Enable Active Directory Federated Service Integration (SSO)
Everhour provides an easy-to-use integration with Active Directory Federated Service (AD FS) to support SSO for you or everyone in your team.
- SSO using AD FS is available on our Team Plan
- Team owner or admin will need to first enable SSO
- An AD FS Admin account
Acquire Your X.509 Certificate
1. Log in to the AD FS 2.0 server and open the Management Console.
2. Right-click Service and choose Edit Federation Service Properties....
3. Confirm that the General settings match your DNS entries and certificate names.
4. Browse the certificates and export the Token-Signing certificate.
4.1. Right-click the certificate and select View Certificate.
4.2. Select the Details tab.
4.3. Click Copy to File.... The Certificate Export Wizard launches.
4.4. Select Next.
4.5. Ensure No, do not export the private key is selected, and then click Next.
4.6. Select Base-64 encoded X.509 (.CER), and then click Next.
4.7. Select where you want to save the file and give it a name. Click Next.
4.8. Select Finish.
5. Locate the .CER file you just saved, right-click on it and select Open with..., then open it in a plain-text editor so you can copy its contents.
6. You will use this text to complete the SAML setup in the Everhour admin settings.
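The same export can be scripted, which is handy when the certificate rolls over and the text in Everhour must be replaced. The following is an added example, not part of the Everhour article, and assumes the ADFS PowerShell module on Windows Server 2012 R2 or later (on AD FS 2.0, load the snap-in with Add-PSSnapin Microsoft.Adfs.PowerShell first); the output path is an assumption. It writes the primary token-signing certificate as Base-64 .CER without the private key and then verifies the exported file matches the live certificate.

```powershell
# Added example (not from the Everhour article): export the primary AD FS token-signing
# certificate as a Base-64 .CER file, public part only, and verify the result.
# Assumption: ADFS module (Windows Server 2012 R2+). Output path is an assumption.
$outFile = "$env:USERPROFILE\Desktop\adfs-token-signing.cer"

# Only the primary token-signing certificate signs the assertions Everhour will verify.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $signing) { throw "No primary token-signing certificate found." }
$cert = $signing.Certificate   # X509Certificate2

# Export with content type 'Cert' yields the DER-encoded public certificate only;
# this is the scripted equivalent of "No, do not export the private key".
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Check 1: the file round-trips to the same thumbprint as the live token-signing certificate.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
if ($check.Thumbprint -ne $cert.Thumbprint) { throw "Thumbprint mismatch after export." }

# Check 2: warn when the certificate is near expiry. AD FS auto-rollover replaces it and
# Everhour will reject assertions signed by the new key until the text is updated there too.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
Write-Host "Exported $outFile (thumbprint $($cert.Thumbprint), expires in $daysLeft days)"
if ($daysLeft -lt 30) { Write-Warning "Token-signing certificate expires in under 30 days." }
```

Paste the contents of the resulting file into the X.509 certificate field in Everhour; the thumbprint printed above is a convenient way to confirm later which certificate Everhour currently trusts.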
Configure your AD FS Relying Party Configuration
1. Open the AD FS 2.0 Management console.
2. In the folder directory on the left, select Relying Party Trusts.
3. Select Add Relying Party Trust... from the top right corner of the window.
The add wizard appears.
4. Click Start to begin.
5. Select Enter Data about the relying party manually.
6. Give it a display name such as Everhour and enter any notes you want, then click Next.
7. Select AD FS Profile. The description will mention the SAML 2.0 protocol.
8. Do not select a token encryption certificate on the Configure Certificate step, just click Next.
9. Do not enable any settings on the Configure URL step.
10. Enter https://app.everhour.com as the Relying Party trust identifier and click Add.
11. Select that you do not want to configure multi-factor authentication.
12. Permit all users to access this relying party.
13. Do not make any changes on the Ready to Add Trust step, just click Next.
14. Clear the check box before you Close this page.
Add Endpoints to your Relying Party Trust
1. Right-click on the Relying Party Trusts and select Properties.
2. Locate the Endpoints tab and click Add SAML.
3. Add a SAML Assertion Consumer with a POST binding and a URL of https://app.everhour.com/-/saml/consume
Find Your Login-URL
1. Open the “Endpoints” folder.
2. Look for the endpoint with Type = SAML 2.0/WS-Federation.
3. The Sign-in page URL will be “https://<Your Domain>/<Endpoint URL Path>”, for example: https://adfs.mybiz.com/adfs/ls/
4. Make a note of this somewhere; you will need it for the SSO settings in Everhour.
AD FS Relying Party Claim Rules
NOTE: Users in the AD FS LDAP directory must have an email address in the E-Mail-Addresses attribute. A user ID or user name that happens to look like an email address will not work.
Edit the claim rules to enable proper communication with Everhour.
1. Right-click on the Relying Party Trust and select Edit Claim Rules....
2. On the Issuance Transform Rules tab, select Add Rule....
3. Select Send LDAP Attribute as Claims as the claim rule template to use.
4. Give the Claim a name such as Get LDAP Attributes. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address, then click Finish.
5. Back on the Issuance Transform Rules, click Add Rule... to add a second rule.
6. Select Transform an Incoming Claim as the claim rule template to use.
7. Give it a name such as Email to Name ID. Incoming claim type should be E-mail Address. The Outgoing claim type is Name ID and the Outgoing name ID format is Email. Pass through all claim values and click OK.
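For teams that manage AD FS from PowerShell, the relying party trust, the SAML endpoint and the two claim rules from the sections above can be created in one script. This is an added example, not part of the Everhour article or of Everhour's own tooling; it assumes the ADFS PowerShell module (Windows Server 2012 R2 or later; on AD FS 2.0 load the Microsoft.Adfs.PowerShell snap-in) and the ActiveDirectory module for the final check. The identifier and assertion consumer URL are the values the article gives; the display name and rule names are assumptions matching the GUI steps.

```powershell
# Added example (not from the Everhour article): relying party trust, ACS endpoint and
# claim rules equivalent to the GUI steps, plus checks. Assumes the ADFS module.
$identifier = "https://app.everhour.com"                   # from the article
$acsUrl     = "https://app.everhour.com/-/saml/consume"    # from the article
$name       = "Everhour"                                   # display name, an assumption

# Assertion consumer endpoint with a POST binding ("Add Endpoints" step).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Rule 1 ("Send LDAP Attribute as Claims"): Active Directory mail -> E-mail Address claim.
# Rule 2 ("Transform an Incoming Claim"): E-mail Address -> Name ID, Email format,
#          passing the claim value through unchanged.
$transformRules = @'
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access this relying party" as an issuance authorization rule.
$authorizationRules = @'
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML-only profile, no token encryption certificate, as the article instructs.
Add-AdfsRelyingPartyTrust -Name $name -Identifier $identifier -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authorizationRules `
    -ProtocolProfile SAML

# Checks: identifier present, exactly one ACS endpoint at the right URL, no encryption cert.
$rp = Get-AdfsRelyingPartyTrust -Name $name
if ($rp.Identifier -notcontains $identifier) { throw "Identifier mismatch on trust '$name'." }
if (@($rp.SamlEndpoints).Count -ne 1 -or $rp.SamlEndpoints[0].Location -ne $acsUrl) {
    throw "Assertion consumer endpoint mismatch on trust '$name'."
}
if ($rp.EncryptionCertificate) { Write-Warning "Encryption certificate is set; the article says to leave it empty." }

# The NOTE above: users without a mail attribute get no E-mail Address claim, so no Name ID,
# so sign-in fails for them. List such enabled accounts so they can be fixed ahead of time.
Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    Where-Object { -not $_.mail } |
    Select-Object SamAccountName, UserPrincipalName
```

The two rule bodies are the same claim rule language that the GUI wizards generate for the templates named in the steps above, so the result is interchangeable with the click-through configuration; the final query is the practical check for the NOTE about missing email addresses.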
You are now ready to configure SAML in your Everhour team settings using the Sign-in page URL and the X.509 certificate text from the sections above. Head back to Everhour to finish the setup.