You'll learn how to configure SSO on your CHEQROOM account using ADFS:
Enable ADFS integration
- Log in to your CHEQROOM account
- Go to Settings
- Go to Integrations
- Find the SSO ADFS integration and click Configure
- Choose a Default user role. This role is assigned to any user who logs in through ADFS SSO but has no assigned role. We recommend a role with few permissions (for example the Equipment Viewer role).
- Fill in the Domains field. By default, the domain of your email address is already added. If you have multiple email domains (for example firstname.lastname@example.org and email@example.com), you need to add both domains.
- Click Next to proceed to the ADFS setup.
Part 1: Add a Relying Party Trust
Go to AD FS Management and in the left navigation pane, click Add Relying Party Trust...
On the 'Welcome' page, click Start
Select Enter data about the relying party manually, then click Next
Enter a display name (like "CHEQROOM") and any optional notes, then click Next
Select AD FS profile as the configuration profile, then click Next
Click Next on the 'Configure Certificate' page
For the 'Configure URL' page, check Enable support for the SAML 2.0 WebSSO protocol and copy and paste the value from the ADFS Integration settings page, then click Next
For the 'Configure Identifiers' page, copy and paste the value from the ADFS Integration settings page, then click Add and afterwards Next
On the 'Configure Multi-factor Authentication Now?' page, select I do not want to configure multi-factor authentication settings for this relying party trust at this time, then click Next
On the 'Choose Issuance Authorization Rules' page, select Permit all users to access this relying party, and click Next
On the 'Ready to Add Trust' page, click Next
On the final screen, check Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, then click Close
In the 'Edit Claim Rules for CHEQROOM' dialog, go to the Issuance Transform Rules tab and then click Add Rule...
From within the Add Transform Claim Rule Wizard, select Send LDAP Attributes as Claims rule template in the dropdown and then click Next
Give your claim rule a name (like "CHEQROOM Claims"), select Active Directory from the attribute store dropdown and map the following fields:
- LDAP attribute E-Mail-Addresses to outgoing claim type E-Mail Address
- LDAP attribute User-Principal-Name to outgoing claim type Name ID
Click Finish to add the claim rule.
Part 2: Add Metadata URL
After you have completed these steps, go back to the ADFS Integration page and enter your ADFS Federation Metadata URL (like "https://YOUR_DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml"), then click Enable SSO.
You should now have a working ADFS SSO implementation for CHEQROOM.
To make sure SSO is working properly, perform these steps:
- Log out and close CHEQROOM browser sessions you have open
- Go to https://app.cheqroom.com/sso
- Enter your email address
- You should now be redirected to your ADFS login page
- Enter your credentials
After entering your credentials, you should be redirected and logged in to CHEQROOM.
You can find an overview of the roles you can configure on the ADFS Integration settings page, in the Configure roles step.
Assigning Super Admin role
Go to AD FS Management, expand Trust Relationships and select Relying Party Trusts, then select the Relying Party Trust we've created previously for CHEQROOM and click Edit Claim Rules... in the left navigation pane.
Click Add Rule...
On the Choose Rule Type page, select Send Group Membership as a Claim and click Next
Enter a rule name that describes the role rule you are configuring (like "Super Admin Role"), click Browse... to select the user group that should receive the Super Admin role (like "CHEQROOM_SUPER_ADMINS") and click OK.
Select Role as outgoing claim type
For the outgoing claim value, copy and paste the Super Admin value from the ADFS Integration settings page and then click Finish
If you now log in with a user that is a member of the CHEQROOM_SUPER_ADMINS group, they will be assigned the Super Admin role.
If you want to configure another role assignment, follow the same steps as above for the Super Admin role.
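To review the result of the steps above, the following read-only PowerShell script lists the trust settings and shows which AD groups are mapped to which role claim values, with their members. It is an added example, not part of CHEQROOM's own documentation; it assumes the trust display name is "CHEQROOM" (the example name used above), that the role rules were created with the Send Group Membership as a Claim template, and that the ADFS and ActiveDirectory PowerShell modules are available on the AD FS server.

```powershell
# Added example: read-only review of the CHEQROOM relying party trust.
# Assumptions: trust display name is "CHEQROOM"; run on the AD FS server
# with the ADFS and ActiveDirectory modules installed.
Import-Module ADFS, ActiveDirectory

$rp = Get-AdfsRelyingPartyTrust -Name 'CHEQROOM'
if (-not $rp) { throw 'No relying party trust named CHEQROOM was found.' }

# Identifier and SAML endpoint should match the values shown on the
# ADFS Integration settings page.
$rp | Format-List Name, Enabled, Identifier
$rp.SamlEndpoints | Format-Table Protocol, Binding, Location -AutoSize

# Authorization rules: the wizard choice "Permit all users" means every
# directory user can sign in and receives at least the Default user role.
$rp.IssuanceAuthorizationRules

# Confirm the two claims mapped in Part 1 are issued.
$rulesText = $rp.IssuanceTransformRules
foreach ($claim in 'claims/emailaddress', 'claims/nameidentifier') {
    if ($rulesText -notmatch [regex]::Escape($claim)) {
        Write-Warning "No issuance rule emits $claim"
    }
}

# Find every "group SID -> Role claim value" rule produced by the
# Send Group Membership as a Claim template.
$pattern = 'claims/groupsid",\s*Value\s*==\s*"(?<sid>S-[\d-]+)"[^;]*?=>\s*' +
           'issue\(Type\s*=\s*"[^"]*claims/role",\s*Value\s*=\s*"(?<role>[^"]*)"'
$hits = [regex]::Matches($rulesText, $pattern)
if ($hits.Count -eq 0) { Write-Warning 'No group-to-role rules found.' }

# For each mapping, resolve the group and list who inherits the role,
# including members of nested groups.
foreach ($hit in $hits) {
    $sid     = $hit.Groups['sid'].Value
    $group   = Get-ADGroup -Identity $sid
    $members = Get-ADGroupMember -Identity $sid -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    [pscustomobject]@{
        RoleClaimValue = $hit.Groups['role'].Value
        Group          = $group.Name
        MemberCount    = @($members).Count
        Members        = (@($members).SamAccountName | Sort-Object) -join ', '
    }
}
```

Compare the RoleClaimValue column with the values on the Configure roles step, and review the member list of any group mapped to Super Admin.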