Axero supports Microsoft Active Directory Federation Services (ADFS) / SAML 2.0 single sign-on (SSO). This page covers information about ADFS / SAML 2.0 SSO, walks you through configuring ADFS / SAML 2.0 SSO on your intranet, and provides solutions to common issues. For more information or assistance from the Axero team, submit a private case.
Upon visiting your intranet, users will be redirected to your organization's login page.
Logging in with Axero credentials
You can allow users to log in using Axero credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Axero login page. Users can either log in with Axero credentials or click Login via SAML to sign in using ADFS/SAML credentials.
Session expiration
By default, the session expires 30 days from the date of login. You can control when the session expires using System Properties > FormsAuthPersistentCookieTimeOutInMinutes. By default, this value is set to 43200, which is 30 days.When the property MakePermanentCookieForThirdPartyLogin is set to true, a cookie is generated for the user that expires based on the value found in FormsAuthPersistentCookieTimeOutInMinutes. If MakePermanentCookieForThirdPartyLogin is set to false, the user will be logged out when the browser is closed.
Return to top
After entering the site URL on the mobile app, users will be redirected to your organization's login page.
Logging in to the app with Axero credentials
You can allow users to log in to the app using Axero credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Axero login page after entering the site URL. Users can either log in with Axero credentials or click Active Directory Login to sign in using ADFS/SAML credentials.
Axero creates a user when the user logs in for the first time. However, you can add users to Axero before they log in using the methods below.
Bulk import users
Pre-populate users with Bulk Import Users before ADFS/SAML setup or launch. The Axero usernames you create must match those in Active Directory.
Add users
You can add users in Control Panel > People > Manage People > Add User. The Axero username you create must match the username in Active Directory.
REST API
You can use our REST API to import users.
Adding administrator accounts
If Axero administrator accounts are created before Active Directory is set up and the Axero usernames match Active Directory usernames, the administrator accounts will sync with the corresponding Active Directory accounts. If not, you must re-configure permissions for the admin Active Directory accounts and remove the previous Axero administrator accounts.
Any data can be imported from Active Directory if there are corresponding User Profile Fields in Axero. Attribute mappings must be added to Control Panel > System > SAML Single Sign On > Mapping. Enter the outgoing claim type as the property name in Axero. See the table below for common fields to import.
Note: The department field in Axero is a Picklist Field. When departments are imported from ADFS, they are created as new options in the picklist field.
You can also use SQL or our REST API to import user data into Axero.
User data, such as name, address, state, etc., is updated in Axero every time a user logs in. However, user data is not updated if the user checks "Remember Me" on the login page or if System Properties > EnableAutoLoginViaSaml is set to true.
When a user is disabled in Active Directory, this information is not sent to Axero. You can Delete User and their content or re-assign their content to another user or the system anonymous user. You can also Ban User, which will prevent the user from logging in but retain their content.
This guide walks you through how to enable ADFS single sign-on in Axero. Client-side setup is estimated to take 2 hours, and Axero team setup will take 1 to 2 hours. The time to set up SSO can vary based on how long it takes to set up internal systems and provide the Axero team with the required information. The total time for setting up SSO may take up to 1-2 business days.
Once you complete the guide, ADFS SSO will be active on your intranet. If you run into any issues, submit a case here for assistance.
Note: The Service provider (your Axero site) and Identity provider (ADFS) must run on HTTPS.
On the Welcome page, choose Claims aware and click Start.Note: If you don't see the Claims Aware section, click Start directly.
Click Add Rule
...
More properties:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDN"), query = ";Manager;{0}", param = c.Value);
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]&& c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ManagerDN"]=> issue(store = "Active Directory", types = ("Manager"), query = "(distinguishedName={1});samaccountname;{0}", param = c1.Value, param = c2.Value);
In the ADFS management console:
In Power Shell:
Run the following command:
Set-ADFSRelyingPartyTrust -TargetName <RelyingPartyTrustName> -SamlResponseSignature MessageAndAssertion
Replace <RelyingPartyTrustName> with your Relying Party Trust name. You can find your Relying Party Trust name in the Relying Party Trusts section of the ADFS management console.
Identity Provider Configuration
If you have installed ADFS properly, the following URL should give you a valid response in XML format: https://win-chqnt9vspbj.adfs.test/FederationMetadata/2007-06/FederationMetadata.xml(Replace https://win-chqnt9vspbj.adfs.test with your Identify Provider.)
To get the URL of your identity provider, go to the ADFS console and click Edit Federation Service Properties.
Now restart the server.
Next, you need to collect the following three values from ADFS FederationMetadata xml https://<adfsdomain>/FederationMetadata/2007-06/FederationMetadata.xml
In the image below, the highlighted portion is the Partner IDP.
Following is the value for "SingleSignOnServiceUrl" and "SingleLogoutServiceUrl" from that XML:
Those three values must be entered in Axero in Control Panel > System > Single Sign On > SAML. (See the Configure Axero section.)
Setup Confirmation
If your setup was done correctly, you will see the page below at https://WIN-CHQNT9VSPBJ.adfs.test/adfs/ls/. (Replace https://WIN-CHQNT9VSPBJ.adfs.test with your Identify Provider.)
If you don't see the page above, check your Windows Event Logs.
If you want to enable the SAML trace, add the following code in web.config:
<system.diagnostics> <trace autoflush="true"> <listeners> <add name="TextWriter"/> </listeners> </trace> <sources> <source name="ComponentSpace.SAML2" switchValue="Verbose"> <listeners> <add name="TextWriter"/> </listeners> </source> </sources> <sharedListeners> <!-- Ensure IIS has create/write file permissions for the log folder. --> <add name="TextWriter" type="System.Diagnostics.TextWriterTraceListener" initializeData="d:\logs\adfs-log.log"/> </sharedListeners> </system.diagnostics>
The above trace will help you to diagnose an error if it originates from the ADFS setup. initializeData is the path where logs will be written. Ensure the path you specify has write access to your web application.
