This guide outlines how to configure SSO in your organization for use with either Azure AD SSO or Windows Server ADFS.
1 Azure AD SSO
1.1 On-Premise Instance
To configure your on-premise Syngrafii instance to support Azure AD SSO you will have to register an App under your Azure AD (see Configuring Azure AD) and provide Syngrafii with the following details in a secure manner:
- Application (client) ID
- Directory (tenant) ID
- Client Secret
If you are managing your own server, please contact support@syngrafii.com for additional details.
1.2 Configuring Azure AD
Note:
When you see yourinstance.syngrafii.com URL referenced make sure you replace it with your Syngrafii instance URL.
- Login to Azure Portal
- Open appropriate Azure Active Directory
- Click App registrations
- Click New registration
- Under Name, enter Your Company | Syngrafii
- Under Supported account types, select Accounts in this organizational directory only (Single tenant)
- Under Redirect URI, select Web and enter https://yourinstance.syngrafii.com/sign-ad
- Click Register
- Click Authentication
a. Under Logout URL, enter https://yourinstance.syngrafii.com/signout
b. Under Implicit grant, enable ID tokens
c. Click Save
- Click Certificates & secrets
a. Click New client secret
b. Under Description, enter Syngrafii 2020
c. Under Expires, select preferred option
d. Click Add
- Click Token configuration
a. Click Add optional claim
b. Under Token type, select ID
c. Under Claim, select email, family_name, given_name
d. Click Add
- (Optional) Click Branding
a. Under Home page URL, enter https://yourinstance.syngrafii.com
b. Under Terms of service URL, enter https://yourinstance.syngrafii.com/terms
c. Under Privacy statement URL, enter https://yourinstance.syngrafii.com/privacy
d. Click Save
e. Under Publisher domain, select Update domain
f. Select Verify a new domain
g. (Optional) Under Publisher domain, enter yourinstance.syngrafii.com
i. Click Download
1. For Syngrafii hosted private instances send the file to Syngrafii and request that it be uploaded
2. For on-premise instances upload the file to the specified location
ii. After the file has been uploaded, click Verify and save domain
2 Windows Server AD FS
2.1 On-Premise Instance
To configure your on-premise Syngrafii instance to support Windows Server AD FS SSO you will have to configure a trusted WS-Federation relying party within Windows Server AD FS (see Configuring Windows Server AD FS) and provide Syngrafii with the following details:
- WS-Federation metadata endpoint
If you are managing your own server, please contact support@syngrafii.com for additional details.
2.2 Configuring Windows Server AD FS
Note:
When you see yourinstance.syngrafii.com domain referenced make sure you replace it with your Syngrafii instance domain.
- Start Administrative Tools > AD FS Management
- Click Add Relying Party Trust…
- Select Claims aware
- Click Start
- Select Enter data about the relying party manually
- Click Next
- Under Display Name field, enter Syngrafii
- Click Next
- Skip Configure Certificate by clicking Next
- Select Enable support for the WS-Federation Passive Protocol
- Under Relying party WS-Federation Passive protocol URL, enter https://yourinstance.syngrafii.com/sign-ws
- Click Next
- Configure Access Control Policy and click Next
- Review configuration and click Next
- Select Configure claims issuance policy for this application and click Close
- Click Edit Claim Issuance Policy…
- Click Add Rule…
- Select Send LDAP Attributes as Claims and click Next
- Under Claim rule name field, enter Active Directory
- Under Attribute store, select Active Directory
- Add the following mappings:
LDAP Attribute       | Outgoing Claim Type
E-Mail-Addresses     | E-Mail Address
Display-Name         | Name
Given-Name           | Given Name
Surname              | Surname
User-Principal-Name  | Name ID
- Click Finish
- Click OK
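The same relying party trust and claim rule can be created from the AD FS PowerShell module instead of the wizard. This is an added example, not part of the Syngrafii guide; it assumes it is run as an AD FS administrator on the AD FS server, that the relying party identifier is the passive endpoint URL (the wizard's default), and that the built-in "Permit everyone" access control policy is acceptable for your access control step.

```powershell
# Added example (not from the Syngrafii guide): scripted equivalent of the
# "Add Relying Party Trust" and "Send LDAP Attributes as Claims" steps above.
# Assumptions: run on the AD FS server as an AD FS administrator; the relying
# party identifier equals the WS-Federation passive endpoint (wizard default);
# the built-in "Permit everyone" access control policy is used.
Import-Module ADFS

$instance = "https://yourinstance.syngrafii.com"   # replace with your instance
$endpoint = "$instance/sign-ws"

# Claim rule language for the five LDAP attribute mappings in the table:
# E-Mail-Addresses -> E-Mail Address, Display-Name -> Name, Given-Name -> Given Name,
# Surname -> Surname, User-Principal-Name -> Name ID.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";mail,displayName,givenName,sn,userPrincipalName;{0}",
          param = c.Value);
'@

# Create the claims-aware trust with WS-Federation passive support enabled.
Add-AdfsRelyingPartyTrust -Name "Syngrafii" `
    -Identifier $endpoint `
    -WSFedEndpoint $endpoint `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $rules

# Check what was created, and print the federation metadata URL that section 2.1
# asks you to provide to Syngrafii.
Get-AdfsRelyingPartyTrust -Name "Syngrafii" |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
$fed = Get-AdfsProperties
"WS-Federation metadata endpoint: https://$($fed.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
```

Review the IssuanceTransformRules output against the table before sending the metadata endpoint to Syngrafii, since a missing Name ID or E-Mail Address claim is the usual cause of a failed sign-in.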