Note: We provide basic support for SSO through these articles, but we are unable to offer any further assistance regarding the initial setup on your end. If there are errors, debug logs will need to be provided before we are able to assist.
Note: To view supported SAML claims, click here.
IMPORTANT: Please use Google Chrome and not Internet Explorer, as Internet Explorer may incorrectly present a security warning and you may not be able to save the page.
Configuring SkyPrep with ADFS is a multi-step process, and this article will serve to walk you through the procedure.
First, enable ADFS on your Windows Server.
Next, open the AD FS Management console.
Next, click on Add Relying Party Trust…
This should open the wizard. Click the Start button.
Select Enter data about the relying party manually.
Enter https://[your_skyprep_domain]/saml/consume as the display name.
Select AD FS profile
Check Enable support for the SAML 2.0 WebSSO protocol and enter “https://[your_skyprep_domain]/saml/consume”. Then click Next.
Add “https://[your_skyprep_domain]/saml/consume” in the Relying party trust identifiers.
Select I do not want to configure multi-factor authentication settings for this relying party trust at this time.
Select Permit all users to access this relying party.
In the Edit Claim Rules section, add the settings so they look like this:
You can add additional attributes to the SAML Claims.
These can be mapped as the following in the Outgoing Claim Type column:
User.EmailNotifications
User.Email
User.FirstName
User.LastName
User.Company
User.Title
User.Address
User.Address2
User.State
User.Zip
User.Cell
User.Phone
User.WorkPhone
User.Ssn
User.DateOfBirth
User.UserIdentifier
User.Gender
User.Ca0
User.Ca1
User.Ca2
User.Ca3
User.Ca4
User.Ca5
User.Ca6
User.Ca7
User.Ca8
User.Ca9
User.Ca10
You can also fix attributes to a specific value. For example, to set User.EmailNotifications to true, open Edit Claim Rules, click Add Rule, choose Send Claims using a Custom Rule, and set the rule as follows:
Then we need to get the Windows Server idP XML manifest file. This can be found by visiting: https://[WINDOWS_SERVER]/federationmetadata/2007-06/federationmetadata.xml
From the server itself, you can usually just visit https://localhost/federationmetadata/2007-06/federationmetadata.xml
Open the file you just downloaded with a text editor such as Notepad or Notepad++. Highlight all the text and copy it to your clipboard (Ctrl-C).
Next, go to the SAML configuration page at https://[your_skyprep_domain]/admin/program/saml and paste the copied text (Ctrl-V) into the idP Metadata (XML) field.
Optionally, enable Automatically Create / Add Users (JIT) and Automatically Add Users to Existing Groups.
To test the integration, visit
Troubleshooting
If your setup was previously working and suddenly isn’t, please double check the idP XML manifest file and update it in the integration settings listed in your account.
For example, whenever you update the SSL certificate on your ADFS server, make sure to update the metadata XML on the LMS as well. This usually happens once a year or so.
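The stale-metadata condition described above can be checked before users hit login errors. The following Python sketch is an added example, not SkyPrep's or Microsoft's code: it compares the signing-certificate fingerprints in the metadata copy pasted into the LMS against the server's current federationmetadata.xml. The function names, the host adfs.example.test and the sample documents are assumptions, and the certificate byte strings are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_fingerprints(metadata_xml):
    """Return SHA-256 fingerprints of the IdP signing certs in SAML metadata."""
    root = ET.fromstring(metadata_xml)
    prints = set()
    for idp in root.iter("{%s}IDPSSODescriptor" % NS["md"]):
        for kd in idp.findall("md:KeyDescriptor", NS):
            # No "use" attribute means the key serves signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.add(hashlib.sha256(der).hexdigest())
    return prints

def metadata_is_stale(stored_xml, live_xml):
    """True if the server now signs with a cert the stored copy does not list."""
    live = signing_fingerprints(live_xml)
    if not live:
        raise ValueError("no IdP signing certificate found in live metadata")
    return not live <= signing_fingerprints(stored_xml)

# Constructed sample data: placeholder bytes stand in for DER certificates.
OLD_CERT, NEW_CERT = b"constructed-old-cert", b"constructed-new-cert"

def sample_metadata(*signing, encryption=b"constructed-enc-cert"):
    """Build minimal ADFS-style metadata (hypothetical host adfs.example.test)."""
    def key(use, der):
        return ('<KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data>'
                '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>'
                '</ds:KeyInfo></KeyDescriptor>'
                % (use, base64.b64encode(der).decode()))
    keys = key("encryption", encryption) + "".join(key("signing", c) for c in signing)
    return ('<EntityDescriptor xmlns="%s" xmlns:ds="%s" '
            'entityID="http://adfs.example.test/adfs/services/trust">'
            '<IDPSSODescriptor>%s</IDPSSODescriptor></EntityDescriptor>'
            % (NS["md"], NS["ds"], keys))

if __name__ == "__main__":
    stored = sample_metadata(OLD_CERT)            # copy pasted into the LMS
    live = sample_metadata(OLD_CERT, NEW_CERT)    # server mid-rollover
    print("stale:", metadata_is_stale(stored, live))
```

With real data, pass the text saved from the federation metadata URL as `live_xml` and the text currently in the idP Metadata (XML) field as `stored_xml`.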