Configuring SSO for Stax Cost & Compliance - AD FS

Learn how to integrate your company's Active Directory Federation Services implementation for federated login access into Stax's Cost & Compliance module.

Article Tags
On This Page
Before You BeginPrepare the SAML URIs and Obtain the CertificateConfigure AD FSConfigure Stax Cost & Compliance Module to Allow AD FS Sign-InHow Do You Know This Worked?See also

Stax's Cost & Compliance module integrates with your corporate identity provider using SAML. This allows you to bring your own identities and identity management controls to the Stax Cost & Compliance module. AD FS is a self-hosted identity platform that works well with Stax.

This guidance assumes you're subscribed to only the Stax Cost & Compliance module. If your AWS accounts are Stax-managed, review this article instead.

Before You Begin

  • Estimated time to complete: 1 hour
  • You need permissions to administer the AD FS environment
  • You must decide whether you wish for all users at your email domain (_@example.com_) to use SSO, or whether users should be required to access the trigger URL to invoke SSO

Prepare the SAML URIs and Obtain the Certificate

First, you'll need to determine some URIs. Thes must be generated by the Stax Support team for you. Please raise a support case to have the URIs generated. Let us know you're intending to use AD FS. You'll be provided with two URIs:

  1. A Relying Party Trust identifier
  2. A callback URL

Additionally, you'll need Stax's SAML request signing certificate. You can download it here.

Configure AD FS

  1. Open AD FS Management

  2. In the action pane, click Add Relying Party Trust

  3. Choose Claims aware then Start

  4. Choose Enter data about the relying party manually and then next

  5. Choose an appropriate name (e.g. Stax Cost & Compliance) then next

  6. There's no need to choose an encrypting certificate, so simply choose next

  7. Place a check in the Enable support for SAML 2.0 WebSSO Protocol checkbox, then add the callback URL you were provided by Stax Support. Choose next

  8. Enter the Relying Party Trust identifier provided to you by Stax Support, choose add, then next

  9. Choose the appropriate access mechanism for the application (Permit everyone, Permit specific group, or otherwise), then next

  10. Choose next then ensure that Configure claims issuance policy is checked before choosing close

  11. In the action pane, choose Edit Claim Issuance Policy then Add Rule

  12. Ensure Send LDAP Attributes as Claims is selected and choose next

  13. Give the policy a name, select the appropriate store (probably Active Directory) and set up a mapping like so:

    • Map LDAP E-Mail-Addresses to outgoing E-Mail Address
    • Map LDAP Display-Name to outgoing Name
    • Map LDAP User-Principal-Name to outgoing Name ID
    • Map LDAP Given-Name to outgoing Given Name
    • Map LDAP Surname to outgoing Surname
  14. Click Finish, Apply, then OK

  15. Select your Relying Party Trust, and click Properties in the action pane

  16. Choose the Signature tab

  17. Click Add, and choose the Stax request signing certificate you downloaded earlier

  18. Choose Add, and then Apply

Configure Stax Cost & Compliance Module to Allow AD FS Sign-In

Provide Stax Support with your federation metadata URL. You should also let us know if you'd like for SSO to be enabled for your entire email domain (e.g. anyone with an email address ending in _@example.com_), or whether users should be required to access the trigger URL to invoke SSO.

How Do You Know This Worked?

Next time you navigate to the trigger URL or provide your email address at the Stax Cost & Compliance module login page (in the case of email domain-wide enablement), you'll be redirected to AD FS to prove your identity.

See also