
How to configure Short.io SSO via AD FS

Short.io supports Single Sign-On (SSO) integration with AD FS (Active Directory Federation Services). AD FS is a standard Windows Server role from Microsoft that lets users sign in to web applications with their existing Active Directory credentials.

Note

SSO is available on the Enterprise Plan.

Before you begin

You need to create a Team in Short.io before setting up SSO. Follow the instructions in this article.

Requirements

  • A server running Windows Server 2012 or 2008. This guide uses screenshots from Server 2012 R2; the steps on other versions are similar

  • An SSL certificate to sign your AD FS login page, and the fingerprint of that certificate

  • An Active Directory instance where all users have an email address attribute

  • Short.io Enterprise account

After you meet these basic requirements, you need to install AD FS on your server. Configuring and installing AD FS is beyond the scope of this guide, but is detailed in a Microsoft KB article.

When AD FS is fully installed, note down the value of the SAML 2.0/WS-Federation URL in the AD FS Endpoints section. If you chose the defaults during installation, this will be '/adfs/ls/'.

AD FS settings

Adding a Relying Party Trust

To create the connection between AD FS and Short.io you need to define a Relying Party Trust (RPT) as follows:

  1. Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust:

    Add Relying Party Trust Wizard welcome screen with Start button

  2. In the Select Data Source screen, select the last option, Enter Data About the Party Manually:

    Select Data Source screen with Enter data about the party manually option selected

  3. On the next screen, enter a Display name and optionally add notes:

    Specify Display Name screen with display name and notes fields

  4. On the next screen select the AD FS profile option:

    Choose Profile screen with AD FS profile option selected

  5. On the next screen, leave the certificate settings at their defaults:

    Configure Certificate screen with default empty certificate settings

  6. On the next screen, select the option Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be https://yourshort.domain/adfs/ls, replacing yourshort.domain with your Short.io domain. Note that there is no trailing slash at the end of the URL:

    Configure URL screen with SAML 2.0 WebSSO protocol enabled and service URL entered

  7. On the next screen, add a Relying party trust identifier of yourshort.domain, replacing yourshort.domain with your Short.io domain:

    Configure Identifiers screen with relying party trust identifier added

    Note

    If you enter yourshort.domain, and receive a request failure error, you may need to enter your subdomain as https://yourshort.domain.

  8. On the next screen, you may configure multi-factor authentication:

    Multi-factor authentication configuration screen with default settings

  9. On the next screen, select the option Permit all users to access this relying party:

    Issuance Authorization Rules with Permit all users option selected

  10. On the next two screens, the wizard will display an overview of your settings. On the final screen click on Close to exit and open the Claim Rules editor:

    Wizard finish screen with Edit Claim Rules dialog checkbox selected

Creating claim rules

Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard.

Edit Claim Rules dialog with empty Issuance Transform Rules list

To create a new rule:

  1. Click on Add Rule. Create a Send LDAP Attributes as Claims rule:

    Claim Rule Template selection with Send LDAP Attributes as Claims selected

  2. On the next screen, using Active Directory as your attribute store, do the following:

    • from the LDAP Attribute column, select E-Mail Addresses

    • from the Outgoing Claim Type, select E-Mail Address

      LDAP Email rule mapping E-Mail-Addresses attribute to E-Mail Address claim type

  3. Click on OK to save the new rule.

  4. Create another new rule by clicking on Add Rule, this time selecting Transform an Incoming Claim as template:

    Claim Rule Template selection with Transform an Incoming Claim selected

  5. On the next screen select:

    • E-mail Address as Incoming Claim Type

    • Name ID as Outgoing Claim Type

    • Email as Outgoing Name ID Format

      Email Transform rule with E-Mail Address as incoming and Name ID as outgoing claim type

  6. Click on OK to create the claim rule, and then again on OK in the last screen.

Adjusting the trust settings

For the final steps of your relying party trust settings select Properties from the Actions sidebar while you have the RPT selected. Proceed as follows:

  1. In the Advanced tab, make sure SHA-256 is specified as the secure hash algorithm:

    AD FS Advanced tab with Secure hash algorithm set to SHA-256

  2. In the Endpoints tab, click on Add SAML to add a new endpoint.

  3. Select SAML Logout as Endpoint type.

  4. Choose POST as Binding.

  5. For the Trusted URL, create a URL using:

    • the web address of your AD FS server

    • the AD FS SAML endpoint you noted earlier

    • the string '?wa=wsignout1.0'. The URL should look similar to: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0

    Edit Endpoint dialog with SAML Logout type and POST binding configured

  6. Confirm your changes by clicking OK on the endpoint and on the RPT properties. You should now have a working RPT for Short.io.

Note

Your instance of AD FS may have security settings in place that require all Federation Services Properties to be filled out and published in the metadata. Check with your team to see if this applies in your instance. If so, be sure to check the Publish organization information in federation metadata box.

Short.io settings

After setting up AD FS, you need to configure your Short.io account to authenticate using SAML. You will use your full AD FS server URL with the SAML endpoint as the SSO URL, and the login endpoint you created as the logout URL. The fingerprint is that of the token-signing certificate installed in your AD FS instance.

You can get the fingerprint by running the following PowerShell command on the system with the installed certificate:

C:\> Get-AdfsCertificate

Use the SHA256 thumbprint of the Token-Signing type certificate.
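As an added example (not from the article), the snippet below takes the primary Token-Signing certificate returned by Get-AdfsCertificate, computes its SHA-256 fingerprint for the Short.io SAML settings, and writes the public certificate as a Base64 (PEM) file for the Public certificate field in the steps that follow. It assumes the AD FS PowerShell module on the AD FS server; the output path is an assumption.

```powershell
# Added example: SHA-256 fingerprint and PEM export of the AD FS token-signing certificate.
Import-Module ADFS

# Pick the primary Token-Signing certificate (AD FS may hold a secondary one
# during a rollover); .Certificate is an X509Certificate2 object.
$cert = (Get-AdfsCertificate -CertificateType Token-Signing |
         Where-Object { $_.IsPrimary }).Certificate

# The Thumbprint column that Get-AdfsCertificate shows is the SHA-1 hash of the
# certificate, so compute SHA-256 over the DER-encoded certificate explicitly.
$sha256      = [System.Security.Cryptography.SHA256]::Create()
$hash        = $sha256.ComputeHash($cert.RawData)
$fingerprint = ($hash | ForEach-Object { $_.ToString('X2') }) -join ':'

Write-Output "Subject:     $($cert.Subject)"
Write-Output "Valid until: $($cert.NotAfter)"
Write-Output "SHA-256:     $fingerprint"

# When automatic certificate rollover is enabled, AD FS replaces this certificate
# before it expires, and the fingerprint stored in Short.io must be updated again.
Write-Output "AutoCertificateRollover: $((Get-AdfsProperties).AutoCertificateRollover)"

# Export the public certificate only (no private key) in PEM form for pasting.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\adfs-token-signing.cer" -Value $pem -Encoding ASCII   # assumed output path
```

Compare the printed SHA-256 value with the one you enter in Short.io, and note the Valid until date and the rollover setting: a changed token-signing certificate is the usual reason an SSO integration that once worked starts rejecting assertions.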

Follow the instructions below:

  1. Sign in to your Short.io account.

  2. Navigate to the Settings and click on Teams:

    Short.io Settings sidebar with Teams and SAML configuration highlighted

  3. Click on your team and then click SAML Configuration.

  4. In the next screen:

    • enable the SAML configuration:

      SAML configuration section with Config enabled toggle

    • enter the name of your company in the SSO configuration field:

      SSO configuration name field highlighted with YourCompanyName entered

    • paste the Trusted URL (which you applied in the relying party trust settings) into the Entry point URL field:

      Entry Point URL field with AD FS sign-out endpoint

    • open the certificate you downloaded in a text editor and paste its contents into the Public certificate field:

      Public certificate field highlighted with X509 certificate content pasted

    • you can specify whether or not the SSO is required for All members of the team or is Optional:

      SSO requirement options for the team with All members and Optional choices

    • expand the Advanced options and paste the web address of your AD FS server combined with the AD FS SAML endpoint (from the relying party trust settings) into the Service provider issuer field:

      Advanced options with Service provider issuer field highlighted containing AD FS endpoint URL

    • you can determine whether a profile should be updated each time the user logs in, and whether users are allowed to choose their own display name:

      SSO settings with profile update and display name options

    • you can change the appearance of the Sign in button by adding a custom label:

      Custom label field set to Sign in to Short.io with Save button

  5. Click on Save to confirm.

You can now use Single Sign-On with Short.io.

Note

The Short.io team configures SSO within 24 hours.

In case you need further assistance, please contact the Short.io support team at support@short.io.