SAP Knowledge Base Article - Public

2327251 - How do I configure SSO in Roambi with Active Directory Federation Services (ADFS)?

Symptom

  • How do I configure SSO with Active Directory Federation Services (ADFS)?

Environment

  • Roambi Business
  • SSO/SAML
  • ADFS 2.0

Cause

  • To use the Roambi Business Single Sign-on (SSO) feature with Windows Active Directory Federation Services (ADFS), you will need to configure ADFS and Roambi Business together. You will need to have Administrator rights for your organization to perform these configuration steps.

Resolution

To configure SAML for Roambi Business with ADFS:

  1. Edit your web.config file in the /adfs/ls directory to disable Basic Authentication:

    <localAuthenticationTypes>
        <add name="Forms" page="FormsSignIn.aspx" />
        <add name="Integrated" page="auth/integrated/" /> 
        <add name="TlsClient" page="auth/sslclient/" /> 
        <!-- <add name="Basic" page="auth/basic/" /> --> 
    </localAuthenticationTypes>
  2. Log in to Roambi Business using your Administrator credentials, and go to the Administration panel.
  3. Enable SSO, if you have not already done so:
    1. Click the Single Sign-On tab.
    2. On the Single Sign-On screen, toggle the Enable Single Sign-On with SAML switch to ON, which will display additional SSO-related fields.
    3. In the Metadata field, click the Download File button to download the metadata for your organization.
  4. On your computer, start the AD FS 2.0 Management application.
    1. From the Action menu, select Add Relying Party Trust... to start the wizard.
    2. From the options on the right side of the Add Relying Party Trust wizard, choose the Import data about the relying party from a file option.
    3. Select the metadata file that you previously saved from Roambi Business and click Next.
    4. On the next screen, you will be prompted to enter a Display Name and Notes. Enter the appropriate information and click Next to go to the Choose Issuance Authorization Rules screen.
    5. On the Choose Issuance Authorization Rules screen, choose the Permit all users to access this relying party option.
    6. Click Next and follow the remaining prompts in the Wizard. The wizard will complete the creation of the relying party.
  5. Once the new relying party has been created, select the new party and click Edit Claim Rules...
    1. Click the Add Rule button to start the Add Rule wizard.
    2. From the Claim rule template menu, select Send LDAP Attributes as Claims.
    3. On the Edit Rule - email screen, set LDAP Attribute to E-Mail-Addresses and Outgoing Claim Type to E-Mail Address, and click OK.
    4. Add a second claim rule.
    5. For the Claim rule template, choose Transform an Incoming Claim.
    6. From the Outgoing claim type menu, select Name ID.
    7. From the Outgoing name ID format, select Email.
  6. Go to Certificate.
    1. Select the Token-signing certificate and double-click the certificate. A Certificate window opens.
    2. On the Certificate window, click the Details tab, and click Copy to File...
    3. Follow the Wizard prompts to export the file.
    4. On the Export File Format screen, choose Base-64 encoded X.509 (.CER) as the file format.
    5. Save the file.
  7. Return to the SSO page for the Roambi Business administration panel.
    1. In the Sign-In Page URL field, add the URL for the ADFS server, using the following format:

      https://[ADFS_Server]/adfs/ls/?

    2. For the Verification Certificate field, upload the ADFS Token-signing certificate file that you previously saved.
  8. Save your changes.

Note: For general ADFS troubleshooting tips, see the MSDN web site.
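
A quick way to confirm that step 1 took effect, as an added example (not part of the SAP article or of ADFS): the script parses a web.config and lists the authentication types still active under localAuthenticationTypes. The sample fragments and function names are constructed for illustration; pass the path of your own web.config as the first argument.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from step 1 wrapped in a root element.
HARDENED = """<configuration>
  <localAuthenticationTypes>
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="Integrated" page="auth/integrated/" />
    <add name="TlsClient" page="auth/sslclient/" />
    <!-- <add name="Basic" page="auth/basic/" /> -->
  </localAuthenticationTypes>
</configuration>"""

# Constructed sample: the same file with the Basic entry still active.
UNCHANGED = HARDENED.replace(
    '<!-- <add name="Basic" page="auth/basic/" /> -->',
    '<add name="Basic" page="auth/basic/" />')


def enabled_auth_types(config_xml):
    """Names of the active <add> entries, in file order (accepts str or bytes)."""
    # ElementTree's default parser drops XML comments, so an entry that has
    # been commented out never appears in the tree.
    root = ET.fromstring(config_xml)
    sections = list(root.iter("localAuthenticationTypes"))
    if not sections:
        # Fail closed: a file without the section cannot be confirmed as hardened.
        raise ValueError("no <localAuthenticationTypes> section found")
    return [add.get("name", "") for sec in sections for add in sec.findall("add")]


def basic_auth_disabled(config_xml):
    """True when no active entry is named Basic (case-insensitive)."""
    return all(n.strip().lower() != "basic" for n in enabled_auth_types(config_xml))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # bytes: the parser reads the encoding declaration
            data = fh.read()
    else:
        data = HARDENED
    print("active types:", enabled_auth_types(data))
    print("Basic disabled:", basic_auth_disabled(data))
    sys.exit(0 if basic_auth_disabled(data) else 1)
```

The script exits non-zero when a Basic entry is still active, so it can be used as a gate in a configuration check.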

 
 

Keywords

KBA , BI-ROM-CLD-SRC , Roambi Cloud Service , Problem

Product

SAP Roambi Cloud all versions