Setting up Single Sign On with ADFS

Single Sign-On is a convenient, yet secure way of authenticating a user. Most customers are already running an Identity Provider (IDP) that supports Single Sign-On through the SAML 2 protocol, e.g. Active Directory, OneLogin, or Okta.

In order to configure the Single Sign-On for Userlane, follow these steps below:

Setting up SSO with ADFS

Userlane can accept authentication via the SAML 2.0 Protocol. 

Of the many implementations of this protocol, Microsoft Active Directory Federation Services (ADFS) is one of the most widespread. In this scenario, an ADFS server acts as the Identity Provider (IDP) and Userlane as the Service Provider (SP).

1.1. Adding the Identity Provider (IDP) details to Userlane

To register your IDP with Userlane, the IT Admin needs to provide the following info about the company IDP to the SA:

  • Entry point/target URL that users will be redirected to for authentication

  • X509 Certificate/Signatures so that Userlane can securely validate authentication claims

This information is often contained in a Metadata XML file.  

Then, sign in to Userlane Portal > Settings > Single Sign-on and add the required information. 

various boxes to configure IDP

1.2. Adding Userlane as a Service Provider (SP) to your IDP

For the company’s IDP to accept authentication requests by Userlane, the IT Admin must first register Userlane as a Service Provider (SP).

ℹ️ The Userlane Service Provider Metadata differs for each customer. Your Userlane SA will provide you with a .xml file to import into your ADFS Server.
Registration steps:

1. Download the Metadata file onto your ADFS Server

2. Open the “AD FS Management” app
logo and button for AD FS Management

3. In the menu on the right, select “Add  Relying Party Trust”

add relying party trust action

4. Select “Claims aware”

welcome page of add relying party trust

5. Select the Metadata file you’ve downloaded or follow the instructions for manual setup below

import data about the relying party from file chosen

6. Specify any display name or description you like

add display name userlane

7. It is essential to configure which employees are targeted for Userlane.
In general, any employee who has access to the connected application that uses Userlane for enablement purposes should also have access to the Userlane app. However, we recommend that App Owner confirms the target group after consulting with SA to avoid any misunderstanding.

Note: Do not configure MFA (Multi-factor Authentication) as a requirement in order to make the sign-in easier and seamless for your users.

adding relying party option

8. Confirm in order to add the Trust and continue with configuring a claims issuance policy for your application

8.1. Select “Add Rule”

edit window to claim issuance policy for userlane

8.2. Userlane requires a “nameID” (please keep the exact letter-case form) in the Outgoing Claim Type. This will be the unique identifier on Userlane level and it is the only mandatory attribute required. This ID must be unique for each user and is not meant to be changed over time in order to keep historical information clean.

wizard view to claim rule

Additional user information required by App Owner for improved targeting is explained in the article Expanding the Settings

Save and apply the Claim Rule

Make sure to choose how often you want to repeat the SSO for already authenticated users. This assures that user attributes are kept up to date. For doing this: sign in to Userlane Portal > Settings > Browser Extension then in the dropdown SSO Refresh Interval choose one of the available options. Keep in mind that the shorter the interval, the higher the load on your IDP will be.

dropdown to set refresh interval for daily

Test the single sign-on implementation

To test the integration after the setup has been completed, open the following URL in a browser: or you can do it within the Portal:

Then, sign in to Userlane Portal > Settings > Single Sign-on and click the Test SSO button. 

button to test SSO configuration

The user will be redirected to the IDP. 

After successful authentication, the user will be redirected back to Userlane and the Browser Extension will be authenticated.

Users with given permission will be authenticated and end up on the overview page:

extension is installed view for Userlane

User Icon

Thank you! Your comment has been submitted for approval.