This guide explains how to set up Microsoft Active Directory Federation Services (AD FS) as a SAML IdP using Split's SAML 2.0 API, allowing users to log in to Split with their single sign-on (SSO) credentials. Learn more about configuring SAML in Split.
If you are a Split administrator, you can configure SAML in the Security section of Admin Settings.
- Go to Admin Settings > Security > SAML.
- Add your IdP metadata to the text area.
- Enable/disable SAML strict mode.
- Enable/disable just-in-time user provisioning.
- Click Save.
When you save these changes, Split shows a summary of the SAML configuration parameters. You use these settings when you configure the relying party trust in AD FS.
Add relying party trust
- Open the AD FS management console by going to the Server Manager console and selecting AD FS Management from the Tools list (on the right).
- Click Required: Add a trusted relying party.
- A walk-through opens to assist you in adding a new relying party trust to the AD FS configuration database. Read the instructions and click Next.
- Select Import data about the relying party from a file.
- Click Browse, select the metadata file, and then click Next.
- Provide a display name for the Trust, for example, Split, and then click Next.
- Select Permit all users to access this relying party, and then click Next.
- Review the settings, and then click Next.
- Click Close. This saves the trust and opens the Edit Claim Rules dialog.
We recommend two claim rules for brokering the SAML assertions. Follow the steps below to configure them.
- Click Add Rule.
- Select Send LDAP Attributes as Claims, and then click Next.
- Configure the rule as follows. When all settings are configured, click Finish.
- Set the Claim rule name as NameID.
- Set the Attribute store as Active Directory.
- Set the LDAP Attribute as User-Principal-Name.
- Set the Outgoing Claim Type as E-Mail Address.
- Add the second rule by clicking Add Rule.
- Select Transform an Incoming Claim, and then click Next.
- Configure the rule as follows. When all settings are configured, click Finish.
- Set the Claim rule name as Email Claim.
- Set the Incoming claim type as E-Mail Address.
- Set the Outgoing claim type as Name ID.
- Set the Outgoing name ID format as Email.
- Right-click the relying party trust, select Properties, and then open the Advanced tab.
- Select SHA-1 for the Secure hash algorithm, and then click Apply.
Note that AD FS defaults to SHA-256 and that SHA-1 is a deprecated signature algorithm. Select SHA-1 here only because the relying party expects it, and re-check this setting whenever the relying party's requirements change.
Split is now set up with AD FS.
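The relying party trust, the two claim rules, and the signature algorithm from the walk-through above, as an added example scripted with the AD FS PowerShell module. This is not code from the Split documentation or from Split. It assumes the trust is named Split and that Split's metadata file was saved to C:\Temp\split-metadata.xml (a hypothetical path); the claim rule language is what the Send LDAP Attributes as Claims and Transform an Incoming Claim templates generate. Run it in an elevated PowerShell session on the AD FS server.

```powershell
# Added example, not part of the Split documentation. Scripts the same
# relying party trust and claim rules the AD FS Management walk-through
# creates. Assumptions: trust name "Split"; metadata file path below is
# hypothetical.
Import-Module ADFS

$TrustName    = "Split"
$MetadataFile = "C:\Temp\split-metadata.xml"   # hypothetical path

# Claim URIs used by the wizard templates.
$EmailClaim       = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$NameIdClaim      = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$NameIdFormatProp = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
$EmailFormat      = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Rule 1 ("NameID"): read userPrincipalName from Active Directory and issue
# it as an E-Mail Address claim (Send LDAP Attributes as Claims).
# Rule 2 ("Email Claim"): transform that E-Mail Address claim into a Name ID
# with the Email name-ID format (Transform an Incoming Claim).
$TransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$EmailClaim"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Claim"
c:[Type == "$EmailClaim"]
 => issue(Type = "$NameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$NameIdFormatProp"] = "$EmailFormat");
"@

# "Permit all users to access this relying party" as an issuance
# authorization rule (AD FS 2012 R2 wizard behaviour).
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The walk-through selects SHA-1. AD FS defaults to SHA-256 and SHA-1 is
# deprecated; keep SHA-1 only because the relying party expects it.
$Sha1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
$Sha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataFile $MetadataFile `
    -IssuanceAuthorizationRules $AuthzRules `
    -IssuanceTransformRules $TransformRules `
    -SignatureAlgorithm $Sha1

# Verify: the trust exists, both rules are attached, and the signature
# algorithm is the one you intended.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$Trust | Select-Object Name, Identifier, SignatureAlgorithm, Enabled

# List the attached claim rule names; expect "NameID" and "Email Claim".
[regex]::Matches($Trust.IssuanceTransformRules, '@RuleName = "([^"]+)"') |
    ForEach-Object { $_.Groups[1].Value }

if ($Trust.SignatureAlgorithm -eq $Sha1) {
    Write-Warning "Relying party '$TrustName' signs with SHA-1; move to SHA-256 ($Sha256) as soon as the relying party accepts it."
}
```

On AD FS 2016 or later the wizard applies an access control policy instead of an authorization rule; there, replace `-IssuanceAuthorizationRules $AuthzRules` with `-AccessControlPolicyName "Permit everyone"`. To change only the hash algorithm on an existing trust, use `Set-AdfsRelyingPartyTrust -TargetName $TrustName -SignatureAlgorithm $Sha1`.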