SAML 2.0 integration for Microsoft ADFS

This documentation provides the information Agendize requires to enable single sign-on (SSO) for your users into the Agendize backoffice, based on the SAML 2.0 protocol, using their credentials in Microsoft Active Directory Federation Services (ADFS).


Contact us if you are interested in setting up SAML on Agendize for your business.


Note: the login of each of your users should always be an email address.

Overview

Here are the basic steps involved in the authorization workflow:

  1. The user tries to access the Agendize backoffice
  2. The user's web browser receives a redirect to your authentication server (ADFS)
  3. The user provides his/her credentials to log into your server
  4. Your server generates a SAML authentication response for the user login (including group memberships and the related roles in the Agendize backoffice)
  5. The user's web browser transfers the response back to Agendize
  6. The Agendize backoffice sets the user in the proper context, matching his/her role and privileges

Requirements for SSO integration

1. Collect IdP (Identity Provider) data on Microsoft ADFS

Parameters

The following information should be provided for setup:

Convert Token-Signing certificate to PEM

The ADFS token-signing certificate (exported in DER format as certificate.cer) has to be converted to PEM format:

openssl x509 -inform DER -in certificate.cer -out certificate.pem -text


2. Configure SAML authentication on your Active Directory server

The following metadata file is provided beforehand to configure the SSO service on your side. It should be declared on your Microsoft ADFS server:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT604800S" entityID="saml:agendize" ID="SP_a1107b59-5553-4028-82f3-b1c57356de4c">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://app.agendize.com/sso-login?method=logout&amp;provider=SAMLYOURCOMPANY"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.agendize.com/sso-login?method=login&amp;provider=SAMLYOURCOMPANY" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>


Note: a callback URL will be assigned to your company to receive SAML responses back from your server. The callback URL has the following pattern: https://app.agendize.com/apps.YOURCOMPANY/callback.jsp

3. Match ADFS data schema with SAML 2.0 user properties and groups

User information

Here are the names of the user properties expected in your SAML responses:

Matching your data schema to these property names is configured on your ADFS server (see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization).

Assign your users to specific groups depending on their role in Agendize backoffice

Here are the group IDs that can be assigned to your users, depending on the privileges they need on the Agendize platform:

Group ID                            Description
ACCOUNT_ADMINISTRATOR               Account administrator
ACCOUNT_ANALYTICS                   Account statistics manager
ACCOUNT_BILLING                     Account billing manager
ACCOUNT_BUTTONS                     Account buttons manager
ACCOUNT_SCHEDULING_ADMINISTRATOR    Scheduling administrator
ACCOUNT_SCHEDULING_READER           Scheduling viewer
ACCOUNT_SCHEDULING_SCHEDULDER       Scheduling manager
CALLS                               Calls manager
CRM                                 CRM manager
EMAILS                              Email marketing manager
FORMS                               Forms manager
QUEUE                               Queue manager
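As an added example (not part of this documentation or of Agendize's own code), the Python below shows the checks a service provider applies to the SAML response from step 4 of the overview before mapping the user to the groups above: the Destination must equal the AssertionConsumerService URL and the Audience the entityID from the metadata in section 2, the assertion must be inside its validity window, the NameID must be an email address, and only the group IDs listed in section 3 are kept. It assumes ADFS sends group membership under the claim type http://schemas.xmlsoap.org/claims/Group (this page does not name the attribute) and uses a constructed, unsigned sample response; signature verification with the PEM certificate from step 1 is left out and must run before any claim is trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values taken from the SP metadata in section 2
ACS_URL = "https://app.agendize.com/sso-login?method=login&provider=SAMLYOURCOMPANY"
SP_ENTITY_ID = "saml:agendize"
# Group IDs from the table in section 3; any other group value is ignored
KNOWN_GROUPS = {"ACCOUNT_ADMINISTRATOR", "ACCOUNT_ANALYTICS", "ACCOUNT_BILLING", "ACCOUNT_BUTTONS",
                "ACCOUNT_SCHEDULING_ADMINISTRATOR", "ACCOUNT_SCHEDULING_READER",
                "ACCOUNT_SCHEDULING_SCHEDULDER", "CALLS", "CRM", "EMAILS", "FORMS", "QUEUE"}
# ASSUMPTION: claim type ADFS uses for group membership; this page does not name it
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"
def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now):
    """Return the login and the known Agendize groups, or raise ValueError. Signature
    verification with the PEM token-signing certificate (step 1) is out of scope here."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match the AssertionConsumerService URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("response carries no Assertion")
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion is not addressed to saml:agendize")
    login = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if "@" not in login:
        raise ValueError("login must be an email address")
    groups = []
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:
            groups += [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"login": login, "groups": sorted(set(groups) & KNOWN_GROUPS)}
# Constructed sample response (unsigned, illustration only) and a clock inside its window
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 Destination="{ACS_URL.replace('&', '&amp;')}"><saml:Assertion><saml:Subject>
 <saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
 <saml:AudienceRestriction><saml:Audience>saml:agendize</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="{GROUP_ATTR}">
 <saml:AttributeValue>ACCOUNT_BILLING</saml:AttributeValue>
 <saml:AttributeValue>Domain Users</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_NOW = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)
```

Calling check_response(SAMPLE, SAMPLE_NOW) returns the login alice@example.com with the single known group ACCOUNT_BILLING; the unlisted "Domain Users" value is dropped.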