Version: 7.0

SSO configuration with AD FS

danger

Before configuring SSO, make sure that the APP_URL parameter in config.env matches the current Passwork domain, example — APP_URL=https://passwork.example.com

The following server names are used as examples:

Provider (IDP) — ad-fs.passwork.local
Passwork server (SP) — passwork.example.com

Adding a Relying Party Trust

Open — Server Manager → Tools → AD FS Management → Relying Party Trusts → Actions:

Example of creating a Passwork application

Perform the steps in the — Add Relying Party Trust Wizard:

Claims aware;
Enter data about the relying party manually;
Fill in the Display name (example: passwork-sp);
Skip the step — Configure Certificate, click Next;
At the Configure URL step:
1. Enable support for the SAML 2.0 WebSSO protocol;
2. Copy from Passwork in — Settings and Users → SSO Settings — the Reply URL;
3. Paste into Relying party SAML 2.0 SSO service URL — https://passwork.example.com/api/v1/sso/acs
At the Configure Identifiers step:
1. Copy from Passwork in — Settings and Users → SSO Settings — the Identifier;
2. Paste into Relying party trust identifier — https://passwork.example.com/api/v1/sso/metadata
Skip the step — Choose Access Control Policy, click Next;
Skip the step — Ready to Add Trust, click Next;

Example output of the created trust in PowerShell

PowerShell

Get-ADFSRelyingPartyTrust -Name "passwork-sp" # Command to display

AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy                : False
SigningCertificateRevocationCheck    : CheckChainExcludeRoot
WSFedEndpoint                        :
AdditionalWSFedEndpoint              : {}
ClaimsProviderName                   : {}
ClaimsAccepted                       : {}
EncryptClaims                        : True
Enabled                              : True
EncryptionCertificate                :
Identifier                           : {https://passwork.example.com/api/v1/sso/metadata}
NotBeforeSkew                        : 0
EnableJWT                            : False
AlwaysRequireAuthentication          : False
Notes                                :
OrganizationInfo                     :
ObjectIdentifier                     : 03363cb7-5eef-ef11-b8b3-000c2993a976
ProxyEndpointMappings                : {}
ProxyTrustedEndpoints                : {}
ProtocolProfile                      : WsFed-SAML
RequestSigningCertificate            : {}
EncryptedNameIdRequired              : False
SignedSamlRequestsRequired           : False
SamlEndpoints                        : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature                : AssertionOnly
SignatureAlgorithm                   : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime                        : 0
AllowedClientTypes                   : Public, Confidential
IssueOAuthRefreshTokensTo            : AllDevices
RefreshTokenProtectionEnabled        : True
RequestMFAFromClaimsProviders        : False
ScopeGroupId                         :
ScopeGroupIdentifier                 :
DeviceAuthenticationMethod           :
Name                                 : passwork-sp
AutoUpdateEnabled                    : False
MonitoringEnabled                    : False
MetadataUrl                          :
ConflictWithPublishedPolicy          : False
IssuanceAuthorizationRules           :
IssuanceTransformRules               :
DelegationAuthorizationRules         :
LastPublishedPolicyCheckSuccessful   :
LastUpdateTime                       : 01.01.1900 5:00:00
LastMonitoredTime                    : 01.01.1900 5:00:00
ImpersonationAuthorizationRules      :
AdditionalAuthenticationRules        :
AccessControlPolicyName              : Permit everyone
AccessControlPolicyParameters        :
ResultantPolicy                      : RequireFreshAuthentication:False
                                       IssuanceAuthorizationRules:
                                       {
                                         Permit everyone
                                       }
                                       
Get-ADFSRelyingPartyTrust -Name "passwork-sp" | Select-Object -ExpandProperty SamlEndpoints # Command to display

Binding          : POST
BindingUri       : urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Index            : 0
IsDefault        : False
Location         : https://passwork.example.com/api/v1/sso/acs
Protocol         : SAMLAssertionConsumer
ResponseLocation :                                       

Open the Properties of the created Relying Party Trust:

Open properties of the created application

In Properties, go to Endpoints and perform the following actions:

Add SAML;
Endpoint type — SAML Logout Endpoint;
Binding — Redirect;
Copy from Passwork in — Settings and Users → SSO Settings — the Logout URL;
Paste into Trusted URL — https://passwork.example.com/api/v1/sso/sls
Apply changes and close Properties.

