Planview Customer Success Center

Installing SSO using SAML for ADFS implementations (HTTPS required)

(Draft - to be confirmed)

Pre-installation steps for SSO

Before you begin, you must perform the Pre-installation steps for Single sign-on (SSO).

Collect configuration parameters

Determine the values for the following items, which will be used as replacement parameters during configuration.

Note: Ensure that the SAML_Identity_Provider URL is in the Intranet zone of the end user's browser, so that the browser sends the user's Windows credentials to ADFS automatically instead of prompting for them.


Parameter / Description

Enterprise_URI
    The domain identifier that you use for Changepoint, for example:
    https://changepoint.abc.corp

Enterprise_Path
    The location of the web application files.
    Default: <cp_root>\Enterprise\

ReportDesigner_URI
    The domain identifier that you use for Report Designer, for example:
    https://reportdesigner.abc.corp

ReportDesigner_Path
    The location of the Report Designer web application files.
    Default: <cp_root>\ReportDesigner\

Changepoint_RSA_Cookie_Transform
    The name of the certificate that you use for cookie encryption.
    Default: the "CN=ChangepointCookieCertificate" certificate name

Enterprise_SigningCertificate_Name
    The name of the certificate that you use for signing messages.
    Default: the "CN=ChangepointSigningCertificate" certificate name

Enterprise_SigningCertificate_Thumbprint
    The thumbprint of the certificate that you use for signing messages. A thumbprint identifies one specific certificate, so the default below is correct only for the certificate it was taken from; if the signing certificate was generated or replaced on your server, enter that certificate's thumbprint instead.
    Default: "78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5"

SAML_Identity_Provider
    The SAML Identity Provider URI, for example:
    https://adfsserver/adfs/ls/

SAML_Identity_Provider_Type
    The type of the SAML Identity Provider: ADFS20

SAML_Issuer
    The SAML Issuer required by the IdP. Leave blank.

SAML_Identity_Provider_Signing_Key
    The SAML Identity Provider Signing Key required by the IdP. Leave blank.

ClaimType
    The SSO claim type.
    Default: http://schemas.xmlsoap.org/ws/2005/0...ity/claims/upn
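The following PowerShell script is an added example for this page, not part of the Changepoint installation or its Configuration_SSO_SAML.ps1 script. Run on the Changepoint web server, it looks up the cookie and signing certificates by the subject names from the table above, checks that each has a private key and has not expired, and compares the installed signing certificate's thumbprint with the Enterprise_SigningCertificate_Thumbprint value you intend to enter. The values at the top are the table's defaults and examples; that the certificates live in the LocalMachine\My store is an assumption.

```powershell
# Added example for this page (not part of the Changepoint installation scripts).
# Run on the Changepoint web server before Configuration_SSO_SAML.ps1 to confirm
# that the certificates named in the parameter table exist and are usable.
# Values below are the table's defaults/examples; replace them with your own.
$ErrorActionPreference = 'Stop'

$EnterpriseUri      = 'https://changepoint.abc.corp'              # Enterprise_URI (example from the table)
$CookieCertSubject  = 'CN=ChangepointCookieCertificate'           # Changepoint_RSA_Cookie_Transform
$SigningCertSubject = 'CN=ChangepointSigningCertificate'          # Enterprise_SigningCertificate_Name
$SigningThumbprint  = '78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5'  # Enterprise_SigningCertificate_Thumbprint

# SAML SSO posts the assertion to Enterprise_URI/RP-STS_SAML/, so the URI must be HTTPS.
if (([Uri]$EnterpriseUri).Scheme -ne 'https') {
    throw "Enterprise_URI must use https, got: $EnterpriseUri"
}

function Get-ChangepointCertificate {
    param([Parameter(Mandatory = $true)][string]$Subject)
    # Assumption: the certificates are in the local machine Personal store, where
    # the IIS application pool identity can be granted read access to the private key.
    $found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate with subject '$Subject' in LocalMachine\My, found $($found.Count)"
    }
    $cert = $found[0]
    if (-not $cert.HasPrivateKey) {
        throw "Certificate '$Subject' has no private key; it cannot decrypt cookies or sign messages"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate '$Subject' expired on $($cert.NotAfter)"
    }
    return $cert
}

$cookieCert  = Get-ChangepointCertificate -Subject $CookieCertSubject
$signingCert = Get-ChangepointCertificate -Subject $SigningCertSubject

# A thumbprint is the SHA-1 hash of one specific certificate, so the documented
# default is only right if the installed signing certificate is the one it was taken from.
if ($signingCert.Thumbprint -ne $SigningThumbprint.ToUpperInvariant()) {
    Write-Warning ("Enterprise_SigningCertificate_Thumbprint '$SigningThumbprint' does not match the installed " +
                   "signing certificate '$($signingCert.Thumbprint)'; enter the installed value when prompted.")
}

# Values to enter at the Configuration_SSO_SAML.ps1 prompts.
New-Object PSObject -Property @{
    Enterprise_URI                           = $EnterpriseUri
    Changepoint_RSA_Cookie_Transform         = $cookieCert.Subject
    Enterprise_SigningCertificate_Name       = $signingCert.Subject
    Enterprise_SigningCertificate_Thumbprint = $signingCert.Thumbprint
    SigningCertificateExpires                = $signingCert.NotAfter
}
```

Run it from an elevated prompt, since reading the private-key flag on LocalMachine certificates needs administrator rights; a mismatch warning means the thumbprint in the table must not be used as-is.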

Create application

  1. In IIS, under Enterprise, convert the RP-STS_SAML folder to an application:
    • Alias name: RP-STS_SAML
    • Physical path: \<cp_root>\Enterprise\RP-STS_SAML
    • Authentication: Anonymous and Forms Authentication
    • Application pool: Application Pool
  2. Add Default.aspx to the Default Documents for the application.
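The script below is an added example, not from the Changepoint documentation: it performs the two "Create application" steps above with the IIS WebAdministration module so the result is repeatable, then reads the settings back from IIS. It assumes the Enterprise application sits under "Default Web Site" and that <cp_root> is C:\Changepoint; change the two path variables to match the server.

```powershell
# Added example (not from the Changepoint documentation): scripted equivalent of the
# "Create application" steps, using the IIS WebAdministration module on the web server.
# Assumptions: the Enterprise application lives under "Default Web Site" and
# <cp_root> is C:\Changepoint; adjust the path variables to match your server.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$SiteName     = 'Default Web Site'                        # assumed site hosting Enterprise
$AppName      = 'Enterprise/RP-STS_SAML'                  # application name relative to the site
$AppPool      = 'Application Pool'                        # pool named on this page
$PhysicalPath = 'C:\Changepoint\Enterprise\RP-STS_SAML'   # assumed <cp_root>\Enterprise\RP-STS_SAML
$IisPath      = "IIS:\Sites\$SiteName\$AppName"
$Location     = "$SiteName/$AppName"

if (-not (Test-Path $PhysicalPath)) { throw "RP-STS_SAML folder not found at $PhysicalPath" }

# 1. Convert the RP-STS_SAML folder to an application in the named pool (skip if already done).
if (-not (Get-WebApplication -Site $SiteName -Name $AppName)) {
    ConvertTo-WebApplication -PSPath $IisPath -ApplicationPool $AppPool | Out-Null
} else {
    Set-ItemProperty -Path $IisPath -Name applicationPool -Value $AppPool
}

# Authentication: Anonymous and Forms only. The IIS authentication modules are locked
# at server level, so they are set through applicationHost.config location tags;
# Forms authentication is an ASP.NET setting in the application's web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $IisPath -Filter 'system.web/authentication' -Name mode -Value 'Forms'

# 2. Add Default.aspx to the default documents unless it is already listed.
$docs = Get-WebConfigurationProperty -PSPath $IisPath -Filter 'system.webServer/defaultDocument/files' -Name Collection
if (-not ($docs | Where-Object { $_.value -eq 'Default.aspx' })) {
    Add-WebConfigurationProperty -PSPath $IisPath -Filter 'system.webServer/defaultDocument/files' `
        -Name '.' -Value @{ value = 'Default.aspx' }
}

# Verify what IIS now reports for the application.
$app = Get-WebApplication -Site $SiteName -Name $AppName
if (-not $app) { throw "Application $AppName was not created under $SiteName" }
if ($app.applicationPool -ne $AppPool) { throw "Application pool is '$($app.applicationPool)', expected '$AppPool'" }
$anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
$mode = Get-WebConfigurationProperty -PSPath $IisPath -Filter 'system.web/authentication' -Name mode
if (-not $anon.Value) { throw 'Anonymous authentication is not enabled on RP-STS_SAML' }
if ([string]$mode.Value -ne 'Forms') { throw "ASP.NET authentication mode is '$($mode.Value)', expected Forms" }
Write-Host "RP-STS_SAML is an application in pool '$AppPool' with Anonymous + Forms authentication and Default.aspx as a default document"
```

Windows authentication is switched off explicitly because the page lists only Anonymous and Forms for this application; the SAML response is an unauthenticated POST from the browser, which a Windows-authentication challenge on RP-STS_SAML would reject.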

Execute configuration scripts

Using the values collected under "Collect configuration parameters", modify the configuration of the websites:

  1. Open a PowerShell prompt.

    Note: If the server has User Account Control enabled, you must open the PowerShell prompt using elevated administrator permissions.

  2. Navigate to the configuration directory, default:

    <cp_common>\Configuration\Enterprise

  3. Execute:

    ./Configuration_SSO_SAML.ps1

  4. Follow the prompts.

Create relying party trust

  1. On the ADFS server, launch the ADFS 2.0 console
  2. Action > Add Relying Party Trust.
  3. Click Start.
  4. Select Enter data about the relying party manually, then click Next.
  5. Enter a Display name, for example, RP-STS_SAML, and then click Next.
  6. Select "ADFS 2.0 profile" and click Next. On the Configure Certificate page, click Next again without selecting a certificate (the optional encryption certificate is configured later, under "Encrypt messages from identity provider").
  7. Select Enable support for the SAML 2.0 WEBSSO protocol and enter the Relying party SAML 2.0 SSO service URL:

    https://Enterprise_URI/RP-STS_SAML/

    Replace Enterprise_URI with the domain identifier for Changepoint.

  8. Click Next.
  9. Add a Relying party trust identifier.

    https://Enterprise_URI/RP-STS_SAML/

    Replace Enterprise_URI with the domain identifier for Changepoint.

  10. Click Next, Next, Next, then Close.
  11. Add a Claim Rule for the above Relying Party. For Changepoint, the default Claim rule name is "UPN".
    1. Claim rule template: select "Send LDAP Attributes as Claims".
    2. Attribute store: select the store that holds the users' LDAP attributes.
  12. Map the LDAP Attribute "User-Principal-Name" to the Outgoing Claim Type "UPN".
  13. Specify that the Secure Hash Algorithm for this Relying Party Trust uses 'SHA-256':
    1. Double-click the newly created relying party and select the Advanced tab.
    2. Select the SHA-256 secure hash algorithm.
    3. Click OK.

Increase security token lifetime

Increase the TokenLifetime property of the relying party created above so that users are not shown a popup and forced to re-launch the session when the ADFS 2.0 security token expires. The default lifetime of an ADFS 2.0 security token is 60 minutes. A longer lifetime also keeps a captured token usable for longer, so do not raise it beyond what a working day requires.

Set the default lifetime of a security token to 8 hours (480 minutes):

  1. On the ADFS server, open a Windows PowerShell prompt.
  2. Add the ADFS 2.0 snap-in:

    Add-PSSnapin Microsoft.Adfs.PowerShell

  3. Display the relying party settings, including the current TokenLifetime:

    Get-ADFSRelyingPartyTrust -Name "relying_party"

    where "relying_party" is the display name from "Create relying party trust" above.

  4. Set the TokenLifetime value to 480 minutes:

    Set-ADFSRelyingPartyTrust -Targetname "relying_party" -TokenLifetime 480

  5. Set the signing certificate revocation check to none:

    Set-ADFSRelyingPartyTrust -TargetName "relying_party" -SigningCertificateRevocationCheck None

  6. Set the encryption certificate revocation check to none:

    Set-ADFSRelyingPartyTrust -TargetName "relying_party" -EncryptionCertificateRevocationCheck None

    Note: these two settings stop ADFS from checking revocation for the relying party's signing and encryption certificates. Disable revocation checking only when those certificates are self-signed and publish no revocation information; for CA-issued certificates keep the ADFS default (CheckChainExcludeRoot).
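As an added example, not from the Changepoint documentation or its scripts, the following script performs the "Create relying party trust" and "Increase security token lifetime" procedures above from PowerShell with the ADFS 2.0 snap-in, then reads the trust back and checks each setting this page requires. The display name and the Enterprise_URI value are the examples from this page; the UPN claim type is the standard WS-Federation UPN claim type, and the claim rule text is what the "Send LDAP Attributes as Claims" template generates for User-Principal-Name against the Active Directory attribute store.

```powershell
# Added example (not from the Changepoint documentation or its scripts): the
# "Create relying party trust" and "Increase security token lifetime" procedures
# done from PowerShell with the ADFS 2.0 snap-in. Run on the ADFS server as admin.
# Assumed values: display name RP-STS_SAML and the Enterprise_URI example from this page.
$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RpName        = 'RP-STS_SAML'
$EnterpriseUri = 'https://changepoint.abc.corp'      # Enterprise_URI
$RpUrl         = "$EnterpriseUri/RP-STS_SAML/"        # SAML 2.0 SSO service URL and relying party identifier
$UpnClaimType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'  # standard WS-Federation UPN claim type

# Assertion consumer endpoint: ADFS POSTs the signed SAML response to this URL.
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $RpUrl

# Claim rule "UPN": what the "Send LDAP Attributes as Claims" template produces for
# User-Principal-Name -> UPN, queried from the Active Directory attribute store.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$UpnClaimType"), query = ";userPrincipalName;{0}", param = c.Value);
"@
# Issuance authorization rule: permit all users (the wizard's default choice).
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

if (-not (Get-ADFSRelyingPartyTrust -Name $RpName)) {
    Add-ADFSRelyingPartyTrust -Name $RpName -Identifier $RpUrl -SamlEndpoint $acs `
        -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules
}

# SHA-256 signatures, 8-hour tokens, and no revocation check on the relying party's
# own certificates. Assumption: those certificates are self-signed and publish no CRL;
# for CA-issued certificates keep the default CheckChainExcludeRoot.
Set-ADFSRelyingPartyTrust -TargetName $RpName `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -TokenLifetime 480 `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# Read the trust back and check every setting this page requires.
$rp = Get-ADFSRelyingPartyTrust -Name $RpName
$problems = @()
if ($rp.TokenLifetime -ne 480) { $problems += "TokenLifetime is $($rp.TokenLifetime), expected 480" }
if ($rp.SignatureAlgorithm -notmatch 'rsa-sha256$') { $problems += "SignatureAlgorithm is $($rp.SignatureAlgorithm), expected RSA-SHA256" }
if ($rp.Identifier -notcontains $RpUrl) { $problems += "Identifiers do not include $RpUrl" }
if (-not ($rp.SamlEndpoints | Where-Object { [string]$_.Location -eq $RpUrl -and "$($_.Protocol)" -eq 'SAMLAssertionConsumer' })) {
    $problems += "No SAMLAssertionConsumer endpoint at $RpUrl"
}
if ($rp.IssuanceTransformRules -notmatch 'userPrincipalName') { $problems += 'UPN claim rule is missing' }
if ($problems) { throw ($problems -join [Environment]::NewLine) }
Write-Host "Relying party '$RpName': identifier $RpUrl, RSA-SHA256, token lifetime $($rp.TokenLifetime) min"
```

The identifier and the assertion consumer URL are deliberately the same string: Changepoint compares the Audience in the assertion against its own URL, so any difference in scheme, host or trailing slash between the two will surface as a rejected assertion rather than a login.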

Encrypt messages from identity provider (optional)

  1. Determine the actual value of the following item, which is used as a replacement parameter during configuration.
    • Enterprise_EncryptingCertificate_Name – The name of the certificate whose private key Changepoint uses to decrypt the messages that ADFS encrypts to it. Default: the "CN=ChangepointSigningCertificate" certificate, that is, the signing certificate is reused for encryption.
  2. Edit \RP-STS_SAML\Web.config.

    Replace Enterprise_EncryptingCertificate_Name with the actual value.

  3. Specify the Encrypting Certificate used for this Relying Party Trust:
    1. Copy ChangepointSigningCertificate.cer (the public certificate only, never the private key) from the Changepoint configuration directory to a local folder on the ADFS server (the SAML identity provider).
    2. Double-click the newly created relying party and select the Encryption tab.
    3. Click the Browse button and select the certificate that you copied above.
    4. Click OK.
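An added example, not from the Changepoint documentation: the same encryption setting applied from PowerShell on the ADFS server instead of through the Encryption tab, with a check that the trust ends up holding exactly the certificate that was copied over. The path of the copied .cer file is an assumption.

```powershell
# Added example (not from the Changepoint documentation): apply the optional
# encryption certificate to the relying party trust from PowerShell on the ADFS
# server, instead of the Encryption tab. The .cer path is an assumption.
$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RpName          = 'RP-STS_SAML'
$CerPath         = 'C:\Temp\ChangepointSigningCertificate.cer'  # assumed local copy of the .cer
$ExpectedSubject = 'CN=ChangepointSigningCertificate'           # Enterprise_EncryptingCertificate_Name default

# The .cer carries the public key only: ADFS encrypts assertions to it, and
# Changepoint decrypts them with the private key named in Web.config.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($cert.HasPrivateKey) { throw 'Load the public .cer, not a PFX; ADFS must never hold the relying party private key' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
if ($cert.Subject -ne $ExpectedSubject) {
    Write-Warning "Subject is '$($cert.Subject)'; Enterprise_EncryptingCertificate_Name in Web.config must name this certificate"
}

Set-ADFSRelyingPartyTrust -TargetName $RpName -EncryptionCertificate $cert -EncryptClaims $true

# Confirm by thumbprint that the trust now holds exactly the certificate loaded above.
$rp = Get-ADFSRelyingPartyTrust -Name $RpName
if (-not $rp.EncryptionCertificate -or $rp.EncryptionCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Encryption certificate on '$RpName' is not $($cert.Thumbprint)"
}
Write-Host "Assertions to '$RpName' will be encrypted to $($cert.Subject) ($($cert.Thumbprint), expires $($cert.NotAfter))"
```

If the certificate on the Changepoint side is ever renewed, both the Web.config name and this trust setting have to be updated together; the thumbprint check above is the quickest way to confirm the ADFS side after a renewal.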