Configuring SSO for Stax Cost & Compliance - AD FS
Learn how to integrate your company's Active Directory Federation Services implementation for federated login access into Stax's Cost & Compliance module
Stax's Cost & Compliance module integrates with your corporate identity provider using SAML. This allows you to bring your own identities and identity management controls to the Stax Cost & Compliance module. AD FS is a self-hosted identity platform that works well with Stax.
Before You Begin
- Estimated time to complete: 1 hour
- You need permissions to administer the AD FS environment
- You must decide whether all users at your email domain (e.g. anyone with an address ending in @example.com) should use SSO, or whether users should be required to visit the trigger URL to invoke SSO
Prepare the SAML URIs and Obtain the Certificate
First, you'll need to determine some URIs. These must be generated for you by the Stax Support team, so please raise a support case to have them generated and let us know that you intend to use AD FS. You'll be provided with two URIs:
- A Relying Party Trust identifier
- A callback URL
Additionally, you'll need Stax's SAML request signing certificate, which AD FS uses to verify the signed authentication requests it receives from Stax. You can download it here.
Configure AD FS
1. Open AD FS Management
2. In the action pane, click Add Relying Party Trust
3. Choose Claims aware, then Start
4. Choose Enter data about the relying party manually, then Next
5. Choose an appropriate name (e.g. Stax Cost & Compliance), then Next
6. There's no need to choose a token encryption certificate, so simply choose Next
7. Place a check in the Enable support for the SAML 2.0 WebSSO protocol checkbox, then add the callback URL you were provided by Stax Support. Choose Next
8. Enter the Relying Party Trust identifier provided to you by Stax Support, choose Add, then Next
9. Choose the appropriate access mechanism for the application (Permit everyone, Permit specific group, or otherwise), then Next
10. Choose Next, then ensure that Configure claims issuance policy is checked before choosing Close
11. In the action pane, choose Edit Claim Issuance Policy, then Add Rule
12. Ensure Send LDAP Attributes as Claims is selected and choose Next
13. Give the rule a name, select the appropriate attribute store (probably Active Directory) and set up a mapping like so:
    - Map LDAP E-Mail-Addresses to outgoing E-Mail Address
    - Map LDAP Display-Name to outgoing Name
    - Map LDAP User-Principal-Name to outgoing Name ID
    - Map LDAP Given-Name to outgoing Given Name
    - Map LDAP Surname to outgoing Surname
14. Click Finish, Apply, then OK
15. Select your Relying Party Trust, and click Properties in the action pane
16. Choose the Signature tab
17. Click Add, and choose the Stax request signing certificate you downloaded earlier
18. Choose Add, and then Apply
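The same Relying Party Trust, claim mapping and request signing certificate can be registered with the AD FS PowerShell module instead of the management console. This is an added example, not Stax's own documentation or tooling; the identifier, callback URL and certificate path are placeholders you replace with the values from Stax Support and the certificate you downloaded.

```powershell
# Added example (not from Stax): create the Stax Cost & Compliance Relying Party
# Trust with the AD FS cmdlets. The three values below are placeholders.
Import-Module ADFS

$rpIdentifier = "REPLACE-WITH-RELYING-PARTY-TRUST-IDENTIFIER-FROM-STAX"  # placeholder
$callbackUrl  = "https://REPLACE-WITH-CALLBACK-URL-FROM-STAX"             # placeholder
$certPath     = "C:\certs\stax-request-signing.cer"                       # assumed path

# SAML 2.0 WebSSO endpoint: the callback URL is the assertion consumer service
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $callbackUrl -Index 0

# The LDAP attribute to outgoing claim mapping listed above, in claim rule language
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Stax Cost & Compliance attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
    query = ";mail,displayName,userPrincipalName,givenName,sn;{0}", param = c.Value);
'@

# "Permit everyone" access; swap in a group-based rule to restrict who may sign in
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Stax's request signing certificate, registered so AD FS can verify signed requests
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

Add-AdfsRelyingPartyTrust -Name "Stax Cost & Compliance" `
    -Identifier $rpIdentifier `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -RequestSigningCertificate $signingCert

# Confirm what was registered before sending your federation metadata URL to Stax Support
Get-AdfsRelyingPartyTrust -Name "Stax Cost & Compliance" |
    Select-Object Name, Identifier, SamlEndpoints, RequestSigningCertificate
```

Once the signing certificate is registered, AD FS can additionally be told to reject unsigned SAML requests for this trust (Set-AdfsRelyingPartyTrust -SignedSamlRequestsRequired $true); only do so if Stax signs every request it sends, which the page does not state.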
Configure Stax Cost & Compliance Module to Allow AD FS Sign-In
Provide Stax Support with your federation metadata URL. You should also let us know whether you'd like SSO to be enabled for your entire email domain (e.g. anyone with an email address ending in @example.org), or whether users should be required to visit the trigger URL to invoke SSO.
How Do You Know This Worked?
Next time you navigate to the trigger URL, or (if SSO was enabled for your whole email domain) enter your email address at the Stax Cost & Compliance module login page, you'll be redirected to AD FS to authenticate.