Active Directory Federated Services (AD FS) Configuration

Configuring AD FS requires a working knowledge of service management on Windows Server. We have tested AD FS on Windows Server 2012 R2; other versions are untested and their wizard pages may differ from the ones shown here.

Please keep in mind that the following instructions are given as an example, and may differ from what is required in your particular situation.
  1. On your Windows Server, open a Microsoft Management Console (mmc.exe) and add the AD FS administration tool snap-in. Click on Add Relying Party Trust…
     
    Example app before

  2. Click on Start.
     
    Add Relying Party Trust Welcome

  3. Select the radio button Enter data about the relying party manually and press Next.
     
    Add Relying Party Trust Select Data Source

  4. Enter your application name and press Next.
     
    Add Relying Party Trust Specify Display Name

  5. Select AD FS Profile and press Next.
     
    Add Relying Party Trust Choose Profile

  6. Optionally, select a token encryption certificate and press Next. This is the relying party's (Shotgun's) certificate: if you set it, AD FS encrypts the assertion to it, so only do this if the service provider has been set up with the matching private key.
     
    Add Relying Party Trust Configure Certificate

  7. Enter the URL where AD FS must send the SAML response (the assertion consumer service endpoint, SAML 2.0 WebSSO with the POST binding) and press Next. It must be an https:// URL:
     
        https://YOUR SITE URL/saml/saml_login_response
     
    Add Relying Party Trust Configure URL

  8. Enter the relying party trust identifier and press Add. AD FS uses this value to match the Issuer (entityID) of the authentication requests Shotgun sends, so it must match that value exactly, including scheme, host and path:
     
        https://YOUR SITE URL/saml/metadata
     
    Add Relying Party Trust Configure Identifiers Enter

  9. Press Next.
     
    Add Relying Party Trust Configure Identifiers Add

  10. Optionally, configure the Multi-factor Authentication (MFA) and press Next.
     
    Add Relying Party Trust MFA

  11. Configure the issuance authorization rules and press Next. These rules decide who may obtain a token for this trust at all; if you choose to permit all users here, the restriction has to be made later in the access claim rule.
     
    Add Relying Party Trust Authorization Rules

  12. Review the new configuration and press Next.
     
    Add Relying Party Trust Review Infos

  13. Finish and proceed to edit the claim rules.
     
    Add Relying Party Trust Finish

  14. In the Claim Rules editor, click Add Rule….
     
    Edit Claim Rules Empty

  15. Select Transform an Incoming Claim and press Next.
     
    Edit Claim Rules Add Rule Transform Incoming Claim

  16. Enter the rule name (e.g., NameId), select the incoming claim type Windows account name, set the outgoing claim type to Name ID, and select the outgoing name ID format Transient Identifier. Then click Finish.
     
    Edit Claim Rules Add Name ID

  17. Back in the Claim Rules editor, click Add Rule….
     
    Edit Claim Rules Name ID

  18. Select Send LDAP Attributes as Claims and press Next.
     
    Edit Claim Rules Add Rule Send LDAP Attributes As Claims

  19. Enter the rule name (e.g., User Information), select the attribute store Active Directory, and add mappings for Given-Name, Surname and E-Mail-Addresses to the outgoing claim types firstname, lastname, and email respectively. Then click Finish.
     
    Edit Claim Rules Add User Information

  20. Back in the Claim Rules editor, click Add Rule… one last time.
     
    Edit Claim Rules User Information

  21. Select Send Claims Using a Custom Rule and press Next.
     
    Edit Claim Rules Add Rule Send Claims Using Custom Rule

  22. Enter the rule name (e.g., access), and enter the custom rule:
        => issue(Type = "access", Value = "true");
     
    This rule has no condition, so in this example every user who can authenticate to AD FS (and passes the issuance authorization rules from step 11) is granted access to Shotgun. You will likely want a rule with a condition instead, for example one that issues the claim only to members of a specific group.
     
    Then click Finish.
     
    Edit Claim Rules Add Access

  23. These three rules issue the minimum set of claims Shotgun requires: the Name ID, firstname, lastname, email, and access. Click on OK.
     
    Edit Claim Rules Access

  24. You are now able to test your SSO setup on Shotgun. Please note that we have left out the groups claim, as the custom rules for it require organization-specific information.
     
    Example App Final

  25. Provide the SSO configuration to your Shotgun Administrators. Usually these will look something like this:
        SAML 2.0 Endpoint (HTTPS): https://YOUR_ADFS_SERVER/adfs/ls
        Identity Provider Issuer: https://YOUR_ADFS_SERVER/adfs/services/trust
     
    The issuer is an identifier, not an address that gets fetched, so copy it exactly as AD FS reports it (the entityID attribute of the Federation Metadata, or the Identifier shown by Get-AdfsProperties in PowerShell). Note that a default AD FS installation uses http:// rather than https:// for this identifier even though the endpoint itself is https://.
     
    For the public certificate, you can download the Federation Metadata at:
        https://YOUR_ADFS_SERVER/FederationMetadata/2007-06/FederationMetadata.xml
    You will need to extract from the XML file:
        Public Certificate: X509Certificate from the ds:Signature section.
     
    AD FS signs this metadata with its token-signing certificate, which is the same certificate that signs the SAML responses. By default AD FS renews that certificate automatically (AutoCertificateRollover, yearly), after which responses will fail signature validation until the copy held by Shotgun is updated, so note the certificate's expiry date and plan to repeat this step before it rolls over.
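The following PowerShell script is an added example and is not part of the Shotgun documentation or of AD FS itself. It performs the same steps as the wizard walkthrough above (create the trust, the three claim rules, and collect the values from step 25) using the AD FS module that ships with Windows Server 2012 R2, and it replaces the unconditional access rule with one that only members of a given Active Directory group receive. The site URL, the trust name and the group name "Shotgun Users" are assumptions; the script also assumes the ActiveDirectory module (RSAT) is available on the AD FS server to resolve the group's SID, and it must be run in an elevated session on that server.

```powershell
# Added example, not from the Shotgun documentation: scripted equivalent of the
# Add Relying Party Trust wizard and the claim rules editor shown above.
Import-Module ADFS
Import-Module ActiveDirectory   # assumption: RSAT is installed; only used for Get-ADGroup

$siteUrl   = "https://YOUR_SITE_URL"   # assumption: replace with your Shotgun site
$trustName = "Shotgun"                 # assumption: display name from step 4
$groupName = "Shotgun Users"           # assumption: AD group that is allowed in

# Step 7: where AD FS POSTs the SAML response (assertion consumer service).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri "$siteUrl/saml/saml_login_response" -Index 0

# Group membership reaches the rule pipeline as groupsid claims, so the access
# rule compares against the SID rather than the group's display name.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Steps 14-22 in AD FS claim rule language. The first two rules are what the
# "Transform an Incoming Claim" and "Send LDAP Attributes as Claims" templates
# generate; the third replaces "=> issue(Type = "access", Value = "true");"
# with a conditional version so that only $groupName members get "access".
$transformRules = @"
@RuleName = "NameId"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

@RuleName = "User Information"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("firstname", "lastname", "email"), query = ";givenName,sn,mail;{0}", param = c.Value);

@RuleName = "access"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "access", Value = "true");
"@

# Step 11: issuance authorization. Everyone may obtain a token; the group test
# lives in the "access" claim, which is the value Shotgun actually checks.
$authzRules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Steps 1-13: create the trust. The Identifier must equal the Issuer/entityID
# that Shotgun sends in its authentication requests, byte for byte.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier "$siteUrl/saml/metadata" `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Step 25: the values the Shotgun administrators need. Reading the primary
# token-signing certificate from AD FS avoids copying it out of the metadata
# XML by hand; NotAfter tells you when the automatic rollover will replace it.
$props   = Get-AdfsProperties
$signing = (Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object IsPrimary).Certificate
[PSCustomObject]@{
    "SAML 2.0 Endpoint (HTTPS)" = "https://$($props.HostName)/adfs/ls"
    "Identity Provider Issuer"  = $props.Identifier
    "Public Certificate"        = [Convert]::ToBase64String($signing.Export("Cert"))
    "Certificate Expires"       = $signing.NotAfter
}
```

Run the script once; to change the rules later, pass the same strings to Set-AdfsRelyingPartyTrust with -TargetName instead of re-creating the trust. The Identity Provider Issuer printed at the end is the exact identifier AD FS will place in the SAML response, which is why it is read from Get-AdfsProperties rather than typed in.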
