Enabling single sign-on via ADFS

Requires

  • Admin in Exchange
  • ADFS 2.0+

Supported Plans

  • Basic
  • Pro
  • Premium
  • Enterprise

Robin supports ADFS single sign on via SAML 2.0, which is available on ADFS version 2.0 and above. For general questions about SAML support, you may find this guide helpful. Keep in mind that SAML authentication is available for organizations on Enterprise plans.

Adding your ADFS identity provider to Robin

As an administrator, go to Settings > Integrations and scroll down to the Authentication methods to find an option for SAML SSO.

Authentication options for Robin

Click "Add" to bring up configuration options.

SAML Config Options

We will set up ADFS as a "Custom" type. Based on defaults for ADFS installs, the configuration options in Robin should be:

  • SAML SSO URL: https://yourdomain.com/adfs/ls
  • Identity Provider Issuer: https://yourdomain.com/adfs/services/trust

You can confirm your server's Federation Service Properties by right clicking the "Services" folder on ADFS, then "Edit Federation Service Properties". If you do not see this option, make sure you're on ADFS version 2.0 or higher, as ADFS 1.0 does not support SAML 2.0.

This guide will walk you through getting the certificate from ADFS a bit later. For now, expand Advanced Options and update two fields:

  • Uncheck Encrypt Assertion
  • Make sure to check "Windows" under Auth Context. You may leave "Password Protected Transport" enabled as well.

The end result should look something like this:

ADFS SAML Configuration

You can complete the rest of this setup via PowerShell or manually through your ADFS management console.

Option 1: PowerShell

You'll need to download RelyingPartyTrustClaimRules.xml first.

# Create the relying party trust for Robin; the identifier is Robin's Entity ID
Add-ADFSRelyingPartyTrust -Name "Robin Powered" -Identifier "https://robinpowered.com"

# Import the downloaded claim rules and SAML endpoints, then apply them to the trust
Import-Clixml "FULL PATH TO DOWNLOADED TRUST CLAIMS XML" | ForEach-Object {
    $samlEndpoints = foreach ($endpoint in $_.SamlEndpoints) {
        New-ADFSSamlEndpoint -Protocol $endpoint.Protocol -Uri $endpoint.Location -Binding $endpoint.Binding -IsDefault $endpoint.IsDefault -Index $endpoint.Index -ResponseUri $endpoint.ResponseLocation
    }
    Set-ADFSRelyingPartyTrust -TargetName "Robin Powered" -IssuanceTransformRules $_.IssuanceTransformRules -SamlEndpoint $samlEndpoints -SignatureAlgorithm $_.SignatureAlgorithm
}

Option 2: Manual Configuration

We'll use the AD FS management console to first add a new Relying Party Trust for Robin, then update the claims to include the user attributes required for successful SAML authentication.

Adding Robin as a Relying Party Trust

From the AD FS management console's Actions panel, select Add Relying Party Trust to open the setup wizard.

Add a trust party wizard

Select Enter data about the relying party manually.

Add a display name you'll recognize, like "Robin" or "Robin Powered", then click Next.

Display name for relying trust party

Select AD FS Profile, and then skip the next step. We will not need token encryption for this setup.

Select Enable support for the SAML 2.0 WebSSO protocol and enter: https://dashboard.robinpowered.com/sso/saml/custom as the relying party URL.

Add your SSO URL for Robin

Enter https://robinpowered.com as the Entity ID.

Robin Entity ID

Select Permit all users to access this relying party.

Once you've confirmed the settings are correct, you can save and close the wizard. With the trust for Robin created in AD, we'll need to update claims before connecting via SAML.

Adding Claims

Right click the trust created in the last section, and select Properties.

Under the Advanced tab, confirm the signature algorithm is set to SHA-256. Close the window when you're done.

SHA-256 for SAML

Right click the trust created for Robin again, and select Edit Claims.

In the new window, open the Issuance Transform Rules tab and click Add Rule > Send LDAP Attributes as Claims.

Enter a Claim rule name you'll recognize (e.g. "Robin SAML Attributes") and set Attribute store to Active Directory. Map the LDAP attributes to the Outgoing Claim Types listed below. Remember these are case-sensitive:

  • Given-Name (LDAP) > "FirstName" (Outgoing Claim Type)
  • Surname > "LastName"
  • E-Mail-Addresses > "Email"

AD FS Claim to SAML Attribute mapping

Confirm the claims are set up properly by clicking "View Rule Language", where you should see something like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("FirstName", "LastName", "Email"), query = ";givenName,sn,mail;{0}", param = c.Value);

Click "OK" to close the current window, then Add Rule > Transform an Incoming Claim.

Name this rule something like "Robin Name ID Transform" for easy reference, then update the following fields:

  • Incoming claim type: E-Mail Address
  • Outgoing claim type: Name ID
  • Outgoing Name ID format: Email
  • Enable Pass through all claim values

Map Name ID to email

View Rule Language should now look like this:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Click "OK" to close the current window, then Add Rule > Send Claims Using a Custom Rule.

Enter a Claim rule name you'll recognize (e.g. "Robin Email Transform") and then paste the below in as a custom rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
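To confirm that the three rules above actually produce what Robin expects before you enable SSO for everyone, here is an added check (not part of this article or of Robin's code) that parses a constructed, unsigned sample of the ADFS response and verifies the case-sensitive attribute names, the emailAddress Name ID format and the issuer. The issuer value is the default from the Robin configuration above; signature verification is deliberately out of scope here, since Robin performs it against the certificate you upload.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EXPECTED_ISSUER = "https://yourdomain.com/adfs/services/trust"  # default ADFS issuer used above
EXPECTED_ATTRS = ("FirstName", "LastName", "Email")               # case-sensitive outgoing claim types
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of what ADFS emits once the three rules are in place (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://yourdomain.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@yourdomain.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane@yourdomain.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_robin_claims(response_xml: str) -> list:
    """Return a list of problems; an empty list means the assertion carries what Robin expects."""
    problems = []
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        problems.append(f"issuer {issuer!r} != {EXPECTED_ISSUER!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # With "Encrypt Assertion" left on, ADFS sends EncryptedAssertion instead and Robin cannot read the claims.
        return problems + ["no plain Assertion element (encrypted assertion or malformed response)"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for name in EXPECTED_ATTRS:
        if not attrs.get(name):
            near = [n for n in attrs if n and n.lower() == name.lower()]
            hint = f" (found {near[0]!r}: names are case-sensitive)" if near else ""
            problems.append(f"attribute {name!r} missing" + hint)
    if name_id is not None and attrs.get("Email") and name_id.text != attrs["Email"]:
        problems.append("NameID does not match the Email attribute")
    return problems
```

Paste a real response captured from your own test login (for example via the browser's developer tools, base64-decoded) in place of the constructed sample to check your live configuration.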

Copy the Certificate

Via the AD FS management console, go to Service > Certificates, right click and select View Certificate.

View certificate in ADFS

Under the Details tab, select Copy to File to begin the export wizard.

Select Base-64 encoded X.509 (.CER), then choose a location to save your certificate. Skip through the rest of the wizard's defaults by clicking Next or OK until complete.

Copy the contents of the certificate file you just created, and paste it into the SAML configuration within Robin. Save your configuration, and SAML should now be enabled for your account.
