- ADFS
- A UserVoice plan that includes SAML Single Sign-On
- A UserVoice account and admin login
1. Configure UserVoice as a Relying Party in ADFS 4.0
In this section, you will enable ADFS single sign-on in the ADFS Management Console and configure single sign-on in your UserVoice application. The UserVoice metadata.xml for your instance may come in handy. Find it at https://<subdomain>.uservoice.com/saml/metadata.xml
To configure ADFS single sign-on with UserVoice, perform these steps:
- Open the AD FS 2.0 Management Console and select Add Relying Party Trust to start the Add Relying Party Trust Wizard and then click ‘Start’.
- Make sure the Claims aware radio button is selected and then click the ‘Start’ button to continue.
- Select the Import data about the relying party published online or on a local network radio button and enter your UserVoice metadata URL: https://<subdomain>.uservoice.com/saml/metadata.xml
  - If you receive an error, select Enter data about the relying party manually.
- Choose and enter a Display Name (e.g. UserVoice) for this Relying Party and any additional notes you may want. Click ‘Next’ to continue.
- Choose the Permit everyone access control policy and then click ‘Next’ to continue. You may optionally select another access control policy to permit only a smaller subset of users and/or require multi-factor authentication (MFA) if needed, but these other access control policies will not be covered in this article.
- On the ‘Ready to Add Trust’ page, review all of the tabs and make sure the information looks correct. It’s a good idea to visit the Encryption and Signing tabs, view each certificate, and make sure it is trusted. You may need to add the cert(s) to your Trusted Root Certification Authorities before ADFS will allow this Relying Party to be used. Once you are sure that everything looks good, click ‘Next’ to continue.
- On the ‘Finish’ page, make sure the Configure claims issuance policy for this application check box is selected and then click ‘Close’.
2. Configuring Claim Rules
In this section, you will tell ADFS which user attributes to send to UserVoice in the SAML request.
- Click the Add Rule button.
- Select Send LDAP Attributes as Claims and click ‘Next’.
- Enter a name of your choice for the rule.
- UserVoice expects the following attributes. Map them as they appear in Active Directory to the value UserVoice is expecting:
  - emailaddress (required)
  - guid (do NOT use the user's email)
  - display_name
- Click ‘Finish’ to save the rule, and ‘OK’ to save the settings.
3. Export the ADFS token signing certificate
- In the ADFS Management Console, click the Certificates folder and double-click on the Token Signing certificate.
- Click the Details tab and the Copy To File button.
- Export the certificate as Base-64 encoded X.509 (.CER).
- Name the certificate, e.g. ‘UserVoice.cer’.
4. Configure UserVoice
- In a new browser tab/window, log in to your UserVoice Admin Portal.
- Once logged in, click the Settings Cog in the bottom-left corner.
- Click on the General tab, scroll down to Access and click User authentication.
- On the User Authentication dialog page, perform the following steps:
  - Select the Single Sign-On (SSO) radio button.
  - Paste the ADFS Single Sign-On Service URL value into the SSO REMOTE SIGN-IN URL text box.
  - (Optional) Paste the ADFS Sign Out URL value into the SSO REMOTE SIGN-OUT URL text box.
  - In the SAML SINGLE SIGN ON section, upload the ADFS token signing certificate:
    - Click ‘Choose File’.
    - Navigate to the ‘UserVoice.cer’ certificate you exported earlier, and select it.
  - Click ‘Save’.
Testing
To begin testing your SSO implementation, follow these steps:
- Open an Incognito Browser Window (or sign out of UserVoice and your ADFS Directory and open a new window).
- Go to your UserVoice Forum Portal (e.g. https://<subdomain>.uservoice.com).
- If you are not immediately presented with an ADFS login page, click Sign in (top-right corner). A popup window should appear. Enter the email address and password of a user that has permission to access the UserVoice application. Click Sign In.
- If successful, you should be granted access and taken to the home page. You have successfully set up ADFS Single Sign-On for UserVoice.
If you are unsuccessful, reread this guide, verify your configuration and test again. If you are still unsuccessful, see Troubleshooting below.
Troubleshooting
If rereading this guide and verifying your configuration does not resolve the problem, see our SAML Troubleshooting Guide.
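A common cause of failed or mismatched sign-ins is the claim rule from step 2 sending different attributes than intended. The Python script below is an added example, not UserVoice or Microsoft code: it decodes a SAMLResponse form value captured from your own test login (for instance from the browser's network tab) and checks for emailaddress, guid and display_name, flagging a guid that is really an email address. The sample responses are constructed, the function names are hypothetical, and the script does not validate the assertion's signature.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED = ("emailaddress", "guid", "display_name")  # attribute names from step 2

def extract_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse; return {short attribute name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        # ADFS may emit a full claim-type URI; keep only the last path segment.
        short = attr.get("Name", "").rstrip("/").rsplit("/", 1)[-1]
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(short, []).extend(values)
    return attrs

def check_claims(attrs):
    """Return a list of problems; an empty list means the claims look right."""
    problems = []
    for name in EXPECTED:
        if not any(v.strip() for v in attrs.get(name, [])):
            level = "required" if name == "emailaddress" else "expected"
            problems.append(f"{name}: missing ({level})")
    emails = {v.strip().lower() for v in attrs.get("emailaddress", [])}
    for guid in attrs.get("guid", []):
        g = guid.strip().lower()
        if g and ("@" in g or g in emails):
            problems.append("guid: looks like an email address")
    return problems

def constructed_response(claims):
    """Build a minimal unsigned SAMLResponse (constructed sample data only)."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>" for n, v in claims.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    claim_uri = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
    good = {claim_uri + "emailaddress": "jane@example.com",
            "guid": "3f2b8c1e-7a4d-4e2a-9c55-0d1f6b7a8e90", "display_name": "Jane Doe"}
    bad = {"emailaddress": "jane@example.com", "guid": "jane@example.com"}
    for label, claims in (("good", good), ("bad", bad)):
        print(label, check_claims(extract_attributes(constructed_response(claims))) or "OK")
```

If the relying party trust has an encryption certificate configured, the assertion arrives encrypted and this check reports every attribute as missing.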