Using AD FS to Configure SSO for KCM GRC
This article provides instructions for setting up Active Directory Federation Services (AD FS) on Server 2012 R2 (AD FS 3.0) to connect with your KCM GRC platform via SAML. After you've completed this configuration, your users will be able to quickly and easily sign in to their accounts.
You must be an account administrator to set up SSO for your KCM GRC platform. As a safeguard, account administrators will retain the ability to log in to KCM GRC with their password.
Follow the sections in this article to configure your SAML connection.
Add SAML Metadata to KCM GRC
First, you will need to gather your SAML metadata from your AD FS management console and add it to your KCM GRC account. Follow the steps below.
- From your AD FS management console, expand the Service folder. Then, select the Endpoints folder, as shown below.
- Under the URL Path column, copy the Federation Metadata URL path. This path is only a portion of the full metadata XML URL that you will add in your KCM GRC account's Account Settings area. The full URL will look similar to this:
https://ADFSserver.example_domain.com/FederationMetadata/2007-06/FederationMetadata.xml
  - Where ADFSserver.example_domain.com is the fully qualified domain name (FQDN) of your AD FS server.
  - And /FederationMetadata/2007-06/FederationMetadata.xml is the URL path that you copied from the Endpoints folder in your AD FS management console.
- In your KCM GRC account, click Settings > Account Settings. Then, click the SSO Settings tab.
- Under the SSO Provider Config area, paste the full metadata XML URL (described above) into the Remote Metadata XML field and click the Import button, as shown below.
- Click the SSO Enabled toggle.
- From the SSO Provider drop-down menu, select Active Directory Federation Services (ADFS).
- Scroll to the bottom of the page and click Save.
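As an added example (not part of the original article), the following PowerShell, run in an elevated session on the AD FS server, derives the same Federation Metadata URL from the endpoint list and fetches it to confirm that it parses as IdP metadata and carries a token-signing certificate. It assumes the ADFS PowerShell module is installed (it is on an AD FS 3.0 server) and that the metadata endpoint is enabled; the resulting `$metadataUrl` is the value you paste into the Remote Metadata XML field.

```powershell
# Added example: derive and sanity-check the Federation Metadata URL on the AD FS server.
# Requires the ADFS module and an elevated session (PowerShell 4.0 on Server 2012 R2 is enough).
Import-Module ADFS

# Same entry the article has you copy from Service > Endpoints in the console.
$metadataEndpoint = Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq 'Federation Metadata' } |
    Select-Object -First 1
if (-not $metadataEndpoint -or -not $metadataEndpoint.Enabled) {
    throw 'Federation Metadata endpoint is missing or disabled; KCM GRC cannot import it.'
}

# Federation service FQDN (for example ADFSserver.example_domain.com) plus the URL path
# gives the full value for the Remote Metadata XML field ($metadataEndpoint.FullUrl holds the same).
$fqdn        = (Get-AdfsProperties).HostName
$metadataUrl = 'https://{0}{1}' -f $fqdn, $metadataEndpoint.AddressPath
Write-Host "Remote Metadata XML URL: $metadataUrl"

# Fetch and parse the document as a relying party would. PowerShell's XML adapter
# resolves child elements by local name, so namespace prefixes can be omitted.
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
Write-Host "AD FS entityID: $($metadata.EntityDescriptor.entityID)"

# KCM GRC needs the IdP role and its token-signing certificate to validate SAML responses.
$idp = $metadata.EntityDescriptor.IDPSSODescriptor
if (-not $idp) { throw 'Metadata has no IDPSSODescriptor; this is not an IdP metadata document.' }

# More than one signing key is normal during a certificate rollover, so check every one.
$signingKeys = @($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' })
if ($signingKeys.Count -eq 0) { throw 'No signing KeyDescriptor in metadata.' }

foreach ($key in $signingKeys) {
    # New-Object unrolls arrays into separate arguments, so wrap the byte[] in a one-element array.
    $bytes = [Convert]::FromBase64String($key.KeyInfo.X509Data.X509Certificate)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    Write-Host "Token-signing certificate: $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning 'Token-signing certificate expires within 30 days; re-import the metadata in KCM GRC after the rollover.'
    }
}
```

The Import button fetches the URL from the KCM GRC side, not from your browser, so the metadata endpoint must be reachable from outside your network (for example through a Web Application Proxy); a URL that works on the AD FS server itself can still fail to import. Because KCM GRC trusts the signing certificate it imported, plan to re-import the metadata whenever the AD FS token-signing certificate rolls over.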
Next, you'll need to add KCM GRC to your AD FS management console. See the following sections for details.
Configure Relying Party Trust in AD FS
Now, you can add KCM GRC to your AD FS management console. Follow the steps below.
- In your AD FS management console, expand the Trust Relationships folder. Then, right-click Relying Party Trusts and select Add Relying Party Trust..., as shown below.
- On the Welcome screen of the Add Relying Party Trust Wizard, click Start.
- On the Select Data Source screen, select Import data about the relying party published online or on a local network.
- For this step, you'll need to copy the Entity ID URL from your KCM GRC SSO Settings tab under the Account Settings area.
- Then, in your AD FS management console, paste the Entity ID URL into the Federation metadata address (host name or URL) field.
- Click Next.
- On the Specify Display Name screen, in the Display Name field, enter a display name such as "KCM GRC Platform". Then, click Next.
- On the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party. Then, click Next.
- On the Ready to Add Trust screen, click Next.
- On the Finish screen, make sure the Open the Edit Claim Rules... checkbox is selected and click Close.
Now, see the next section to learn how to add two transform claim rules to your AD FS management console.
Add Transform Claim Rules to AD FS
Follow the steps below to add two transform claim rules to your AD FS management console.
- On the Edit Claim Rules for [Display Name] screen, click the Add Rule... button.
- On the Select Rule Template screen, from the Claim rule template drop-down menu, select Send LDAP Attributes as Claims. Then, click Next.
- On the Configure Rule screen, in the Claim rule name field, add a name such as "Email". Then, make the selections that are outlined below.
- From the Attribute store drop-down menu, select Active Directory.
- From the Mapping of LDAP attributes to outgoing claim types area, select E-Mail-Addresses from the LDAP Attribute drop-down menu.
- From the Mapping of LDAP attributes to outgoing claim types area, select E-Mail Address from the Outgoing Claim Type drop-down menu.
- Click the Finish button.
- When you're back on the Edit Claim Rules for [Display Name] window, click the Add Rule... button to create your second rule.
- On the Select Rule Template screen, from the Claim rule template drop-down menu, select Transform an Incoming Claim. Then, click Next.
- On the Configure Rule screen, in the Claim rule name field, add a name such as "Transform". Then, make the selections that are outlined below.
- From the Incoming claim type drop-down menu, select E-Mail Address.
- From the Outgoing claim type drop-down menu, select Name ID.
- From the Outgoing name ID format drop-down menu, select Email.
- Select Pass through all claim values.
- Click the Finish button.
- Click OK to exit the Edit Claim Rules for [Display Name] window.
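The relying party trust and the two claim rules from the sections above can also be created from PowerShell, which is the easiest way to review exactly what the wizard produced. This is an added example, not part of the original article or KnowBe4's own code; the claim rule text is what the Send LDAP Attributes as Claims and Transform an Incoming Claim templates generate for the selections described. It assumes the ADFS module is available in an elevated session on the AD FS server and that `$kcmEntityId` holds the Entity ID URL copied from the SSO Settings tab (a placeholder below).

```powershell
# Added example: create the KCM GRC relying party trust and its two transform rules from PowerShell.
# Run in an elevated session on the AD FS server.
Import-Module ADFS

# Placeholder: replace with the Entity ID URL from KCM GRC > Settings > Account Settings > SSO Settings.
$kcmEntityId = 'https://<kcm-grc-entity-id-url>'
$displayName = 'KCM GRC Platform'

# Rule 1 ("Email"): Send LDAP Attributes as Claims, Active Directory store,
# LDAP attribute E-Mail-Addresses (the AD "mail" attribute) -> outgoing claim type E-Mail Address.
$emailRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Rule 2 ("Transform"): Transform an Incoming Claim, E-Mail Address -> Name ID,
# outgoing name ID format Email, pass through all claim values.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: "Permit all users to access this relying party".
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-AdfsRelyingPartyTrust -Name $displayName) {
    throw "A relying party trust named '$displayName' already exists; change it with Set-AdfsRelyingPartyTrust instead."
}

# -MetadataUrl is the wizard's "Import data about the relying party published online":
# identifier and SAML endpoints are read from the metadata KCM GRC serves at its Entity ID URL.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataUrl $kcmEntityId `
    -IssuanceTransformRules ($emailRule + "`r`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $permitAll `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Review what was created; the rules should read exactly as the two wizard steps describe.
$trust = Get-AdfsRelyingPartyTrust -Name $displayName
$trust | Select-Object Name, Identifier, MonitoringEnabled, AutoUpdateEnabled
$trust.SamlEndpoints | Select-Object Protocol, Binding, Location
Write-Host '--- Issuance transform rules ---'
$trust.IssuanceTransformRules
Write-Host '--- Issuance authorization rules ---'
$trust.IssuanceAuthorizationRules
```

Two things to check before testing sign-in: the first rule reads the user's AD `mail` attribute, so an account with an empty `mail` attribute receives no E-Mail Address claim, gets no Name ID from the second rule, and cannot sign in; and the "Permit all users" authorization rule means every AD user who can authenticate to AD FS is issued a token for KCM GRC, which you can narrow later by replacing `$permitAll` with a rule keyed on a group claim if only some users should reach the platform.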
Now that you've completed your SAML configuration, you'll want to test it to ensure it's working properly. See the Test SSO Integration section of our How to Set up SAML/SSO for KCM GRC article for more information.