SSO/SAML

How Do I Configure SSO/SAML for KCM GRC with Active Directory Federation Services (AD FS)?

This article provides instructions for setting up Active Directory Federation Services (AD FS) on Server 2012 R2 (AD FS 3.0) to connect with your KCM GRC platform via SAML. After you've completed this configuration, your users will be able to quickly and easily sign in to their accounts. 

You must be an account administrator to set up SSO for your KCM GRC platform. As a safeguard, account administrators will retain the ability to log in to KCM GRC with their password.

Important: After you configure SAML for your KCM GRC account, users must log in with your organization's internal authentication system. For new accounts, users will still be required to activate their account. To learn more about activating new accounts, see our How to Activate and Access Your KCM GRC Account with SSO/SAML article.
Note: Because they are external user roles, Auditor and Vendor users cannot log in to KCM GRC by using single sign-on. As an alternative option for authentication security, you can make multi-factor authentication mandatory for these accounts. For more information, see our How to Enable and Configure Multi-Factor Authentication article.

Follow the sections in this article to configure your SAML connection.

Add SAML Metadata to KCM GRC

First, gather your SAML metadata from your AD FS management console and add it to your KCM GRC account.

  1. From your AD FS management console, expand the Service folder. Then, select the Endpoints folder, as shown below.
  2. Under the URL Path column, copy the Federation Metadata URL. This URL path is only a portion of the full metadata XML file path that you will add to your KCM account's Account Settings area. The full path to the metadata XML will look similar to this: https://ADFSserver.example_domain.com/FederationMetadata/2007-06/FederationMetadata.xml, where ADFSserver.example_domain.com is the fully qualified domain name (FQDN) of your AD FS server and /FederationMetadata/2007-06/FederationMetadata.xml is the URL path that you copied from the Endpoints folder in your AD FS management console.
  3. In your KCM GRC account, click Settings > Account Settings. Then, click the SSO Settings tab.
  4. Under the SSO Provider Config area, paste the full XML file path into the Remote Metadata XML field and click the Import button, as shown below.
  5. Click the SSO Enabled toggle.
  6. From the SSO Provider drop-down menu, select Active Directory Federation Services (ADFS).
  7. Scroll to the bottom of the page and click Save.

Next, you'll need to add KCM GRC to your AD FS management console. See the following sections for details.

Configure Relying Party Trust in AD FS

Now, you can add KCM GRC to your AD FS management console. Follow the steps below.

Tip: Remain logged in to your KCM GRC account. You will need information from the SSO Settings tab under Account Settings (Settings > Account Settings > SSO Settings) to complete the following steps.
  1. In your AD FS management console, expand the Trust Relationships folder. Then, right-click Relying Party Trust and select Add Relying Party Trust..., as shown below.
  2. On the Welcome screen of the Add Relying Party Trust Wizard, click Start.
  3. On the Select Data Source screen, select Import data about the relying party published online or on a local network.
    1. Copy the Entity ID URL from the SSO Settings tab of your KCM GRC account (Settings > Account Settings > SSO Settings). Then, in your AD FS management console, paste the Entity ID URL into the Federation metadata address (host name or URL) field.
    2. Click Next.
  4. On the Specify Display Name screen, in the Display Name field, enter a display name such as "KCM GRC Platform". Then, click Next.
  5. On the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party. Then, click Next.
  6. On the Ready to Add Trust screen, click Next.
  7. On the Finish screen, make sure the Open the Edit Claim Rules... checkbox is selected and click Close.

Now, see the next section to learn how to add two transform claim rules to your AD FS management console.

Add Transform Claim Rules to AD FS

Follow the steps below to add two transform claim rules to your AD FS management console.

  1. On the Edit Claim Rules for [Display Name] screen, click the Add Rule... button.
  2. On the Select Rule Template screen, from the Claim rule template drop-down menu, select Send LDAP Attributes as Claims. Then, click Next.
  3. On the Configure Rule screen, in the Claim rule name field, add a name such as "Email". Then, make the selections that are outlined below.
    1. From the Attribute store drop-down menu, select Active Directory.
    2. From the Mapping of LDAP attributes to outgoing claim types area, select E-Mail-Addresses from the LDAP Attribute drop-down menu.
    3. From the Mapping of LDAP attributes to outgoing claim types area, select E-Mail Addresses from the Outgoing Claim Type drop-down menu.
    4. Click the Finish button.
  4. When you're back on the Edit Claim Rules for [Display Name] window, click the Add Rule... button to create your second rule.
  5. On the Select Rule Template screen, from the Claim rule template drop-down menu, select Transform an Incoming Claim. Then, click Next.
  6. On the Configure Rule screen, in the Claim rule name field, add a name such as "Transform". Then, make the selections that are outlined below.
    1. From the Incoming claim type drop-down menu, select E-Mail Address.
    2. From the Outgoing claim type drop-down menu, select Name ID.
    3. From the Outgoing name ID format drop-down menu, select Email.
    4. Select Pass through all claim values.
    5. Click the Finish button.
  7. Click OK to exit the Edit Claim Rules for [Display Name] window.
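As an added example (not from this article and not KCM GRC's own code), the same AD FS-side setup done with the ADFS PowerShell module instead of the wizard: rebuild the Federation Metadata URL from the first section, create the relying party trust from the KCM GRC Entity ID, and attach the two claim rules. The Entity ID value and the display name are placeholders; the metadata endpoint path is assumed to be the default one listed in the Endpoints folder.

```powershell
# Added example: run on the AD FS server in an elevated PowerShell session.
Import-Module ADFS

# "Add SAML Metadata" step 2: build the full Federation Metadata URL that is
# pasted into the Remote Metadata XML field in KCM GRC.
$fqdn = (Get-AdfsProperties).HostName
$endpoint = Get-AdfsEndpoint -AddressPath '/FederationMetadata/2007-06/FederationMetadata.xml'
if (-not $endpoint -or -not $endpoint.Enabled) { throw 'Federation Metadata endpoint is missing or disabled' }
$metadataUrl = "https://$fqdn$($endpoint.AddressPath)"
Write-Host "Remote Metadata XML for KCM GRC: $metadataUrl"

# Placeholder: the Entity ID URL shown on the KCM GRC SSO Settings tab.
$kcmEntityId = 'https://<your-kcm-grc-entity-id>'
$displayName = 'KCM GRC Platform'

# "Configure Relying Party Trust": import the relying party data published
# online, exactly as the wizard's "Import data ... published online" option does.
Add-AdfsRelyingPartyTrust -Name $displayName -MetadataUrl $kcmEntityId

# "Add Transform Claim Rules", in AD FS claim rule language:
# Rule 1 "Email": Send LDAP Attributes as Claims, AD attribute mail -> E-Mail Address.
# Rule 2 "Transform": Transform an Incoming Claim, E-Mail Address -> Name ID, format Email.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $displayName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the trust exists and carries exactly the two transform rules above.
$rpt = Get-AdfsRelyingPartyTrust -Name $displayName
$ruleCount = ([regex]::Matches($rpt.IssuanceTransformRules, '@RuleName')).Count
if ($ruleCount -ne 2) { throw "Expected 2 issuance transform rules, found $ruleCount" }
Write-Host "Trust '$displayName' created; identifiers: $($rpt.Identifier -join ', ')"
```

Opening the trust in the AD FS management console afterwards shows the same two rules the wizard steps produce, so either path can be used to confirm the configuration before testing the sign-in.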

Now that you've completed your SAML configuration, you'll want to test it to ensure it's working properly. See the Test SSO Integration section of our How to Set up SAML/SSO for KCM GRC article for more information.