Check that the server where ADFS is installed has the time set correctly. Incorrect server time can cause ADFS to malfunction.
SAML SSO and auto-login are now enabled.
How to disable SSO auto login
To disable SSO auto login, go to Control Panel > System > System Properties and set EnableAutoLoginViaSaml to false.
How to configure attribute mappings
In Control Panel > System > Single Sign On, click on the Data Mapping tab. Then select SAML in the Type menu. If you added more than the basic set of properties, you can add those here.
Advanced Configuration
When a user logs in using SAML, Axero synchronizes user data with the Single Sign-On (SSO) system. This process is automatic by default. You have the flexibility to customize this integration by adjusting system properties:
This property determines if SAML should create a new user automatically when a matching one isn't found during login. If the property is true, the system will automatically create a new user. Setting the property to false ensures that user accounts are not automatically created during SAML logins, providing a controlled approach to user management.
This option determines whether Axero will verify if the user logging in via SAML has a matching email address for the user with the same username. By setting the property to true, Axero will enforce the verification step. This added layer of security helps in scenarios where precise user validation is crucial. This verification step will be skipped when this property is set to false.
This property controls whether Axero will automatically update user data from the SSO system. By default, it is set to true, allowing automatic updates, which ensures the user information is up-to-date. To prevent automatic updates, set the property to false.
You can sync user roles from ADFS to Axero with the help of rules defined in ADFS.
Configure a custom rule
Another way to sync user roles is with Send Claims Using a Custom Rule as the rule template. This approach allows you to set a condition, and when it is true, it will issue a claim and return to the Relying party (Axero).
Claim rule language is used to define the rule. See this guide for information about claim rule language.
Example claim rule:
Notes:
Assign Users to Spaces According to their Roles
Once roles are synced with Axero, you can use User Space Assignment Rules to add users to specific spaces based on their roles.
Admins can enable tracking for SSO login and logout activities using the SAMLTrackingHours system property.
Navigate to Control Panel > System > System Properties.
Set the SAMLTrackingHours property to a value above 0 to enable SSO tracking. This value specifies the number of hours that login and logout activities will be logged. The property automatically resets to 0 after the specified number of hours.
Archiving: SSO log data can be managed through Log Archive Settings to ensure efficient storage
"The SAML encryption isn't encrypted."
Please check that the encryption certificate is configured in the Relying Party Trust.
"No AssertionConsumerService is configured on the relying party trust 'urn:abc:xyz' that is a prefix match of the AssertionConsumerService URL 'http://yourwesbite/SAML/AssertionConsumerService.aspx' specified by the request."
Check urn and AssertionConsumerService in both ADFS management and Axero.
On login: "Error creating your Active Directory account. Please contact your Site Administrator." In the exception log: "No attributes returned from Active directory. Please go to 'Active Directory Users and Computers' on ADFS Server, select the 'user@xyz.com' user, go to 'Account' tab, and check the 'User logon name' information that is present there."
The attributes could be empty in Active Directory for that user:
Error on ADFS login page:"Exception details: Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://yourcommunity/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details."Solution: The name in the urn field in ADFS relying on partner trust and Axero should match.ADFS setting screenshot:In Axero, check Control Panel > System > Single Sign On > SAML > Relying Party Trust Identifier.
Users can log in via ADFS/SAML using Chrome and Firefox, but not Internet Explorer.
Make sure that the SPN is configured properly for your ADFS service account. A service principal name (SPN) is a name that uniquely identifies an instance of a service. An SPN should be registered for your ADFS service account. To verify this, refer to the following instructions:
"Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)"
Ensure the following two properties have the https protocol you added in the ADFS configuration.
SingleSignOnServiceUrl="https://qaadfs.communifire.com/adfs/ls/"SingleLogoutServiceUrl="https://qaadfs.communifire.com/adfs/ls/"
"SAML authentication error: No attributes returned from Active directory."
Go to 'Active Directory Users and Computers' on ADFS Server, select the 'Administrator@adqa.communifire.com' user, go to the 'Account' tab, and the heck, the 'User logon name' information is present there.
Go to the AD controller, edit the user's login name, and enter a valid value.
"There is no SAML configuration."
Enable the SAML trace log by adding a diagnostic element (as described in the Configure ADFS section), and then check the error in the logs. The certificate path may be wrong or there may be duplicate certificate locations in both the Partner and Service provider.
"There is no such relying partner."
Ensure the Relying Partner Trust Identifier in Axero and ADFS management console match.
The identity provider doesn't allow the response to be signed.
Set WantSAMLResponseSigned to false in SAML config.
Make sure the domain name is entered in "Relying Party Identifiers" instead of urn:domain.
No AssertionConsumerService is configured on the relying party trust 'microsoft:identityserver:xxxxxxxxxxxxxxxxxxxx' that is a prefix match of the AssertionConsumerService URL
Make sure that the relying party trust identifier has the "SAML Assertion Consumer" Endpoint as https://{domain}/SAML/AssertionConsumerService.aspx
Example: https://myintranet.axero.com/SAML/AssertionConsumerService.aspx
is requesting access to a wiki that you have locked: https://my.axerosolutions.com/spaces/5/communifire-documentation/wiki/view/2207/adfs-saml-2-0-sso
Your session has expired. You are being logged out.