This article provides guidance on the steps required for SAML integration with ClickView. The SAML integration is an HTTPS-only process: customers must hold at least a 2048-bit RSA certificate issued by a reputable Certificate Authority.
Currently ClickView supports Single Sign-On (SSO) integration for most SAML2 Protocol based authentication systems including but not limited to Active Directory Federation Services (ADFS), Shibboleth 2.0, WS-Federation, and PingIdentity.
Integration Process with Microsoft ADFS 2.0 / 3.0
Prior to undertaking the steps below, please ensure your ADFS 'Organisation' information is published with your Federation Metadata.
To verify or populate this, right-click the 'ADFS' folder in the top-left pane -> 'Edit Federation Service Properties':
Within this dialog, click the 'Organization' tab, which should present you with the following:
Please ensure the 'Publish Organization information in federation metadata' box is ticked and that all 'Support contact information' boxes are populated with valid data; this is mandatory.
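The following PowerShell is an added example and not part of the ClickView article. It checks the federation metadata that ADFS publishes for exactly the items the article calls mandatory: an Organization element with name, display name and URL, and a support contact with all fields populated. It runs against a constructed sample document (with an intentionally empty telephone number) and shows, commented at the end, how to point it at your own Federation Service; the hostname there is a placeholder.

```powershell
# Added example (not from the ClickView article): confirm that the federation metadata
# ADFS publishes carries the Organization and support-contact details the article marks
# as mandatory. Runs against a constructed sample; the live fetch is shown at the end.
function Test-FederationMetadataOrganization {
    param([Parameter(Mandatory)][xml]$Metadata)

    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $problems = @()

    # 'Publish Organization information in federation metadata' produces <md:Organization>.
    $org = $Metadata.SelectSingleNode('/md:EntityDescriptor/md:Organization', $ns)
    if (-not $org) {
        $problems += "No <md:Organization> element: 'Publish Organization information in federation metadata' is not ticked."
    } else {
        foreach ($field in 'OrganizationName', 'OrganizationDisplayName', 'OrganizationURL') {
            $node = $org.SelectSingleNode("md:$field", $ns)
            if (-not $node -or [string]::IsNullOrWhiteSpace($node.InnerText)) {
                $problems += "Organization field '$field' is missing or empty."
            }
        }
    }

    # The 'Support contact information' boxes become <md:ContactPerson contactType="support">.
    $support = @($Metadata.SelectNodes('/md:EntityDescriptor/md:ContactPerson', $ns) |
                 Where-Object { $_.GetAttribute('contactType') -eq 'support' })
    if ($support.Count -eq 0) {
        $problems += 'No <md:ContactPerson contactType="support"> element: support contact information is not published.'
    }
    foreach ($contact in $support) {
        foreach ($field in 'GivenName', 'SurName', 'EmailAddress', 'TelephoneNumber') {
            $node = $contact.SelectSingleNode("md:$field", $ns)
            if (-not $node -or [string]::IsNullOrWhiteSpace($node.InnerText)) {
                $problems += "Support contact field '$field' is missing or empty."
            }
        }
    }
    return $problems
}

# Constructed sample metadata (entityID and contact details are made up for this example).
# The telephone number is deliberately empty so the check has something to report.
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.edu/adfs/services/trust">
  <Organization>
    <OrganizationName xml:lang="en">Example University</OrganizationName>
    <OrganizationDisplayName xml:lang="en">Example University</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">https://www.example.edu/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="support">
    <GivenName>Jane</GivenName>
    <SurName>Doe</SurName>
    <EmailAddress>itsupport@example.edu</EmailAddress>
    <TelephoneNumber></TelephoneNumber>
  </ContactPerson>
</EntityDescriptor>
'@

$problems = @(Test-FederationMetadataOrganization -Metadata ([xml]$sampleMetadata))
if ($problems.Count -eq 0) { 'OK: organization and support contact details are published.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }

# Live check against your own ADFS (the hostname is a placeholder):
# $fs   = 'adfs.example.edu'
# $live = [xml](Invoke-WebRequest -UseBasicParsing -Uri "https://$fs/FederationMetadata/2007-06/FederationMetadata.xml").Content
# Test-FederationMetadataOrganization -Metadata $live
```

Run the live variant after ticking the checkbox and filling in the contact boxes; an empty list of problems means the metadata ClickView will consume already contains everything the article requires.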
Customers running an Active Directory with a functional level of 2003 or higher will be able to take advantage of Microsoft's ADFS system for integrating with ClickView. We support ADFS on Windows Server 2008 R2 (ADFS 2.0) up to Windows Server 2016 (ADFS 4.0). Below is a brief walk-through of how the ADFS service can be installed on a Windows Server 2008 R2 server:
1. Open Start
2. Click Administrative Tools
3. Click AD FS 2.0 Management or AD FS 3.0 Management
4. Click AD FS Federation Server Configuration Wizard
5. Create a new Federation Service
7. New Federation Server Farm - Always choose this option, even if you only plan on deploying one server. If 'Stand-alone federation server' is chosen, you will not be able to add a new server to your AD network later.
8. Click Next
9. SSL Certificate - This should be pre-populated. If not, assign your SSL certificate to the Default Web Site created in IIS
10. Federation Service Name - This should match the SSL certificate name
11. Click Next
12. Enter the AD FS service account name and password
13. Click Next
14. Click Next.
15. If the name of the federation service is already in use you might be presented with an error: “The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.” You’ll have to use setspn.exe to set the proper SPN.
Configuring Federation Trust with ClickView Online
Now that the ADFS Service has been installed you are ready to setup the Relying Party Trust.
- Select Relying Party Trusts
- Click Add Relying Party Trust
- Click Start and then select 'Enter data about the relying party manually':
- Enter the 'Display name:' as 'ClickView' -> Click 'Next' -> Select the 'AD FS profile' option -> Click 'Next' -> Click 'Next' -> Click 'Next':
(NOTE: No checkboxes are required to be ticked on this page, proceed by clicking 'Next':)
- Enter the ClickView entityID URL for your region (listed below) in the 'Relying party trust identifier' field and click 'Add':
AU: https://saml-in5.clickview.com.au/shibboleth
UK: https://saml-in3.clickview.co.uk/shibboleth
NZ: https://shibboleth.clickview.co.nz/shibboleth
US: https://saml-in1.clickview.us/shibboleth
(NOTE: The example below shows the setup for the Australian region.)
Once the entityID has been added, click 'Next':
In this step you are given the choice of configuring multi-factor authentication (MFA); once the desired option is selected, proceed by clicking 'Next':
Select the option 'Permit all users to access this relying party' and click 'Next':
(NOTE: no fields are required to be populated here, proceed by clicking 'Next':)
Upon clicking 'Close', you will be redirected to setup Claim rules as described in the below section:
Creating Claim Rules for Exposure over SAML ADFS 2.0 / 3.0
For successful ADFS Integration with ClickView we require the following attributes exposed:
- Email Address
- Given Name
- Last Name
- Display Name
- Member Of (Group Membership)
During the authentication process the user's group membership is enumerated and the respective group membership that is mapped to ClickView Online is chosen.
In accordance with the SAML2 protocol the following rule templates must be used when exposing the above attributes over ADFS.
- Click 'Add Rule'
- Select 'Send Claims Using a Custom Rule' from the Claim Rule Template drop-down and click 'Next':
- For each of the attributes listed above, enter the corresponding Claim Rule name and the Custom Rule as per the table below:
Claim Rule Name | Custom Rule
--- | ---
Email Address | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.3"), query = ";mail;{0}", param = c.Value);
Given Name | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.5.4.42"), query = ";givenName;{0}", param = c.Value);
Display Name | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.16.840.1.113730.3.1.241"), query = ";displayName;{0}", param = c.Value);
Member Of | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:1.2.840.113556.1.2.102"), query = ";memberOf;{0}", param = c.Value);
Surname | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("urn:oid:2.5.4.4"), query = ";SN;{0}", param = c.Value);
Exposing additional claim rules
The claim rules described in step 3 above are the minimum required for basic user identification; any additional attributes needed for campus/school/institution identification can be released using the following custom templates:
I. Using the claim urn:oid format
c:[Type == "http://schemas.microsoft.com/ws/ABCD/XY/identity/claims/XXX"]
=> issue(store = "Active Directory", types = ("urn:oid:X.X.X.XX"), query = ";givenName;{0}", param = c.Value);
II. Using the claim name format
c:[Type == "http://schemas.microsoft.com/ws/ABCD/XY/identity/claims/XXX"]
=> issue(store = "Active Directory", types = ("XXX"), query = ";givenName;{0}", param = c.Value);
Where:
ABCD/XY = Schema/Standard
X.X.X.XX = urn:oid for the corresponding claim
XXX = claim name
NOTE: For identifying the schema of your desired attribute, please refer to What are claim types?
Other methods for exposing claims and attributes:
Please refer to the official Microsoft documentation below, which will guide you through the process of enabling claims and attributes, via different methods listed below:
A. Create a Rule to Send LDAP Attributes as Claims
B. Create a Rule to Send Group Membership as a Claim
C. Create a Rule to Transform an Incoming Claim
D. Create a Rule to Send an Authentication Method Claim
E. Create a Rule to Send Claims Using a Custom Rule
NOTE: Please include the name(s) of any additional attributes which are exposed for campus/school/institution in the Onboarding Form.
- Once the above attributes have been mapped, click 'Properties' for the ClickView relying party trust and select 'Endpoints':
- Click on the 'Add SAML' button -> Click on 'Binding' drop-down menu to select 'POST' -> Click on 'Index' drop-down menu to select '1' -> Enter the POST URL of your region as per below:
ClickView POST URLs
AU: https://saml-in5.clickview.com.au/Shibboleth.sso/SAML2/POST
UK: https://saml-in3.clickview.co.uk/Shibboleth.sso/SAML2/POST
NZ: https://shibboleth.clickview.co.nz/Shibboleth.sso/SAML2/POST
US: https://saml-in1.clickview.us/Shibboleth.sso/SAML2/POST
(NOTE: Example below shows setup for Australian region)
- Click on 'Add SAML...' button once again -> Click on 'Binding' drop-down menu to select 'Artifact' -> Click on 'Index' drop-down menu to select '3' -> Enter the Artifact URL of your region as per below:
ClickView Artifact URLs
AU: https://saml-in5.clickview.com.au/Shibboleth.sso/SAML2/Artifact
UK: https://saml-in3.clickview.co.uk/Shibboleth.sso/SAML2/Artifact
NZ: https://shibboleth.clickview.co.nz/Shibboleth.sso/SAML2/Artifact
US: https://saml-in1.clickview.us/Shibboleth.sso/SAML2/Artifact
(NOTE: Example below shows setup for Australian region)
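The whole sequence above (relying party trust with the ClickView entityID, 'Permit all users' authorization, the five custom claim rules, and the POST and Artifact endpoints at index 1 and 3) can be scripted with the ADFS PowerShell module so that it is reproducible across a server farm and can be reviewed before it is applied. The following is an added example and not ClickView's or Microsoft's own code: it uses the Australian-region URLs from this article, must be run on a federation server by an ADFS administrator, and its helper function takes the claim type and LDAP attribute as parameters, so it also generates the additional campus/school/institution attributes described under 'Exposing additional claim rules' (the function name and the read-back check at the end are this example's own).

```powershell
# Added example (not part of the ClickView article): create the ClickView relying party
# trust, claim rules, authorization rule and SAML endpoints from the ADFS PowerShell
# module instead of the GUI. Australian-region URLs as given in the article.
Import-Module ADFS

$rpName         = 'ClickView'
$entityId       = 'https://saml-in5.clickview.com.au/shibboleth'
$postUrl        = 'https://saml-in5.clickview.com.au/Shibboleth.sso/SAML2/POST'
$artifactUrl    = 'https://saml-in5.clickview.com.au/Shibboleth.sso/SAML2/Artifact'
$windowsAccount = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Builds one custom rule in the same shape as the table above. Because the claim type
# and LDAP attribute are parameters, the same function produces the extra attributes from
# the 'Exposing additional claim rules' section (urn:oid or plain claim name).
function New-AdAttributeRule {
    param(
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string]$ClaimType,
        [Parameter(Mandatory)][string]$LdapAttribute
    )
    # {0} inside the query string is claim-rule-language syntax, so no -f formatting here.
    "@RuleName = `"$RuleName`"`n" +
    "c:[Type == `"$windowsAccount`"]`n" +
    " => issue(store = `"Active Directory`", types = (`"$ClaimType`"), query = `";$LdapAttribute;{0}`", param = c.Value);"
}

$requiredRules = @(
    New-AdAttributeRule -RuleName 'Email Address' -ClaimType 'urn:oid:0.9.2342.19200300.100.1.3' -LdapAttribute 'mail'
    New-AdAttributeRule -RuleName 'Given Name'    -ClaimType 'urn:oid:2.5.4.42'                  -LdapAttribute 'givenName'
    New-AdAttributeRule -RuleName 'Display Name'  -ClaimType 'urn:oid:2.16.840.1.113730.3.1.241' -LdapAttribute 'displayName'
    New-AdAttributeRule -RuleName 'Member Of'     -ClaimType 'urn:oid:1.2.840.113556.1.2.102'    -LdapAttribute 'memberOf'
    New-AdAttributeRule -RuleName 'Surname'       -ClaimType 'urn:oid:2.5.4.4'                   -LdapAttribute 'SN'
)
$issuanceTransformRules = $requiredRules -join "`n`n"

# Equivalent of the wizard's 'Permit all users to access this relying party'.
$issuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Endpoints tab: POST binding at index 1, Artifact binding at index 3.
$samlEndpoints = @(
    New-AdfsSamlEndpoint -Binding POST     -Protocol SAMLAssertionConsumer -Uri $postUrl     -Index 1
    New-AdfsSamlEndpoint -Binding Artifact -Protocol SAMLAssertionConsumer -Uri $artifactUrl -Index 3
)

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $entityId `
    -SamlEndpoint $samlEndpoints `
    -IssuanceTransformRules $issuanceTransformRules `
    -IssuanceAuthorizationRules $issuanceAuthorizationRules

# Read the trust back and confirm all five OIDs and both endpoint bindings are configured.
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
$expectedOids = 'urn:oid:0.9.2342.19200300.100.1.3', 'urn:oid:2.5.4.42', 'urn:oid:2.16.840.1.113730.3.1.241',
                'urn:oid:1.2.840.113556.1.2.102', 'urn:oid:2.5.4.4'
foreach ($oid in $expectedOids) {
    if ($trust.IssuanceTransformRules -notmatch [regex]::Escape($oid)) { Write-Warning "Claim rule for $oid not found" }
}
foreach ($binding in 'POST', 'Artifact') {
    if (-not ($trust.SamlEndpoints | Where-Object { $_.Binding -eq $binding })) { Write-Warning "$binding endpoint not found" }
}
$trust | Select-Object Name, Identifier, SamlEndpoints
```

Swap the three URLs for your region's values from the lists above before running it. Keeping the rule text in version control also makes later changes (for example adding an institution attribute with New-AdAttributeRule) reviewable, which is harder to achieve with rules typed into the GUI.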
SSO Onboarding: Submitting your information
To start a new onboarding form, please click on your region: