FS administration tool snap-in. Click on Add Relying Party Trust…
-
Click on Start.
-
Select the radio button Enter data about the relying party manually and press Next.
-
Enter your application name and press Next.
-
Select AD FS Profile and press Next.
-
Optionally, select an encryption certificate and press Next.
-
Enter the URL where AD FS needs to send the claims and press Next.
https://YOUR_SITE_URL/saml/saml_login_response
-
Enter the URL of the relying party trust identifier and press Add.
https://YOUR_SITE_URL/saml/metadata
-
Press Next.
-
Optionally, configure the Multi-factor Authentication (MFA) and press Next.
-
Configure the issuance authorization rules and press Next.
-
Review the new configuration and press Next.
-
Finish and proceed to edit the claim rules.
-
In the Claim Rules editor, click Add Rule….
-
Select Transform an Incoming Claim and press Next.
-
Enter the rule name (e.g., NameId), select the claim type Windows account name, set the outgoing claim type to Name ID, and select the ID Format Transient Identifier. Then click Finish.
-
Back in the Claim Rules editor, click Add Rule….
-
Select Send LDAP Attributes as Claims and press Next.
-
Enter the rule name (e.g., User Information), select the attribute store Active Directory, and add mappings from the LDAP attributes Given-Name, Surname, E-Mail-Addresses and SAM-Account-Name to the outgoing claim types firstname, lastname, email and login_id respectively. Then click Finish. (IMPORTANT: we use the Windows login as the login_id, but you can select another unique value, such as the email address.)
-
Back in the Claim Rules editor, click Add Rule… one last time.
-
Select Send Claims Using a Custom Rule and press Next.
-
Enter the rule name (e.g., access), and enter the custom rule:
=> issue(Type = "access", Value = "true");
In this example, we allow access to Shotgun to everyone. You will likely want a different rule.
Then click Finish.
-
With these claims, the minimal amount of information required by Shotgun is present. Click on OK.
-
You are now able to test your SSO setup on Shotgun. Please note that we have left out the groups claim as it requires organization-specific information to configure the custom rules.
-
Provide the SSO configuration to your Shotgun Administrators. Usually these will look something like this:
SAML 2.0 Endpoint (HTTPS): https://YOUR_ADFS_SERVER/adfs/ls
Identity Provider Issuer: http://YOUR_ADFS_SERVER/adfs/services/trust
Please note that depending on your specific environment, the URL may use http or https. The SAML Authentication Test link (in the Site Preferences -> Authentication section) will let you know if there is a mismatch between the value in Shotgun and the expected value. It should be trivial to fix.
For the public certificate, you can download the Federation Metadata at:
https://YOUR_ADFS_SERVER/FederationMetadata/2007-06/FederationMetadata.xml
You will need to extract from the XML file:
Public Certificate: X509Certificate from the ds:Signature section.
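As an added example (not from the original guide or from Shotgun), the same relying party trust, the three claim rules and the handover values from the steps above, done with the AD FS PowerShell cmdlets on the AD FS server instead of the MMC snap-in; the site URL, the trust name and the group SID in the commented alternative are placeholders.

```powershell
# Added example, not part of the original guide: relying party trust and claim rules
# from the GUI steps, created with the ADFS module. Run elevated on the AD FS server.
Import-Module ADFS

$ShotgunUrl = "https://YOUR_SITE_URL"   # placeholder, no trailing slash

# Claim rule language equivalent of the GUI rules (NameId, User Information, access).
$transformRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "NameId"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

@RuleTemplate = "LdapClaims"
@RuleName = "User Information"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("firstname", "lastname", "email", "login_id"),
          query = ";givenName,sn,mail,sAMAccountName;{0}", param = c.Value);

@RuleName = "access"
 => issue(Type = "access", Value = "true");
'@
# Tighter alternative for the "access" rule (assumption: replace with your AD group's SID):
#   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-REPLACE-ME"]
#    => issue(Type = "access", Value = "true");

# Assertion consumer endpoint and identifier are the two URLs entered in the wizard.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
         -Uri "$ShotgunUrl/saml/saml_login_response" -Index 0

Add-AdfsRelyingPartyTrust -Name "Shotgun" `
    -Identifier "$ShotgunUrl/saml/metadata" `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Values for the Shotgun administrators, read from the server rather than copied out of
# FederationMetadata.xml; the primary token-signing cert is the X509Certificate in the metadata.
$props   = Get-AdfsProperties
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"SAML 2.0 Endpoint (HTTPS): https://$($props.HostName)/adfs/ls"
"Identity Provider Issuer:  $($props.Identifier)"
"Public Certificate:        $([Convert]::ToBase64String($signing.Certificate.RawData))"
```

Compare the printed issuer and certificate with what the SAML Authentication Test in Shotgun reports to catch an http/https mismatch before users are affected.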