Configure Definitiv for SSO:
Log in to Definitiv and navigate to Admin, Miscellaneous, SSO Config. If you don’t see these navigation items, you may not have the required permissions. Please review your current user permissions, or raise a support case.
Ensure Enable SSO is off for now. It will be enabled at the end once the ADFS side is set up.
Enter your ADFS server’s federation metadata address in the Identity Provider Federation Metadata URL field. For an ADFS server, the address typically follows this pattern: https://adfs.mycompany.com.au/FederationMetadata/2007-06/FederationMetadata.xml
Enable both Sign Assertion and Encrypt Assertion (ADFS supports both these features, so we always recommend enabling them).
Make note of the Service Provider Federation Metadata URL value; it is used next, in the AD FS configuration.
Save changes.
Set up the Relying Party Trust
The first step is to set up the Definitiv application as a Relying Party (SAML Service Provider):
Log in to your AD FS server, and open the AD FS Management application.
Click Add Relying Party Trust… in the right-hand Actions sidebar.
Enter the Service Provider Federation Metadata URL from the Definitiv configuration into the Federation metadata address field and click Next.
Optionally change the display name or add notes (neither affects any part of the SSO process), and click Next.
Leave MFA off (Definitiv has its own MFA solution, even with SSO logins), and click Next.
Permit all users to access this relying party, and click Next. (You can restrict this in a later step. Because the Definitiv SSO feature requires a matching Definitiv user account to already exist, there is no risk in allowing all domain users here: only users with Definitiv accounts will be granted access.)
Review the setup information and then click Next.
Click Close and wait for the Edit Claim Rules dialog to open.
Set up the Outgoing Claims
The final step is to set up a rule that populates the ‘Name ID’ field of the SAML SSO response with the email address of the domain user, which must match their Definitiv username. The steps below show a common approach, but it may differ depending on your AD/LDAP setup.
Note that Definitiv will not auto-provision new accounts when it encounters an unknown email address; it will simply fail the SSO login, and the user will be presented with a message to contact their administrator.
If the Edit Claim Rules dialog is not open from the previous steps, right-click on your Definitiv relying party trust and click Edit Claim Rules.
Add a new rule (on the Issuance Transform Rules tab).
Select Send LDAP Attributes as Claims and click Next.
Enter a rule name (e.g. ‘Email address as Name ID’).
Select your Attribute Store (e.g. Active Directory).
Select the LDAP attribute that stores the AD user’s email address that will match their user account within Definitiv. This is often under User-Principal-Name but may differ based on your AD setup.
Select Name ID as the Outgoing Claim Type.
Click Finish.
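The same Relying Party Trust and claim rules as the wizard steps above, created with the AD FS PowerShell module instead. This is an added example, not a script from Definitiv or from the AD FS documentation; it assumes the ADFS module is available on the AD FS server and that $spMetadataUrl is replaced with the Service Provider Federation Metadata URL copied from the Definitiv SSO Config page.

```powershell
# Added example (not Definitiv's own script). Assumes it runs on the AD FS server
# and that $spMetadataUrl is the Definitiv Service Provider Federation Metadata URL.
Import-Module ADFS

$spMetadataUrl = 'https://<definitiv-service-provider-metadata-url>'   # placeholder, from SSO Config
$rpName        = 'Definitiv'

# Outgoing claim: the AD user's email address (userPrincipalName, i.e. the
# User-Principal-Name attribute from the step above; change the LDAP attribute
# if your directory stores it elsewhere) issued as the SAML Name ID.
# This is what the "Send LDAP Attributes as Claims" template generates.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email address as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization: permit all users. Definitiv still rejects anyone
# without an existing Definitiv account, so this only lets AD FS issue the assertion.
$permitAllRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from the SP metadata (this imports Definitiv's identifier,
# endpoints and certificates) and attach both rule sets.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $spMetadataUrl `
    -IssuanceTransformRules $nameIdRule `
    -IssuanceAuthorizationRules $permitAllRule `
    -Notes 'Definitiv SAML service provider'

# Mirror the Definitiv-side Sign Assertion / Encrypt Assertion settings:
# sign the SAML assertion and encrypt claims with the certificate from SP metadata.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlResponseSignature 'AssertionOnly' -EncryptClaims $true

# Verify what was imported and which rules will run.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, EncryptClaims, SamlResponseSignature, IssuanceTransformRules

# Troubleshooting: the most recent errors from the AD FS Admin log.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 20 | Where-Object LevelDisplayName -eq 'Error'
```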
Enable SSO
Before enabling SSO, we recommend that you set up a local (i.e., non-SSO) admin account so you can always access the Definitiv SSO Config page, even if your SSO solution is not working.
Once the user account is set up, ensure the user’s corresponding username (email address) is added to the exclusion list in the Who Uses SSO field on the Definitiv SSO Config page.
Back in Definitiv, Admin, Miscellaneous, SSO Config, enable SSO, and save.
You should now be able to confirm SSO is working by logging out, entering your domain username, and logging in on your ADFS login page (or being redirected straight into Definitiv if you are already logged in to ADFS).
Troubleshooting
Your ADFS server’s Event Viewer will contain logs of any errors that occur during the SAML exchange. They are located under the Application and Services Logs/AD FS/Admin node.
If there are no errors within the AD FS server but you are still experiencing SSO errors, it is possible that the error is occurring within the Definitiv application. In this case please raise a support case in the Customer Portal so it can be investigated further.