Learn how to connect Meisterplan with Active Directory Federation Services (ADFS) to enable SSO via SAML 2.0.
- Adding a Relying Party Trust in ADFS
- Entering Identity Provider Data in Meisterplan
- Adding Users in Meisterplan
- Logging in to Meisterplan via ADFS
Adding a Relying Party Trust in ADFS
First, you need to add a new Relying Party Trust for Meisterplan in ADFS. For this you will use the XML file containing the Service Provider Data, which can be downloaded from Meisterplan.
Step 1: Open the SAML configuration in Meisterplan under Manage > Users > Configure > SAML. If you don't initially see any data, click on Enable SAML.
Step 2: Click on Download Metadata XML File in order to save the XML file.
Step 3: Add a new Relying Party Trust in ADFS as described by Microsoft. In the Select Data Source step, select Import data about the relying party from a file, click on Browse... then select the location of the XML file downloaded in Step 2:
Click on Next.
Step 4: Complete the Relying Party Trust setup as described by Microsoft. In the last step, make sure to select Configure claims issuance policy for this application before clicking on Close:
Step 5: Add a new "Transform Claim" rule by clicking Add Rule:
Step 6: Depending on your ADFS setup, select a template for this rule. Below is an example of the template that is used for authentication via Active Directory ("AD based authentication"):
Step 7: Configure the rule depending on your ADFS setup. Below is an example of authentication via Active Directory ("AD based authentication"):
In the example, LDAP attributes are mapped to SAML fields. Under LDAP Attribute on the left, select the attribute whose value matches the Meisterplan username (e.g., "email@example.com" or "janet"), and under Outgoing Claim Type on the right, select the SAML field NameID.
Confirm by clicking Finish and then OK.
Step 8: Open the properties of the Relying Party Trust by right-clicking on it and selecting Properties:
Step 9: Select the Endpoints tab and click on Add SAML:
Step 10: Under Trusted URL, enter a URL according to the scheme <yourdomain>/adfs/ls/?wa=wsignout1.0:
Entering a Response URL is optional. Users will be forwarded to this URL after logging out.
Click OK to confirm.
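The same Relying Party Trust can be created from the ADFS PowerShell module instead of the wizard. The following script is an added example, not Meisterplan's or Microsoft's own code; it assumes the metadata file from Step 2 was saved to C:\Temp\meisterplan-sp-metadata.xml (assumed path), that the trust is named "Meisterplan" (assumed name), and that Meisterplan usernames are e-mail addresses stored in the LDAP "mail" attribute. It performs Steps 3 through 10: import the Service Provider metadata, add the claim rule that issues the NameID from the LDAP attribute, add the SAML logout endpoint, and list the result so the configuration can be checked.

```powershell
# Added example (not Meisterplan's or Microsoft's script). Run on the ADFS server
# in an elevated session with the ADFS module available.
Import-Module ADFS

$trustName    = "Meisterplan"                              # assumed trust name
$metadataFile = "C:\Temp\meisterplan-sp-metadata.xml"      # assumed path of the file from Step 2
$adfsHost     = (Get-AdfsProperties).HostName              # federation service FQDN, e.g. adfs.example.com

# Steps 5-7: issuance transform rule mapping the LDAP "mail" attribute to the
# SAML NameID claim. Use ";sAMAccountName;{0}" instead of ";mail;{0}" when
# Meisterplan usernames are short names such as "janet".
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Mail to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Users must still exist in Meisterplan; ADFS only decides who may obtain a token.
# This authorization rule permits every authenticated AD user to request one.
$permitRule = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Steps 3-4: create the Relying Party Trust from the Service Provider metadata.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $nameIdRule `
    -IssuanceAuthorizationRules $permitRule

# Steps 8-10: add the SAML logout endpoint (the "Trusted URL" of the article),
# keeping the endpoints that were imported from the metadata file.
$logoutEndpoint = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout `
    -Uri "https://$adfsHost/adfs/ls/?wa=wsignout1.0"
$imported = (Get-AdfsRelyingPartyTrust -Name $trustName).SamlEndpoints
Set-AdfsRelyingPartyTrust -TargetName $trustName -SamlEndpoint ($imported + $logoutEndpoint)

# Check: the trust is enabled, assertions are signed with SHA-256 and both the
# assertion-consumer endpoint from the metadata and the logout endpoint are listed.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, Enabled, SignatureAlgorithm,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Location)" } } }
```

The final Select-Object output is the quickest way to confirm that the metadata import took the Service Provider's entity ID and assertion-consumer URL, and that the signature algorithm reported is the SHA-256 one; the claim rules can be reviewed with Get-AdfsRelyingPartyTrust -Name "Meisterplan" | Select-Object -ExpandProperty IssuanceTransformRules.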
Entering Identity Provider Data in Meisterplan
Now you can enter the identity provider data provided by ADFS into Meisterplan.
Step 1: In ADFS, under Certificates > Token-signing, open the new certificate, switch to the Details tab, and click Copy to File:
Step 2: Follow the steps in the Export Wizard. In the Export File Format step, select Base-64 encoded X.509 (.CER). Save the file.
Step 3: Open the file with your desired text editor (e.g. Notepad), copy the content and paste it into the Meisterplan SAML configuration in the Identity Provider X.509 Certificate field. Enter the Identity Provider Entity ID, the SSO URL and the SLO URL in the corresponding fields in Meisterplan according to the following scheme:
- Identity Provider Entity ID: <yourdomain>/adfs/services/trust
- SSO URL: <yourdomain>/adfs/ls
- SLO URL: <yourdomain>/adfs/ls/?wa=wsignout1.0
When finished, click Apply.
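The certificate export and the three URLs can also be produced on the ADFS server without the Export Wizard. The script below is an added example, not Meisterplan's or Microsoft's own code; it assumes the ADFS module is available and writes to C:\Temp\adfs-token-signing.cer (assumed path). It exports the primary token-signing certificate in the same Base-64 encoded X.509 form the wizard produces in Step 2, and prints the Identity Provider Entity ID, SSO URL and SLO URL for Step 3 together with the certificate's expiry date.

```powershell
# Added example (not Meisterplan's or Microsoft's script). Run on the ADFS server.
Import-Module ADFS

$props    = Get-AdfsProperties
$adfsHost = $props.HostName                                 # e.g. adfs.example.com
$outFile  = "C:\Temp\adfs-token-signing.cer"                # assumed output path

# Step 1: the certificate ADFS currently uses to sign tokens is the primary
# Token-Signing certificate (the "new certificate" named in the article).
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$cert = $tokenSigning.Certificate                           # X509Certificate2

# Step 2: same result as the wizard's "Base-64 encoded X.509 (.CER)" option:
# DER bytes, Base-64 with line breaks, wrapped in PEM markers.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.Export('Cert'), 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Step 3: the values to paste into the Meisterplan SAML configuration.
[pscustomobject]@{
    'Identity Provider Entity ID' = $props.Identifier       # normally https://<yourdomain>/adfs/services/trust
    'SSO URL'                     = "https://$adfsHost/adfs/ls"
    'SLO URL'                     = "https://$adfsHost/adfs/ls/?wa=wsignout1.0"
    'Certificate file'            = $outFile
    'Certificate thumbprint'      = $cert.Thumbprint
    'Certificate valid until'     = $cert.NotAfter
    'Auto certificate rollover'   = $props.AutoCertificateRollover
}
```

The thumbprint and expiry date are worth recording: Meisterplan validates assertion signatures against the certificate pasted in this step, so when ADFS rolls over to a new token-signing certificate (automatically when Auto certificate rollover is True, or manually), the new certificate must be exported and pasted again or logins will start failing with signature errors.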
Adding Users in Meisterplan
Every user who logs in to Meisterplan via ADFS needs a corresponding user account in Meisterplan. ADFS does not auto-provision users: the NameID sent by ADFS must match an existing Meisterplan username.
Users are added in Meisterplan under Manage > Users, and user rights are configured under Manage > User Groups. For more details on user management in Meisterplan, see the articles Manage Users and Manage User Groups.
Logging in to Meisterplan via ADFS
To log in to Meisterplan as a user via ADFS, enter a URL according to the scheme https://us.meisterplan.com/<yoursystem>. This will redirect you to the ADFS sign-in page.
Administrators can still log in to Meisterplan via a URL according to the scheme https://us.meisterplan.com even without Single Sign-On.
For additional details on logging in via SSO, see the article Login.