How can I set up ADFS with Greenhouse Onboarding?

 * These instructions were created using Windows Server 2012 R2 and ADFS 3.0.


Before you begin configuring ADFS, please send the following information to Greenhouse:

  • Your Single Sign On URL
  • Your Single Log Out URL (Optional)
  • Your IdP Certificate Fingerprint

You will receive the following from Greenhouse:

  • Your Greenhouse Metadata file

 

Part One: Add Greenhouse as a Relying Party Trust

1. Navigate to your AD FS Management tool, then open the "Trust Relationships" folder in the left sidebar.

2. Within the "Trust Relationships" folder, open the "Relying Party Trusts" folder.

3. Click "Add Relying Party Trust" under the "Actions" bar on the right side of the screen. This will open the "Add Relying Party Trust" Wizard.



4. On the Welcome page, click Start.

5. On the "Select Data Source" page, select "Import data about the relying party from a file." Upload the Metadata file from Greenhouse.



6. Enter “Greenhouse Onboarding” as the Display Name, and add any additional notes that you’d like.

7. You'll be given the option to set up Multi-factor authentication. This isn't necessary for your Greenhouse configuration, but feel free to add it if you'd like.

8. Select "Permit all users to access this relying party."

9. The next page will be an overview of your configuration. Please confirm that the following attributes were set correctly before moving on:

    • The "Identifiers" tab should contain your Display name and Greenhouse’s Relying party identifier. The Relying party identifier will use your subdomain and will be of the format 'app.parklet.co'

 

    • The Endpoints tab will contain your SAML Assertion Consumer Endpoint. For Greenhouse, that URL will be 'https://onboarding.greenhouse.io/saml/{uid}/consume'

 

10. On the next page, make sure that the box is checked next to "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes."

 

Part 2: Create Claim Rules for Greenhouse

Closing the "Add Relying Party Trust" Wizard will automatically open the "Edit Claim Rules" Wizard for Greenhouse. Here, you'll configure the attributes that AD FS will send to Greenhouse.

1. Click Add Rule

2. Select "Send LDAP Attributes as Claims" from the drop-down menu.

3. Name the claim rule "LDAP Email" and select the "Active Directory" attribute store. Then, add the following rules:

  • Select "E-Mail-Addresses" in the LDAP Attribute column. Select "E-Mail Address" in the Outgoing Claim Type column.

4. You will now see the new rule in your list of claim rules for Greenhouse. Click Add Rule to add the next rule.

5. Select "Transform an Incoming Claim" from the drop-down menu.

6. Configure the following on the next page:

  • Name the claim rule "Email Transform"
  • Set the Incoming claim type to "E-Mail Address"
  • Set the Outgoing claim type to "Name ID"
  • Set the Outgoing name ID format to "Email"
  • Select "Pass through all claim values"

7. You'll now see both of your new rules in the list of claim rules for Greenhouse. Click Apply and OK to close the Wizard.
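The wizard steps in Parts One and Two can also be run from PowerShell on the AD FS server. The script below is an added example, not Greenhouse's own code or part of the original article: it imports the metadata file, applies the "Permit all users" authorization rule, and writes the two claim rules in the claim rule language that the wizard generates for "Send LDAP Attributes as Claims" and "Transform an Incoming Claim". The metadata file path and the notes text are assumptions; replace them with your own.

```powershell
# Added example (not from the Greenhouse article): create the relying party
# trust and both claim rules of Parts One and Two from PowerShell on the
# AD FS server. The metadata path and notes text are assumptions.
Import-Module ADFS

$metadataFile = "C:\Greenhouse\greenhouse-metadata.xml"   # assumed location of the file Greenhouse sent

# Rule 1 ("LDAP Email"): look up the user's mail attribute in Active Directory
# and issue it as an E-Mail Address claim.
# Rule 2 ("Email Transform"): re-issue that claim as the SAML Name ID with the
# emailAddress format, passing the value through unchanged.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule equivalent to "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Part One: import the Greenhouse metadata and create the trust with the rules attached.
Add-AdfsRelyingPartyTrust -Name "Greenhouse Onboarding" `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -Notes "Greenhouse Onboarding SSO; metadata imported from the file supplied by Greenhouse"   # assumed text

# Part One, step 9: confirm what the import produced. The identifier and the
# assertion consumer endpoint should match the values described in the article.
$rp = Get-AdfsRelyingPartyTrust -Name "Greenhouse Onboarding"
$rp | Select-Object Name, Identifier
$rp.SamlEndpoints | Format-Table Protocol, Binding, Location -AutoSize
$rp.IssuanceTransformRules
```

The rule text is what the "Edit Claim Rules" dialog stores; you can compare it against the output of the last line, or against the "View Rule Language" button in the dialog, to confirm the wizard and the script produce the same configuration.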


Part 3: Edit Trust Settings

Next, edit the trust settings for Greenhouse.

1. On the "Relying Party Trusts" page of the AD FS Management Tool, select Greenhouse Onboarding from the list of Relying Party Trusts. Then, click Properties under the "Actions" bar on the right side of the page. 

2. In the Greenhouse Properties window, navigate to the "Advanced" tab. The Secure Hash Algorithm will be set to "SHA-256" by default. Change the Secure Hash Algorithm to "SHA-1." Note that SHA-1 signatures are deprecated and weaker than SHA-256; make this change only because the Greenhouse side of the integration requires it, and switch back to SHA-256 if Greenhouse confirms it can verify SHA-256 signatures.

 

Part 4 -  Set the NotBeforeSkew Parameter

When a user signs in through AD FS, the SAML response sent to Greenhouse carries "NotBefore" and "NotOnOrAfter" conditions that bound the period during which the response is valid. If the AD FS server clock runs ahead of the Greenhouse server clock, Greenhouse receives the response at a moment that, by its own clock, is still earlier than the "NotBefore" time; the response is then rejected as not yet valid and the user cannot log in.

To keep users from being affected by clock drift between the two servers, set a skew of at least two minutes on the "NotBefore" condition by following the instructions below. Keep the skew small: it widens the window in which a captured assertion would still be accepted, and the proper fix for persistent drift is correct NTP time synchronization on the AD FS server.

1. Open PowerShell on the AD FS server.

2. Check the current NotBeforeSkew by running the following command:

Get-ADFSRelyingPartyTrust -Identifier "app.parklet.co"

3. In the output, find the "NotBeforeSkew" attribute. Its value is the current skew for that trust, in minutes.

4. Next, set "NotBeforeSkew" to 2 minutes by running the following command:

Set-ADFSRelyingPartyTrust -TargetIdentifier "app.parklet.co" -NotBeforeSkew 2

5. Check the new "NotBeforeSkew" by running the first command again:

Get-ADFSRelyingPartyTrust -Identifier "app.parklet.co"

* The NotBeforeSkew should now be set to "2".


Part 5 - Configure a Single Logout URL (Optional)

The final step is to configure a Single Logout URL. This is optional.

1. Open the "Greenhouse Onboarding Properties" dialog box by selecting the trust and clicking the Properties button in the "Actions" sidebar.

2. Navigate to the Endpoints tab. You'll see the ACS URL from Greenhouse's Metadata file in the list of Endpoints. To add a Single Logout URL, click Add SAML.

3. Configure the following in the "Add an Endpoint" window:

  • Set the Endpoint type to "SAML Logout"
  • Set Binding to "POST"
  • In the Trusted URL textbox, enter your Single Logout URL. 

4. You'll now see both the ACS URL from Greenhouse and your Single Logout URL on your list of Endpoints for Greenhouse. Click Apply, then click OK.
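Parts 3, 4 and 5 change properties of the same relying party trust, so they can be applied and then checked in one PowerShell session. The script below is an added example, not Greenhouse's own code or part of the original article. It uses the relying party identifier shown in Part 4; the Single Logout URL is a placeholder you must replace with your own.

```powershell
# Added example (not from the Greenhouse article): apply the Part 3, 4 and 5
# settings from PowerShell on the AD FS server and verify the result.
# The identifier is the one shown in the article; the logout URL is an assumption.
Import-Module ADFS

$identifier = "app.parklet.co"
$singleLogoutUrl = "https://example.com/saml/logout"   # assumed placeholder; use your own Single Logout URL

# Part 3: the cmdlet takes the algorithm as a URI; rsa-sha1 is the value behind
# the "SHA-1" drop-down choice. Only downgrade from rsa-sha256 because the
# service provider requires it.
# Part 4: tolerate up to 2 minutes of clock drift ahead of NotBefore.
Set-AdfsRelyingPartyTrust -TargetIdentifier $identifier `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -NotBeforeSkew 2

# Part 5: add the SAML logout endpoint. -SamlEndpoint replaces the whole
# endpoint list, so the existing assertion consumer endpoint(s) must be kept.
$rp = Get-AdfsRelyingPartyTrust -Identifier $identifier
$existing = @($rp.SamlEndpoints)
$logout = New-AdfsSamlEndpoint -Protocol SAMLLogout -Binding POST -Uri $singleLogoutUrl
Set-AdfsRelyingPartyTrust -TargetIdentifier $identifier -SamlEndpoint ($existing + $logout)

# Verify every setting and stop if anything differs from what was intended.
$rp = Get-AdfsRelyingPartyTrust -Identifier $identifier
if ($rp.NotBeforeSkew -ne 2) {
    throw "NotBeforeSkew is $($rp.NotBeforeSkew), expected 2"
}
if ($rp.SignatureAlgorithm -notlike "*rsa-sha1") {
    throw "Unexpected signature algorithm: $($rp.SignatureAlgorithm)"
}
$protocols = $rp.SamlEndpoints | ForEach-Object { "$($_.Protocol)" }
foreach ($needed in "SAMLAssertionConsumer", "SAMLLogout") {
    if ($protocols -notcontains $needed) { throw "Missing $needed endpoint" }
}
$rp | Select-Object Name, Identifier, SignatureAlgorithm, NotBeforeSkew
$rp.SamlEndpoints | Format-Table Protocol, Binding, Location -AutoSize
```

Run the verification block again after any later change in the management console; the Endpoints tab and the "Advanced" tab show the same values that the last two lines print.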

 