Configuring request processing rules from SP (Passwork) in IDP (AD FS)

danger

Depending on the desired user login format in Passwork, you can configure processing rules so that the user format can be one of the following:

username
[email protected]

Please choose the required user login format in Passwork and configure accordingly.

In Relying Party Trusts, select the created trust (passwork-sp) and open — Edit Claim Issuance Policy:

Configuring processing rules for [email protected] format

Perform the following actions:

Add Rule;
Send LDAP Attributes as Claims;
Claim rule name — AttributeStatement;
Attribute store — Active Directory;
LDAP Attribute — User-Principal-Name;
Outgoing claim type — UPN.

Perform the following actions:

Add Rule;
Transform an Incoming Claim;
Claim rule name — Name ID Format;
Incoming claim type — UPN;
Outgoing claim type — Name ID;
Outgoing name ID format — Transient Identifier.

Example of configuring Name ID claim rule

Configuring processing rules for username format

Perform the following actions:

Add Rule;
Send LDAP Attributes as Claims;
Claim rule name — AttributeStatement;
Attribute store — Active Directory;
LDAP Attribute — SAM-Account-Name;
Outgoing claim type — E-Mail Address;

Perform the following actions:

Add Rule;
Transform an Incoming Claim;
Claim rule name — Name ID Format;
Incoming claim type — E-Mail Address;
Outgoing claim type — Name ID;
Outgoing name ID format — Transient Identifier.

Configuring additional attribute processing rules for passing to SP

Edit the created rule named AttributeStatement:

Pass to SP (Passwork) the Display-Name attribute:
1. LDAP Attribute — Display-Name;
2. Outgoing claim type — enter displayName;
Pass to SP (Passwork) the E-mail-Address attribute:
1. LDAP Attribute — E-Mail-Addresses;
2. Outgoing claim type — enter emailAddress;

Example of adding additional attribute claims

Configuring and filling Single Sign-On (SSO) parameters in Passwork

Filling in the "User Attributes" Values

Log in to the Passwork web interface, go to — Settings and Users → SSO Settings and fill in the attribute mappings:

Email attribute — emailAddress;
Full name attribute — displayName.

Filling in the "Identity Provider → Passwork" Values

Open AD FS Management → select the AD FS directory → Edit Federation Service Properties:

Copy the address — Federation Service Identifier → http://ad-fs.passwork.local/adfs/services/trust:

Open — Settings and Users → SSO Settings and fill in the values:

Identifier (Entity ID) — http://ad-fs.passwork.local/adfs/services/trust
Login URL — https://ad-fs.passwork.local/adfs/ls
Logout URL — https://ad-fs.passwork.local/adfs/ls/?wa=wsignout1.0

Filling in the "Certificate" Value

Open and export the generated SSL certificate in base64 format — AD FS Management → Service → Certificates → Token-signing:

Obtain the AD FS public SSL certificate in base64

Open the exported SSL certificate with Notepad, copy it and paste into the corresponding field — Settings and Users → SSO Settings.

Example of exported key in base64 format

base64

Filling in the "Additional Settings" Value

Paste the following content in JSON format:

json

{
	"sp": {
		"entityId": "https://passwork.example.com/api/v1/sso/metadata",
		"assertionConsumerService": {
			"url": "https://passwork.example.com/api/v1/sso/acs"
		},
		"singleLogoutService": {
			"url": "https://passwork.example.com/api/v1/sso/sls"
		},
		"NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
	}
}

danger

Replace the domain passwork.example.com in the URLs with your Passwork server domain.

Open the login window in the Passwork web interface and log in via SSO to verify the correct configuration:

LLM version

Adding a Relying Party Trust​

Configuring request processing rules from SP (Passwork) in IDP (AD FS)​

Configuring additional attribute processing rules for passing to SP​

Configuring and filling Single Sign-On (SSO) parameters in Passwork​

Filling in the "User Attributes" Values​

Filling in the "Identity Provider → Passwork" Values​

Filling in the "Certificate" Value​

Filling in the "Additional Settings" Value​

Adding a Relying Party Trust

Configuring request processing rules from SP (Passwork) in IDP (AD FS)

Configuring additional attribute processing rules for passing to SP

Configuring and filling Single Sign-On (SSO) parameters in Passwork

Filling in the "User Attributes" Values

Filling in the "Identity Provider → Passwork" Values

Filling in the "Certificate" Value

Filling in the "Additional Settings" Value