Overview
This user guide shows you how to integrate your IdP with Dubber SSO for SAML IdP-initiated login, using AD FS as the identity provider. The steps below cover emailing Dubber to start the process, configuring the relying party trust on the identity provider, and configuring the claim rules that produce the NameID Dubber expects.
Raise a Support Request
Email the Dubber Support team (support@dubber.net) with a request to implement IdP-initiated SAML SSO. Provide either the SAML metadata URL for your IdP, or the PEM-encoded token-signing certificate together with the IdP entityId, so that Dubber can validate the assertions your AD FS signs.
Configure Relying Party Trust on the IdP
Confirm that the required certificates are imported into the Trusted Root Certification Authorities store on the AD FS server.
The AD FS configuration requires a “Relying Party Trust URL” and a “Relying Party Trust Identifier”.
These values depend on the Dubber region your account is hosted in. Use the values exactly as shown here; a mismatch in the identifier causes AD FS to reject the request or Dubber to reject the assertion.
| Region | Relying Party Trust URL | Relying Party Trust Identifier |
| --- | --- | --- |
| AU | https://au.dubber.net | https://au.dubber.net/saml/auth |
| CA | https://ca.dubber.net | https://ca.dubber.net/saml/auth |
| JP | https://jp.dubber.net | https://jp.dubber.net/saml/auth |
| US | https://us.dubber.net | https://us.dubber.net/saml/auth |
| UK | https://uk.dubber.net | https://uk.dubber.net/saml/auth |
| UK1 | https://uk1.dubber.net | https://uk1.dubber.net/saml/auth |
| EU | https://eu.dubber.net | https://eu.dubber.net/saml/auth |
| SG | https://sg.dubber.net | https://sg.dubber.net/saml/auth |
| Sandbox | https://sandbox.dubber.net | https://sandbox.dubber.net/saml/auth |
To configure AD FS:
- Open the AD FS console.
- Click “Trust Relationships” to expand the folder.
- Right-click the “Relying Party Trusts” folder, then select “Add Relying Party Trust”.
- On the Add Relying Party Trust Wizard, click “Start”.
- On the “Select Data Source” page, click “Enter data about the relying party manually”, then click “Next”.
- On the “Specify Display Name” page, fill in the “Display Name” field. This is the name of the Relying Party Trust that the IdP displays in the menu for users. In the “Notes” field, provide a description for the relying party trust. Click “Next”.
- On the “Choose Profile” page, click “AD FS profile”, then click “Next”.
- On the “Configure Certificate” page, do not import any certificate. Click “Next”.
- On the “Configure URL” page, select the “Enable support for the SAML 2.0 WebSSO protocol” option, and enter the Relying Party Trust URL in the “Relying party SAML 2.0 SSO service URL” field. Click “Next”.
- On the “Configure Identifiers” page, enter the Relying Party Trust Identifier for your region in the “Relying party trust identifier” field, then click “Add”. Click “Next”.
- On the “Choose Access Control Policy” page, choose the policy that fits your requirements (preferably one that permits only the AD group whose members have Dubber accounts, rather than everyone), then click “Next”.
- On the “Ready to Add Trust” page, open the “Advanced” tab.
- In the “Secure hash algorithm” section, select “SHA-256”, then click “Next”.
Note: If the wizard does not let you select the secure hash algorithm, set it after the trust is created: in the “Relying Party Trusts” list, right-click the relying party trust that you created, select “Properties”, and on the “Advanced” tab confirm that the secure hash algorithm is “SHA-256” rather than SHA-1.
- Select the option to open “Edit Claim Rules” when you close the wizard, then click “Close”.
Configure Claim Rules
- Open “Relying Party Trusts” and right-click the entry that you created. Select “Edit Claim Issuance Policy”.
- Set up a rule that retrieves an appropriate attribute from Active Directory (or another attribute store) and sends it as the NameID claim. This attribute must match the Dubber userId used to provision users in Dubber when the nameId format is unspecified, or the Dubber username (email address) when the nameId format is email address.
Example:
Template: Send LDAP Attributes as Claims
Claim Rule Name: Get LDAP Claims
LDAP Attribute: SAM-Account-Name
Outgoing Claim Type: NameID
Note: If “NameID” is not in the “Outgoing Claim Type” menu, type or paste the value NameID into the field.
- Set up another rule to send the NameID value in the SAML Response with the correct format and in lowercase.
Example:
Template: Send Claims using a Custom Rule
Claim Rule Name: NAME to NameId
Custom Rule:
c:[Type == "NameID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
    Value = RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(c.Value,
      "A", "a"), "B", "b"), "C", "c"), "D", "d"), "E", "e"), "F", "f"), "G", "g"), "H", "h"), "I", "i"),
      "J", "j"), "K", "k"), "L", "l"), "M", "m"), "N", "n"), "O", "o"), "P", "p"), "Q", "q"), "R", "r"),
      "S", "s"), "T", "t"), "U", "u"), "V", "v"), "W", "w"), "X", "x"), "Y", "y"), "Z", "z"),
    ValueType = c.ValueType,
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
Notes:
- The type named in “[Type == "NameID"]” must match the “Outgoing Claim Type” you specified in the rule that gets the LDAP claims.
- The nested RegExReplace calls lowercase the value one letter at a time. The claim rule language has no lowercase function, and RegExReplace matches case-sensitively, so each call changes only its own uppercase letter. The rule is long but the line breaks above are optional; the claim rule language ignores whitespace.
- If you use an email address as the nameId value, set the format property to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress instead of the unspecified format.
- Click “Finish”.
- In the “Edit Claim Rules” window, click “OK” to save the rule.
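The wizard steps and the two claim rules above can be reproduced with the AD FS PowerShell module, which is also the easiest way to audit what was configured. The following script is an added example and is not Dubber's or Microsoft's code. It assumes an elevated session on the primary AD FS server (AD FS 2016 or later, for -AccessControlPolicyName) and the AU region; the display name, notes text and the "Permit everyone" policy are placeholders to adjust.

```powershell
# Added example (not from the Dubber article): create the relying party trust and the
# claim rules from this guide with the AD FS PowerShell module instead of the wizard.
# Assumptions: elevated session on the primary AD FS server, AD FS 2016+, AU region.
Import-Module ADFS

$region = "au"                                       # row from the region table
$rpName = "Dubber ($($region.ToUpper()))"            # wizard "Display Name" (placeholder)
$rpUrl  = "https://$region.dubber.net"               # Relying Party Trust URL
$rpId   = "https://$region.dubber.net/saml/auth"     # Relying Party Trust Identifier

# "Enable support for the SAML 2.0 WebSSO protocol" with the SSO service URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                            -Uri $rpUrl -Index 0 -IsDefault $true

# Build the lowercase expression from the guide programmatically: one nested
# RegExReplace per letter, A..Z -> a..z, because the claim rule language has no
# lowercase function. Result is identical to the 26-deep expression in the article.
$lower = "c.Value"
foreach ($code in 65..90) {
    $lower = "RegExReplace($lower, `"$([char]$code)`", `"$([char]($code + 32))`")"
}

# Rule 1 is what the "Send LDAP Attributes as Claims" template emits for
# SAM-Account-Name -> outgoing claim type "NameID". Rule 2 is the custom rule.
$rules = @"
@RuleName = "Get LDAP Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("NameID"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "NAME to NameId"
c:[Type == "NameID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = $lower, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
              = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

# No -EncryptionCertificate: matches "do not import any certificate" in the wizard.
# SHA-256 signing matches the "Secure hash algorithm" setting on the Advanced tab.
# Replace "Permit everyone" with a group-restricted policy where possible.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $rpId `
    -Notes "Dubber IdP-initiated SAML SSO, region $region" `
    -SamlEndpoint $acs `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $rules

# Audit: the same values the Properties dialog shows (Identifiers, Endpoints, Advanced).
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, SignatureAlgorithm, AccessControlPolicyName
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.IssuanceTransformRules
```

Rule 1 uses `issue`, as the template does, so the intermediate "NameID"-typed claim is also emitted as an attribute in the assertion; replacing `issue` with `add` in rule 1 keeps it internal to the pipeline while rule 2 still sees it. Run `Get-AdfsRelyingPartyTrust` again after any GUI change to confirm the signature algorithm has not silently reverted to SHA-1.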
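When a login fails, the quickest check is to decode the SAMLResponse that AD FS posts to the Relying Party Trust URL (capture the form field in the browser's developer tools and URL-decode it) and confirm the NameID, its format, the Destination and the Audience are what the rules above are meant to produce. The function below is an added example, not Dubber's code; the response it parses is constructed for this example (issuer adfs.example.com, user jsmith, AU region) and carries no Signature element, so this check says nothing about signature validity, which Dubber verifies on its side.

```powershell
# Added example (not from the Dubber article): decode a POST-binding SAMLResponse and
# check the fields the claim rules and the region table are responsible for.
function Test-DubberSamlResponse {
    param(
        [Parameter(Mandatory)][string]$SamlResponseBase64,   # URL-decoded form value
        [string]$Region = "au",
        [string]$ExpectedFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    )
    # POST binding: the SAMLResponse field is plain base64 of the XML (no deflate).
    $xml = [xml][System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
    $ns.AddNamespace("saml",  "urn:oasis:names:tc:SAML:2.0:assertion")

    $nameId   = $xml.SelectSingleNode("/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", $ns)
    $audience = $xml.SelectSingleNode("//saml:Conditions/saml:AudienceRestriction/saml:Audience", $ns)
    $value    = if ($nameId) { $nameId.InnerText } else { $null }

    [pscustomobject]@{
        NameId        = $value
        Format        = if ($nameId) { $nameId.GetAttribute("Format") } else { $null }
        FormatOk      = [bool]($nameId -and $nameId.GetAttribute("Format") -eq $ExpectedFormat)
        IsLowercase   = [bool]($value -and ($value -ceq $value.ToLowerInvariant()))   # -ceq: case-sensitive
        DestinationOk = ($xml.DocumentElement.GetAttribute("Destination") -eq "https://$Region.dubber.net")
        AudienceOk    = [bool]($audience -and $audience.InnerText -eq "https://$Region.dubber.net/saml/auth")
    }
}

# Constructed sample: the shape AD FS produces for sAMAccountName "JSmith" after the
# "NAME to NameId" rule lowercases it. Signature omitted for the example.
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
                Destination="https://au.dubber.net">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://au.dubber.net/saml/auth</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
'@
$b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sample))
Test-DubberSamlResponse -SamlResponseBase64 $b64 -Region "au"
```

All four boolean fields should be True for a working setup. A False IsLowercase usually means the "NAME to NameId" rule is missing or its `[Type == "NameID"]` does not match the outgoing claim type of the LDAP rule; a False FormatOk with an email NameId means the format property still says unspecified; a False AudienceOk or DestinationOk means the identifier or URL entered in the wizard does not match the region table.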