
Planview Customer Success Center

Setting up SSO for Microsoft ADFS

ADFS Relying Party Claim Rules

           

NOTE

The following article applies to organizations that use Microsoft Active Directory Federation Services (ADFS) as their Single Sign-On provider. If using ADFS, follow the steps below when setting up SSO within Planview ID.

           

Planview ID requires the Planview ID email address to be sent in the NameID field of the SAML Subject. This procedure assumes you use the email address LDAP attribute as your Planview ID username, and it configures ADFS to send that attribute as the NameID:

  1. Right-click on the Relying Party and select Edit Claim Rules….
  2. On the Issuance Transform Rules tab select Add Rule….
  3. Select Send LDAP Attribute as Claims as the claim rule template to use.
  4. Give the Claim a name such as Get LDAP Attributes.
  5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to Name ID.
  6. Select Finish.
  7. Select Add Rule….
  8. Select Transform an Incoming Claim as the claim rule template to use.
  9. Give it a name such as Email to Name ID.

     Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1). The Outgoing claim type is Name ID and the Outgoing name ID format is Email. Pass through all claim values and click Finish.

  10. If you edit the existing rules and click View Rule Language…, they should match the following:

Rule #1:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);

Rule #2:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
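
To confirm that the two rules produce what Planview ID expects, the following added example (not part of the original article or of Planview's tooling) checks the Subject NameID of a test assertion for the emailAddress format and an email-shaped value. It assumes a SAML 2.0 assertion namespace; the function names, sample assertions and addresses are constructed for illustration, and the check inspects the NameID only and does not verify the assertion signature.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the relying party trust issues SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Format set by Rule #2 through the claimproperties/format property.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_name_id(assertion_xml):
    """Return a list of problems with the Subject NameID (empty list = OK)."""
    root = ET.fromstring(assertion_xml)
    name_ids = root.findall(".//saml:Subject/saml:NameID", NS)
    if not name_ids:
        return ["no NameID in the SAML Subject: is Rule #2 present?"]
    problems = []
    if len(name_ids) > 1:
        problems.append("more than one Subject NameID found")
    name_id = name_ids[0]
    fmt = name_id.get("Format")
    value = (name_id.text or "").strip()
    if fmt != EMAIL_FORMAT:
        problems.append("NameID Format is %r, expected %r" % (fmt, EMAIL_FORMAT))
    if not EMAIL_RE.match(value):
        problems.append("NameID value %r is not an email address" % value)
    return problems


def sample_assertion(name_id_xml):
    """Constructed, unsigned test assertion wrapping the given NameID element."""
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject>%s</saml:Subject>'
            '</saml:Assertion>' % (NS["saml"], name_id_xml))


# Constructed samples: what both rules should yield, and a misconfigured trust
# that passes the Windows account name through with no email format.
GOOD = sample_assertion(
    '<saml:NameID Format="%s">jdoe@example.com</saml:NameID>' % EMAIL_FORMAT)
BAD = sample_assertion(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    'EXAMPLE\\jdoe</saml:NameID>')
MISSING = sample_assertion("")

if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("bad", BAD), ("missing", MISSING)):
        print(label, check_name_id(xml) or "OK")
```

Run it against an assertion captured from a test sign-in to your own relying party; an empty result means the NameID carries the email format and value the rules above are meant to issue.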