Before starting work on Active Directory Federation Services (ADFS), let us see how to install and configure it on your system and get ready to work with it in OpKey.
Installing ADFS on Windows Server 2012 R2
ADFS is a well-known service for providing Single Sign-On (SSO) to multiple web applications using a single Active Directory account.
Follow the steps given below to install ADFS on a Windows Server machine:

Note: The Web Application Proxy role and ADFS cannot be installed on the same computer.

Configuring ADFS on Windows Server 2012 R2
Follow the steps given below to configure ADFS:

Note: If you are installing ADFS on a Domain Controller, or want to use a different FQDN for ADFS than the server's own name, ensure that the name you enter has a DNS record created for it.
Note: If you imported a certificate, you can see that it has been added to your Personal certificate store.

PowerShell Commands:

Note: Ensure this user account is added to the local Administrators group of your ADFS server; this is required to set up Microsoft Web Application Proxy.

Note: WID (Windows Internal Database) is a limited version of SQL Express that doesn't have a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\.

Let us check that ADFS is working properly by opening the IdP-initiated sign-on page in a browser:

https://adfs.virtualtesting.com/adfs/ls/idpinitiatedSignOn.aspx

Adding a Relying Party Trust
(1) Open Server Manager, navigate to the Tools menu, and select ADFS Management from the drop-down.

(2) In the ADFS Management sidebar, under Trust Relationships of AD FS, click Add Relying Party Trust.

(3) The Add Relying Party Trust Wizard opens on the Welcome screen.
(4) Click Start to continue.

(5) In the Select Data Source screen, select the Enter data about the relying party manually option.
(6) Click Next to continue.

(7) The Specify Display Name screen appears. Enter a Display Name that identifies the trust, such as Test Environment, and add any notes you want to keep.
(8) Click Next to continue.

(9) In the Choose Profile screen, select the AD FS profile option.
(10) Click Next to continue.

(11) In the Configure Certificate screen, leave the certificate settings at their default values.
(12) Click Next to continue.

(13) In the Configure URL screen, select the Enable support for the SAML 2.0 WebSSO protocol option and enter the SAML 2.0 SSO service URL. (The format should be https://<your-mattermost-url>/login/sso/saml, where https://<your-mattermost-url>
(14) Click Next to continue.

(15) In the Configure Identifiers screen, enter the Relying party trust identifier (also known as the Identity Provider Issuer URL). (The format should be https://<your-idp-url>/adfs/services/trust.)
(16) Click Add to add the entered Relying party trust identifier to the list.

(17) In the Configure Multi-factor Authentication Now screen, you can optionally enable multi-factor authentication.
(18) Click Next to continue.

(19) In the Choose Issuance Authorization Rules screen, select the Permit all users to access this relying party option.
(20) Click Next to continue.

(21) Review your settings in the Ready to Add Trust screen.
(22) Click Next to continue.

(23) In the Finish screen, select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option.
(24) Click Close.

Create Claim Rules
(1) Launch Edit Claim Rules for Test Environment. Open the Issuance Transform Rules tab and click the Add Rule... button.

(2) The Add Transform Claim Rule Wizard opens.
(3) In the Choose Rule Type screen, select Send LDAP Attributes as Claims from the drop-down menu. Click Next to continue.

(4) In the Configure Claim Rule window, enter a Claim Rule Name of your choice and select Active Directory as the Attribute Store.

(5) Fill in the required fields under Mapping of LDAP attributes to outgoing claim types as mentioned below:
The FirstName and LastName attributes are optional.
Note: The entries in the Outgoing Claim Type column can be named differently. They may contain dashes but no spaces.
(6) Click Finish to add the rule.

(7) The added Claim Rule is now displayed in the list.
(8) Click Apply and then OK to continue.

(9) Create another rule by clicking the Add Rule button.
(10) In the Choose Rule Type screen, select Transform an Incoming Claim from the drop-down menu.
(11) Click Next to continue.

(12) In the Configure Claim Rule page, enter the desired Claim Rule Name.
(13) Select the Pass through all claim values option and click Finish.

(14) The added Claim Rule name is now displayed in the list.
(15) Click Apply and then OK to continue.

(16) All the added Relying Party Trusts are now displayed in the list.

(17) Right-click your Relying Party Trust and click the Properties option.
(18) Select the Endpoints tab and then select your endpoint to open it.

(19) Select Redirect as the Binding. Click OK to finish.

(20) Open your ADFS URL in the web browser.
(21) Under the Sign in to one of the following sites option, select the site you want to log in to through ADFS.
(22) Click Sign In to proceed.

(23) Enter your valid ID and password to log in.

(24) You are now logged in. Select the project you wish to work on.
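The same relying party trust and claim rules that the two wizard procedures above create, expressed with the ADFS PowerShell module so the configuration can be reviewed and reproduced. This is an added example, not code from the page or from OpKey: the service provider base URL, the LDAP-attribute-to-claim mapping (the page's mapping table is not reproduced) and the mapping of the Email claim to the SAML Name ID are assumptions; the identifier follows the format given in step 15 and the endpoint uses the Redirect binding from step 19.

```powershell
# Added example (not from the page or OpKey): reproduces the wizard settings with PowerShell.
# Assumed values are marked; run in an elevated PowerShell on the ADFS server.
Import-Module ADFS

$SpBaseUrl    = "https://opkey.example.com"                              # assumed SP URL
$AcsUrl       = "$SpBaseUrl/login/sso/saml"                               # step 13 format
$RpIdentifier = "https://adfs.virtualtesting.com/adfs/services/trust"     # step 15 format

# Step 13 (SAML 2.0 WebSSO) + step 19 of the claim-rule procedure (Redirect binding).
$acs = New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Claim rule 1: "Send LDAP Attributes as Claims" with Active Directory as the store.
# Outgoing claim type names are assumed; they may contain dashes but no spaces.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "OpKey LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "Username", "FirstName", "LastName"), query = ";mail,sAMAccountName,givenName,sn;{0}", param = c.Value);
'@

# Claim rule 2: "Transform an Incoming Claim" with "Pass through all claim values".
# Assumed: the Email claim becomes the SAML Name ID in emailAddress format.
$mapRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "Email"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Trust wizard step 19: "Permit all users to access this relying party".
$authzRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name "Test Environment" `
    -Identifier $RpIdentifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules ($ldapRule + "`n" + $mapRule) `
    -IssuanceAuthorizationRules $authzRule `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Review what was created: identifier, endpoint binding and the rule text.
Get-AdfsRelyingPartyTrust -Name "Test Environment" |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

The Get-AdfsRelyingPartyTrust output is what to compare against the wizard screens if a sign-in later fails: a wrong identifier or a POST-only endpoint shows up there before it shows up in the browser.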

Configure SAML sign-in for OpKey
Getting started with the SSO feature in OpKey

Group Management
Group Management under the Admin Console of OpKey allows you to manage groups of users. Here you can view the list of existing groups along with details such as Service Provider, Name, Projects, OpKey Admin privileges and Actions. You can edit and delete existing groups as required, but you need Admin privileges to do so.
