
ADFS

ADFS connection with SAML 2.0

To get to the ADFS connection screen, go to the GlobalSUITE Administration section and open the “Connections” option (as shown in the image). This option is available to Platinum, Gold, Consulting, Consulting Administrator, Platform Administrator, Enterprise Administrator and Configuration Administrator users.

This screen has several columns that are described below:

  • Name: Contains the name of the connection, which is used to identify it.

  • Type: Contains the type of connection; in this case it will be ADFS.

  • Host: In this case it will be empty.

  • User: Not required, so it appears empty.

  • Enabled: Indicates whether a connection is enabled or not.

The ADFS connection form consists of different fields, which are described below.

First, there is the "General Data" section:

  • Enabled: Indicates that the ADFS connection is enabled. Two ADFS connections cannot exist at the same time.

  • Type: Indicates the type of the connection (in this case, ADFS).

  • Name *: Required field; the name of the connection, used to refer to it in other options of the tool.

  • Trusted identifier: Generated automatically. It identifies the trust relationship established between the ADFS server and GlobalSUITE and must be unique.

  • SSO URL: When configuring a connection that uses the SP-initiated SSO method, enter the URL of the IdP service where authentication is performed via ADFS.

  • Logout URL: Address to which the user is redirected when a user authenticated via ADFS logs out. If left empty, the user is redirected to the GlobalSUITE® login view.

  • Enable encryption: ADFS connection configuration that allows the parameters received from the IdP to be encrypted.

  • Sign authentication request: Indicates that, with the SP-initiated SSO configuration, the authentication request sent to the IdP will be signed.

Second, there is the "Roles" section:

  • Role: Selects the default role assigned to users created on first access.

  • Sub-Role: In addition to the general role, a specific Company Role can be specified, within which those users are configured.

  • Create employee: If this field is checked, when a user is created with the first access, the associated employee will also be created, with the same data.

In principle, the roles can be obtained directly from the ADFS server; if no role data is received, or the data received is invalid, the roles configured in this section are used instead.

Third, there is the "IDP Certificate" section. Here you must upload a .crt file containing the certificate. It must be the same certificate used to sign the calls from the ADFS server for the configured trust relationship.

ADFS Server Configuration with SAML 2.0

The SAML 2.0 connection service url that must be entered in the server configuration is:

https://Domain_Name/Core/Adfs/trust.php

Where Domain_Name is the access URL of GlobalSUITE.

In the ADFS server configuration, the data passed in the request must include at least:

  • Id. Name (nameidentifier)

  • Email address (emailaddress)

If you want to send the role used to create new ADFS users, use the claim:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role

IMPORTANT: The name of the role that is sent from the ADFS server must match any of the roles configured in GlobalSUITE.

For more information about the ADFS server configuration you can access:

https://docs.microsoft.com/es-es/windows-server/identity/ad-fs/operations/create-a-relying-party-trust
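As an added example that is not part of the GlobalSUITE documentation, the relying party trust described above created with the AD FS PowerShell module: the access domain, the Trusted identifier value and the AD group SID are placeholders to replace with your own values.

```powershell
# Added example, not from the GlobalSUITE documentation: create the relying party
# trust for GlobalSUITE on the AD FS server. Placeholders to replace: the access
# domain, the "Trusted identifier" copied from the GlobalSUITE connection form,
# and the SID of the AD group whose members should receive the role.
Import-Module ADFS

$domain     = "sg.example.com"                            # placeholder access domain
$identifier = "TRUSTED_IDENTIFIER_FROM_GLOBALSUITE_FORM"   # placeholder
$acsUrl     = "https://$domain/Core/Adfs/trust.php"        # SAML 2.0 service URL expected by GlobalSUITE

# Endpoint where AD FS POSTs the SAML response.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                            -Uri $acsUrl -IsDefault $true -Index 0

# Claim rules: nameidentifier and emailaddress are read from Active Directory;
# the role claim is issued from a group membership. Its value must be spelled
# exactly like a role configured in GlobalSUITE, otherwise the default role applies.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "GlobalSUITE identity claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "GlobalSUITE role from AD group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-GROUP-SID", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Consulting",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Authorization rule: any authenticated user; restrict further by group if required.
$authz = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# If "Sign authentication request" is enabled in GlobalSUITE, also pass
# -SignedSamlRequestsRequired $true and -RequestSigningCertificate with the GlobalSUITE signing certificate.
Add-AdfsRelyingPartyTrust -Name "GlobalSUITE" -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules $authz `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Export the primary token-signing certificate: this is the file to upload in the
# "IDP Certificate" section of the GlobalSUITE connection (DER-encoded; the path is a placeholder).
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
Export-Certificate -Cert $signing -FilePath "C:\temp\adfs-token-signing.crt" | Out-Null
```

The role value emitted by the group rule ("Consulting" here) is an assumption; it has to match one of the roles configured in GlobalSUITE, as the note above states.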

ADFS Authentication with SAML 2.0

There are two types of authentication with ADFS:

  • IDP initiated SSO: the authentication process is initiated by the IdP. The user has a list of “corporate applications”, selects the GlobalSUITE entry and starts authentication. Below is a typical image of this application form.

  • SP initiated SSO: the authentication process is initiated by GlobalSUITE. To use this method you must access a specific URL, formed by concatenating the GlobalSUITE URL with the text ?issuer=trust_identifier, where the trust identifier is the code generated in the connection and shown in the field with the same name (see section 1 of this document).
    An example URL is:
    https://sg.globalsuite.es/Core/index.php?issuer=a443c212c23af8ea8a107af75345

Authentication with ADFS has the following characteristics:

  • If the user accesses the tool for the first time through ADFS, a user is created automatically with the username provided in the SAML request and the rest of the mapped attributes.

  • If the username already exists in GlobalSUITE® and does not correspond to the user created on the first connection, an error message is thrown.
