This is a step-by-step guide to assist in the configuration of ADFS 3.0 and Gorilla Expense to provide Single Sign-On.
Prerequisites
- ADFS 3.0 Infrastructure
- ADFS Administrative Access
- Gorilla Expense SSO Login URL -> confirm with Gorilla Expense (default value: https://www.gorillaexpense.info/gorillapro/web/user/logonSSOACS)
Exporting the ADFS Token Signing Certificate
For the third-party online service to trust your Active Directory Federation Service and the authentication tokens it issues, you must provide them with the Token-signing certificate applied to your Federation Service endpoint. You can export the Token-signing certificate by following the steps below.
- Open “Server Manager” and under the “Tools” section select “AD FS Management”
- Wait for the AD FS Management page to load and expand the “Service” folder and then select the “Certificates” folder
- Locate and right-click the “Token-signing” certificate, and select “View Certificate”
- On the Certificate popup, select the “Details” tab and check the Signature hash algorithm field. Make sure it is sha1. If it is sha256, assign a new Token-signing certificate that uses the sha1 signature hash algorithm, then return to View Certificate -> Details and select “Copy to File”
- On the “Welcome to the Certificate Export Wizard” select “Next”
- On the “Certificate Export Wizard” page select “Do Not Export Private Key”, then on the next screen select “DER encoded binary X.509 (.CER)” for the format
Note: The Token-signing certificate is a self-signed certificate; any amendment to the certificate, or its expiry, means that the certificate will need to be exported and re-assigned again.
- Specify a path and name for the exported file and select “Next”.
- Select “Finish”
- Gorilla Expense requires this certificate in PEM format. You can convert it using client tools or even online tools such as SSL Shopper: take the DER/binary certificate just created and export it to Standard PEM format. Provide the resulting .crt file to Gorilla Expense.
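The export steps above can also be done from the ADFS server with PowerShell. This is an added example, not part of the guide: it reads the primary Token-signing certificate, reports its signature hash algorithm (the check from the Details step), writes the DER .cer file and produces the PEM .crt that Gorilla Expense needs. The output folder C:\Temp\adfs-export is an assumption.

```powershell
# Added example (not from the guide): export the ADFS Token-signing certificate,
# check its signature algorithm and write a PEM copy, without the GUI.
# Assumes it runs on the ADFS server with the ADFS PowerShell module available.
Import-Module ADFS

$outDir = 'C:\Temp\adfs-export'   # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# The primary Token-signing certificate is the one relying parties must trust
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$cert = $tokenSigning.Certificate   # X509Certificate2

Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Expires    : $($cert.NotAfter)"     # re-export is needed after renewal
Write-Host "Signature  : $($cert.SignatureAlgorithm.FriendlyName)"

# The guide requires a sha1-signed certificate; flag anything else so the operator
# knows a new Token-signing certificate must be assigned before exporting.
if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha1RSA') {
    Write-Warning "Token-signing certificate is $($cert.SignatureAlgorithm.FriendlyName), not sha1RSA."
}

# DER-encoded public certificate only ("Do Not Export Private Key"); the private
# key never leaves the ADFS server.
$derBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$derPath  = Join-Path $outDir 'adfs-token-signing.cer'
[System.IO.File]::WriteAllBytes($derPath, $derBytes)

# PEM is the Base64 of the same DER bytes, 64 characters per line, between
# BEGIN/END CERTIFICATE markers. This replaces the online conversion step.
$b64   = [System.Convert]::ToBase64String($derBytes)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
$pemPath = Join-Path $outDir 'adfs-token-signing.crt'
[System.IO.File]::WriteAllText($pemPath, $pem)

Write-Host "DER written to $derPath"
Write-Host "PEM written to $pemPath (provide this file to Gorilla Expense)"
```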
Configuring the Relying Party in Active Directory Federation Services
To create the relying party trust for Gorilla Expense, follow the steps below.
- Open the ADFS Management console and select Relying Party Trusts.
- Select Add Relying Party Trust… from the top right corner of the window.
- The Add Relying Party Trust Wizard appears. Click Start.
- Select the option Enter data about the relying party manually.
- On the next window, enter Gorilla Expense as the Display Name.
- Click Next until you reach the Configure URL screen. On this screen, select the SAML SSO option and enter the SSO login URL provided by Gorilla Expense (see the Prerequisites section).
- Click next. On the Configure Identifiers screen add https://www.gorillaexpense.info/gorillapro/web/user/trust (replace www.gorillaexpense.info with your domain name if hosting Gorilla Expense on-premise)
- Click next till you reach the finish screen and then click close. On clicking close the “Edit Claim Rules” window will show up
- You have to add two rules in this window:
  - Send LDAP Attributes as Claims
  - Transform an Incoming Claim
- Click on Add Rule to add the first rule and select Send LDAP Attribute as Claims as the claim rule template to use.
- Give the claim a name such as Get LDAP Attributes.
- Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
- Select Finish.
- Select Add Rule to add the second rule
- Select Transform an Incoming Claim as the claim rule template to use.
- Give it a name such as Email to Name ID.
- The Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1). The Outgoing claim type is Name ID and the Outgoing name ID format is Email. Pass through all claim values and click Finish.
- On clicking finish, you should see the two rules added
- Select the first rule and then the second, click the Edit Rule… button and then View Rule Language…
- The rules should match the following:
Rule #1:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
query = ";mail;{0}", param = c.Value);
Rule #2:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
= "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
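The same relying party trust and the two claim rules shown above can be created with the ADFS PowerShell module instead of the wizard. This is an added example and not part of the guide: it uses the identifier from the Configure Identifiers step, the default SSO URL from the Prerequisites (which must be confirmed with Gorilla Expense), and the rule language exactly as printed above; the permit-all authorization rule mirrors the wizard's default.

```powershell
# Added example (not from the guide): create the Gorilla Expense relying party
# trust and its two claim rules from PowerShell. Assumes it runs on the ADFS server.
Import-Module ADFS

$rpName     = 'Gorilla Expense'
$identifier = 'https://www.gorillaexpense.info/gorillapro/web/user/trust'       # replace host if on-premise
$ssoUrl     = 'https://www.gorillaexpense.info/gorillapro/web/user/logonSSOACS'  # confirm with Gorilla Expense

# The "SAML SSO" URL in the wizard is the SAML 2.0 Assertion Consumer Service (HTTP-POST)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $ssoUrl -Index 0 -IsDefault $true

# Rule #1 (LDAP mail -> E-mail Address) and Rule #2 (E-mail Address -> Name ID,
# email format), as shown under "View Rule Language" in the guide
$claimRules = @'
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Wizard default: "Permit all users to access this relying party"
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

if (Get-AdfsRelyingPartyTrust -Name $rpName) {
    throw "A relying party trust named '$rpName' already exists; edit it instead of recreating it."
}

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $claimRules `
    -IssuanceAuthorizationRules $authzRules

# Read back the trust and print the rule language, as the guide's last step does in the GUI
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, Enabled
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.IssuanceTransformRules
```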
Summary for Settings
Listed below is the information required to configure Gorilla Expense to use ADFS as the identity provider
Login Redirect URL | |
Logout Redirect URL | |
Timeout Redirect URL | |
Token Certificate Signing Algorithm | SHA1 |
Relying Party Trust Identifier | https://www.gorillaexpense.info/gorillapro/web/user/trust (replace www.gorillaexpense.info with your domain name if hosting Gorilla Expense on-premise) |
Mobile Redirect URL | https://adfsendpoint.domain.com/adfs/ls/idpinitiatedSignon.aspx?loginToRp=https://<GorillaExpenseMobileSSOURL> |