Single Sign-On - SAML Setup Guide for ADFS

Single Sign-On - SAML Setup Guide for ADFS

This guide demonstrates how to configure Active Directory Federation Services (ADFS) as an Identity Provider for Single Sign-On with Teamgage.


Not using ADFS? See Single Sign-On - SAML Setup Guide for more general guidance.


Before You Begin

To simplify setup, please check the following:

  1. Version: Check your version of ADFS and Windows Server.
    These instructions are tailored to ADFS 4.0, which is integrated with Windows Server 2016.
    If you are using a different version, please consider that some steps may differ slightly.
  2. Environment: Determine which Teamgage server you are connecting to: UAT or Production
    To ensure a smooth transition, we recommend first configuring SSO on our UAT (User Acceptance Testing) server to ensure compatibility with your environment.
    This can also be used to prepare for your organisation's change management process.
  3. LDAP Attribute: Verify which AD User property is used to store the relevant email address in Active Directory Users and Groups.
    Depending on your organisation's Active Directory and/or Exchange configuration, this could be:
    • E-Mail-Addresses
    • User-Principal-Name
    • or something else


Quick Info

Federation Metadata URL:

Claims Required:

  • Name ID: email address, UPN, or object GUID if available
  • Email Address: email address


Detailed Configuration Steps

  1. Open Administrative Tools > AD FS Management Console.
  2. Right-click on Relying Party Trusts > Add Relying Party Trust
  3. Create a Claims Aware application
  4. Import data about the relying party using the respective Federation metadata address
  5. Enter an appropriate Display Name such as: Teamgage - UAT
  6. Assign an Access Control Policy of Permit everyone.
    Per-user access control is managed within Teamgage based on your HR data, and does not need to be managed through SSO.
  7. Complete the Wizard and Configure claims issuance policy
    Alternatively: Right-click the application and select Edit Claim Issuance Policy.
  8. Add Rule
  9. Send LDAP Attributes as Claims
  10. Configure the Claim Rule
    1. Select the Attribute Store: Active Directory
    2. Add the following mappings of LDAP Attributes to Outgoing Claims:
      • E-Mail-Addresses (or correct attribute) -> Name ID

      • E-Mail-Addresses (or correct attribute) -> E-Mail Address

    3. Important: Ensure you select the correct LDAP Attribute for where your email address is stored.
      Depending on your environment, this might not be the "E-Mail-Addresses" field.
      See Before You Begin: 3. LDAP Attribute (above).

  11. Finish and OK

  12. To proceed with SSO activation, contact Teamgage Support with the following details:


Troubleshooting

Below are solutions to some common problems. If you have further difficulty, please contact Teamgage Support.

Error when submitting the Federation Metadata URL

Problem: You receive the error "The underlying connection was closed: An unexpected error occurred on a send."

Solution: ADFS uses the .NET Framework, which might need to be configured to use strong TLS encryption on outbound requests.

For more information see Microsoft Support Article: Considerations for disabling and replacing TLS 1.0 in ADFS.


    • Related Articles

    • Single Sign-On - SAML Setup Guide

      Using SAML authentication to provide a single sign-on experience for your organisation’s users can enhance your users’ experience in using Teamgage. Note that for users who only use Teamgage to submit their results and comments, we do not require ...
    • Microsoft Integration – SSO and Teams - Azure AD Setup Guide

      The Teamgage and Microsoft Teams integration allows your employees to access reports, leave feedback and collaborate without ever leaving Microsoft Teams. With Single Sign-On enabled, the app is seamlessly accessible, without any requirement to ...
    • Leader Quick Start Guide

      Information for a leader or manager to make a strong start in Teamgage Teamgage puts you and your team at the heart of the improvement process. It’s your process to own and shape with the team but we’ve a good idea of what works well. Ensure you ...
    • Email whitelisting - Technical Guide

      There are three steps which should be performed by your organisation's IT team to reliably receive Teamgage reminder/notification emails: IP Whitelisting on the inbound mail gateway Domain/Sender Whitelisting on the spam filtering appliance Safe ...
    • Can't access your dashboard?

      Information on the steps needed to gain access to your Teamgage dashboard Can’t access your dashboard? Follow the link in your welcome email from ‘mail@teamgage.com’ Tip: check your junk folder or you "other" (non-focused) inbox if you can’t locate ...