You need to obtain the valid public key from AD FS (the .cer file) to sign SAML requests coming from Yellowfin. It goes into onelogin.saml.properties in text form, as a single-line value:
onelogin.saml2.idp.x509cert =MIIC2DCCAcCgAwIBAgIQfdRAAWmWko1IsimA004o3TANBgkqhki…
Download the signing certificate from AD FS:
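As an added example (not part of the Yellowfin or AD FS documentation), the following PowerShell produces the single-line value for onelogin.saml2.idp.x509cert from the AD FS token-signing certificate and records the details you will want when the certificate changes. It assumes it is run on the AD FS server with the AD FS cmdlets loaded; the fallback file path C:\temp\adfs-token-signing.cer is an assumption.

```powershell
# Added example: export the AD FS token-signing certificate as the
# single-line base64 value that onelogin.saml2.idp.x509cert expects.
# Assumes the AD FS PowerShell cmdlets are available on this server.

# Prefer the primary token-signing certificate straight from AD FS ...
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary } |
           Select-Object -ExpandProperty Certificate

# ... or, if you only have the downloaded .cer file, load that instead
# (path is an assumption; adjust to where you saved the export).
if (-not $signing) {
    $signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\adfs-token-signing.cer'
}

# DER bytes, base64-encoded, with no PEM header/footer and no line breaks:
# exactly the form shown in the properties file.
$b64 = [Convert]::ToBase64String($signing.RawData)

# Record what you are trusting so a later certificate rollover is noticed.
"Subject    : $($signing.Subject)"
"Thumbprint : $($signing.Thumbprint)"
"NotAfter   : $($signing.NotAfter)"
"onelogin.saml2.idp.x509cert = $b64"
```

Keep the thumbprint and NotAfter date with your configuration notes: AD FS can roll over its token-signing certificate automatically, and when it does, the value in onelogin.saml.properties must be replaced or signature validation on the Yellowfin side will fail.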
To register the Yellowfin SAML bridge service provider, use samlbridge/metadata.jsp. You need to provide it in the form of a URL, for instance: http://yellowfin:8080/samlbridge/metadata.jsp. Ensure that the URL is reachable from the AD FS server. It pulls its details from samlbridge/WEB-INF/classes/onelogin.saml.properties.
Note. Each time you modify onelogin.saml.properties, you need to update the Yellowfin Relying Party Trust metadata in AD FS.
More details about registering a service provider in AD FS can be found at https://technet.microsoft.com/en-us/library/adfs2-help-how-to-add-a-relying-party-trust(v=ws.10).aspx
On the ‘Select Data Source’ page, provide a display name for the service provider:
This is going to be the application name visible to the user, as well as part of the SSO URL in the onelogin.saml.properties file:
onelogin.saml2.idp.single_sign_on_service.url = https://adfs.local/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=Yellowfin
On the next page, select ‘I do not want to configure multi-factor authentication settings for this relying party trust at this time’. Configuring multi-factor authentication is out of scope here. Click ‘Next’.
Select the ‘Permit all users to access this relying party’ radio button. Click ‘Next’ through the remaining pages.
Once you have registered the Yellowfin SAML Bridge in AD FS, you will be prompted to set up claim rules. See below for more information on those.
Note: SAML requires a Name ID as part of the AD FS response; ensure that you pass it in the proper format.
For instance, if you define the Name ID format in onelogin.saml.properties like below:
onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
That means AD FS must pass the user's email address as the Name ID. Your claim rules should look like the ones below.
Request AD attributes
Transform email address into name ID
AD FS 2.0 provides the IdpInitiatedSignOn.aspx page to handle SAML-based IdP-initiated single sign-on (SSO). This functionality enables a user to sign on locally to the AD FS 2.0 server using the SAML protocol, or to sign on to Web SSO-compatible relying party (RP) applications such as Yellowfin.
These go into onelogin.saml.properties in URL form:
onelogin.saml2.idp.entityid = https://<ADFS domain name>/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=<RP>
onelogin.saml2.idp.single_sign_on_service.url = https://<ADFS domain name>/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=<RP>
where <RP> is the display name that you defined when registering the Yellowfin SAML Bridge service provider in AD FS.
More information about IdpInitiatedSignOn.aspx can be found here: https://msdn.microsoft.com/en-au/library/ee895361.aspx