Steps taken to implement ADFS / SSO for PeopleHR (Implemented on Windows 2012 R2 Server, ADFS v3.0):
1. On the ADFS server, open the ADFS Management tool
2. Right click on Relying Party Trust and click ‘Add Relying Party Trust’
3. On the welcome screen, click 'Start'
4. Select the option for ‘Enter data about the relying party manually’ and click 'Next'
5. Enter a Display name and any notes you may want to add, then click 'Next'
6. Make sure ADFS profile is selected, then click 'Next'
7. Under the Configure Certificate section, add a certificate if required, otherwise just click 'Next' to continue
8. Under the section to Configure URL, tick the option to ‘Enable support for the SAML 2.0 WebSSO protocol'
9. For the Relying party SAML 2.0 SSO service URL, enter: https://<tenancyid>.peoplehr.net/Pages/Saml/Consume.aspx (Make sure you enter the correct tenancy id; it should match the link you use to access your company-specific PeopleHR portal)
10. Click 'Next' to configure the identifiers
11. For the Relying party trust identifier, enter test-app-peopleweb and click on the 'Add' button
12. Click 'Next'
13. Ensure ‘I do not want to configure multi-factor authentication settings for this relying party trust at this time’ is selected and click 'Next'
14. Under Choose Issuance Authorisation Rules, ensure ‘Permit all users to access this relying party’ is selected, and click 'Next'
15. Under Ready to Add Trust, click 'Next' and then 'Finish' to complete the initial setup.
16. Under Relying Party Trusts, right click on the PeopleHR Relying Trust that was just created, and click 'Edit Claim Rules'
17. Under the Issuance Transform Rules, click 'Add Rule'
18. For Claim rule template, select ‘Send claims Using a Custom Rule’ and click 'Next'
19. Enter a Claim Rule name, then paste the following into the field for Custom Rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");
20. Click 'Ok' to finish adding the rule
21. The ADFS configuration is now finished; close the ADFS Management console
22. Download the metadata.xml file from the following link: https://sts.YOURSERVER.com/FederationMetadata/2007-06/FederationMetadata.xml
23. Log into the PeopleHR portal using an account that has Full Admin access
24. Navigate to 'Settings' > 'Company' and under Upload ‘Single Sign On’ SAML meta-data file, click on 'browse' and upload the metadata.xml file downloaded earlier
Single Sign On should now be working.
Customer Services Team
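Added example, not part of the original article or PeopleHR's own tooling: a scripted equivalent of steps 1 to 20 using the ADFS PowerShell cmdlets, followed by a read-back of the trust so the endpoint and rules can be reviewed. The trust name, the rule names, the POST binding and the tenancy id format check are assumptions; the identifier, URL pattern and claim rule are the ones given in the steps above.

```powershell
# Run in an elevated PowerShell session on the ADFS server (Windows Server 2012 R2, ADFS 3.0).
# Assumed values: replace the placeholder tenancy id; the trust name is an example.
$TenancyId  = '<tenancyid>'
$TrustName  = 'PeopleHR'
$Identifier = 'test-app-peopleweb'

# Refuse to continue with the placeholder or a malformed id, so that assertions
# are never sent to an unintended host name (format check is an assumption).
if ($TenancyId -notmatch '^[A-Za-z0-9-]+$') {
    throw "Set `$TenancyId to your PeopleHR tenancy id before running."
}
$AcsUrl = "https://${TenancyId}.peoplehr.net/Pages/Saml/Consume.aspx"

# Steps 8-9: SAML 2.0 WebSSO assertion consumer endpoint (POST binding assumed).
$endpoint = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $AcsUrl

# Step 19: the custom rule from the article (UPN issued as NameID, format unspecified).
$transformRules = @'
@RuleName = "UPN to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");
'@

# Step 14: "Permit all users to access this relying party".
$authRules = @'
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 2-15: create the relying party trust.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $Identifier `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Read the trust back and review it before uploading the metadata to PeopleHR.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$trust | Select-Object Name, Identifier, Enabled | Format-List
$trust.SamlEndpoints | Select-Object Protocol, Binding, Location | Format-Table -AutoSize
$trust.IssuanceTransformRules
$trust.IssuanceAuthorizationRules
```

The endpoint Location in the read-back should show your own tenancy host name over https, and the authorization rules should contain only the permit-all rule unless you intend to restrict access to a group.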