This guide demonstrates how to configure Active Directory Federation Services (ADFS) as an Identity Provider for Single Sign-On with Teamgage.

Not using ADFS? See Single Sign-On - SAML Setup Guide for more general guidance.

Before You Begin

To simplify setup, please check the following:

1. Version: Check your version of ADFS and Windows Server.
   These instructions are tailored to ADFS 4.0, which is integrated with Windows Server 2016.
   If you are using a different version, please consider that some steps may differ slightly.
2. Environment: Determine which Teamgage server you are connecting to: UAT or Production
   To ensure a smooth transition, we recommend first configuring SSO on our UAT (User Acceptance Testing) server to ensure compatibility with your environment.
   This can also be used to prepare for your organisation's change management process.
3. LDAP Attribute: Verify which AD User property is used to store the relevant email address in Active Directory Users and Groups.
   Depending on your organisation's Active Directory and/or Exchange configuration, this could be:
   • E-Mail-Addresses
     
   • User-Principal-Name
     
   • or something else

Quick Info

Federation Metadata URL:

• For UAT: https://uat.teamgage.com/Saml2
• For Production: https://www.teamgage.com/Saml2

Claims Required:

• Name ID: email address, UPN, or object GUID if available
• Email Address: email address

Detailed Configuration Steps

1. Open Administrative Tools > AD FS Management Console.
   
2. Right-click on Relying Party Trusts > Add Relying Party Trust
   
3. Create a Claims Aware application
   
4. Import data about the relying party using the respective Federation metadata address
   
   • UAT: https://uat.teamgage.com/Saml2
   • Production: https://www.teamgage.com/Saml2
5. Enter an appropriate Display Name such as: Teamgage - UAT
6. Assign an Access Control Policy of Permit everyone.
   Per-user access control is managed within Teamgage based on your HR data, and does not need to be managed through SSO.
   
7. Complete the Wizard and Configure claims issuance policy
   Alternatively: Right-click the application and select Edit Claim Issuance Policy.
   
8. Add Rule
   
9. Send LDAP Attributes as Claims
   
10. Configure the Claim Rule
    
    1. Select the Attribute Store: Active Directory
    2. Add the following mappings of LDAP Attributes to Outgoing Claims:

       • E-Mail-Addresses (or correct attribute) -> Name ID

       • E-Mail-Addresses (or correct attribute) -> E-Mail Address

    3. Important: Ensure you select the correct LDAP Attribute for where your email address is stored.
       Depending on your environment, this might not be the "E-Mail-Addresses" field.
       See Before You Begin: 3. LDAP Attribute (above).

11. Finish and OK
    

12. To proceed with SSO activation, contact Teamgage Support with the following details:

    • The Federation Metadata URL for your ADFS server
      Eg: https://adfs-host.example.net/FederationMetadata/2007-06/FederationMetadata.xml

    • A list of all email domains used within your organisation (or the relevant test/production environment)

Troubleshooting

Below are solutions to some common problems. If you have further difficulty, please contact Teamgage Support.

Error when submitting the Federation Metadata URL

Problem: You receive the error "The underlying connection was closed: An unexpected error occurred on a send."

Solution: ADFS uses the .NET Framework, which might need to be configured to use strong TLS encryption on outbound requests.

For more information see Microsoft Support Article: Considerations for disabling and replacing TLS 1.0 in ADFS.