Add Microsoft ADFS as a single sign-on provider


Prerequisites:
  • Sso > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s ADFS account
  • User email addresses are the same in both ADFS and PureCloud
  • Any Microsoft ADFS version that supports SAML 2.0. There may be some differences in the configuration, depending on the version.

Add PureCloud as an application that organization members can access with the credentials to their Microsoft ADFS account.

Notes:
  • PureCloud does not support assertion encryption for single sign-on third-party identity providers. The PureCloud login service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default PureCloud login and enforce authentication using an SSO provider only. For more information, see Configure PureCloud to authenticate with SSO only.

Configure Microsoft ADFS

Add a Relying Party Trust

  1. Go to Administrative Tools > AD FS.
  2. In the console tree, go to AD FS > Trust Relationships > Relying Party Trusts.
  3. Click Add Relying Party Trust to launch the wizard.
  4. On the Choose Profile screen, click AD FS profile to select SAML.
  5. In the Configure URL screen, do the following steps:
    1. Click Enable support for SAML 2.0 WebSSO protocol.
    2. In the field below the check box, type the following URL, based on the AWS region where your PureCloud organization was created.

      AWS Region               URL
      US East (N. Virginia)    https://login.mypurecloud.com/saml
      US West (Oregon)         https://login.usw2.pure.cloud/saml
      EU (Ireland)             https://login.mypurecloud.ie/saml
      EU (Frankfurt)           https://login.mypurecloud.de/saml
      Asia Pacific (Sydney)    https://login.mypurecloud.com.au/saml
      Asia Pacific (Tokyo)     https://login.mypurecloud.jp/saml

  6. In the Configure Identifiers screen, type a value for the Relying party trust identifier. The value can be any unique string that you want to use to identify the relying party trust. When a relying party is identified in a request to the Federation Service, AD FS uses prefix matching logic to determine if there is a matching party trust in the AD FS configuration database.
  7. Leave the Configure Encryption screen blank. PureCloud automatically provides the necessary encryption from the Relying Party Identifier.
  8. Leave all other settings at their defaults and click Close.

Add the claim rules

You must add three claim rules: Email, Email to NameID, and Org Name.

  1. On the Relying Party Trusts page, right-click the trust that you created in the previous procedure and select Edit Claim Rules.
  2. Add the Email rule:
    1. Click Add Rule.
    2. Configure the claim rule with the following settings:

      For this property… Do this…
      Claim rule template Select Send LDAP Attributes as Claims.
      Claim rule name Type Email.
      Attribute store Select Active Directory.
      LDAP Attribute Select E-Mail Addresses.
      Outgoing claim type Select E-Mail Address.
    3. Click Finish.
  3. Add the Email to NameID rule:
    1. Click Add Rule.
    2. Configure the claim rule with the following settings:

      For this property… Do this…
      Claim rule template Select Transform an Incoming Claim.
      Claim rule name Type Email to NameID.
      Incoming claim type Select E-Mail Address.
      Outgoing claim type Select Name ID.
      Outgoing name ID format Select Transient Identifier.
      Pass through all claims Select Pass through all claims.
    3. Click Finish.

  4. Add the Org Name rule:

    1. Click Add Rule.
    2. Configure the claim rule with the following settings:

      For this property… Do this…
      Claim rule template Select Send Claims Using a Custom Rule.
      Claim rule name Type Org Name.
      Custom rule Enter the following text, replacing OrgName with the short name of your PureCloud organization. The organization name is case-sensitive.

      => issue(Type = "OrganizationName", Value = "OrgName");
    3. Click Finish.
  5. In the Issuance Transform Rules tab, make sure the rules are in the following order:
    1. Email
    2. Email to NameID
    3. Org Name

Get the certificate for PureCloud configuration

    1. In the console tree, go to AD FS > Service > Certificates.
    2. Right-click the certificate under Token-signing and select View Certificate.
    3. Click the Details tab and click Copy to file.
    4. For the export file format, select Base-64 encoded X.509 (.CER).
    5. For the file name, do the following steps:
      1. Click Browse.
      2. Type a file name.
      3. Click Save.
    6. Click Finish.
    7. Open the certificate file with a plain text editor and do the following steps:
      1. Delete the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
      2. Save the certificate file.

Get the metadata for PureCloud configuration

The metadata file contains the issuer (entityID) and the redirect URL for configuring PureCloud.

    1. In the console tree, go to AD FS > Service > Endpoints.
    2. Find and download the file called FederationMetadata.xml.
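As an added example that is not part of the original article, the Python script below does the file handling from the two procedures above in code: it strips the BEGIN/END lines from the exported .cer file, pulls the entityID (Issuer URI) and the HTTP-Redirect URL (Target URI) out of FederationMetadata.xml, and checks that the exported certificate is one of the token-signing certificates the metadata advertises, so the two files you upload to PureCloud describe the same AD FS instance. The adfs.example.com URLs and the certificate body are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample inputs: a placeholder certificate body (not a real X.509
# blob) and a cut-down FederationMetadata.xml for an assumed adfs.example.com.
SAMPLE_CERT_BODY = base64.b64encode(b"constructed placeholder, not a real cert").decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + SAMPLE_CERT_BODY
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{SAMPLE_CERT_BODY}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def strip_pem(pem_text: str) -> str:
    """Bare base64 body: the exported .cer with its BEGIN/END lines deleted."""
    body = "".join(l.strip() for l in pem_text.splitlines()
                   if l.strip() and not l.strip().startswith("-----"))
    base64.b64decode(body, validate=True)  # binascii.Error if the file is not base64
    return body

def parse_metadata(xml_text: str) -> dict:
    """Issuer URI, Target URI (HTTP-Redirect SSO URL) and advertised signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    redirect = [s.attrib["Location"] for s in idp.findall("md:SingleSignOnService", NS)
                if s.attrib.get("Binding") == REDIRECT]
    # A KeyDescriptor with no "use" attribute is valid for signing and encryption.
    certs = [re.sub(r"\s+", "", kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS))
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.attrib.get("use", "signing") == "signing"]
    return {"issuer_uri": root.attrib["entityID"], "target_uri": redirect[0],
            "signing_certs": certs}

def cert_matches_metadata(pem_text: str, xml_text: str) -> bool:
    """True when the exported .cer is one of the signing certs in the metadata."""
    return strip_pem(pem_text) in parse_metadata(xml_text)["signing_certs"]
```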

Select authentication methods

Select the authentication methods for logging into PureCloud on the extranet and the intranet.

    1. In the console tree, go to AD FS > Authentication Policies.
    2. Under Primary Authentication > Global Settings, click Edit.
    3. Under Extranet, check Forms Authentication.
    4. Under Intranet, check Forms Authentication and Windows Authentication.
    5. Click OK.

Configure PureCloud

    1. In PureCloud, click Admin.
    2. Under Integrations, click Single Sign-on.
    3. Click the ADFS/Azure AD (Premium) tab.
    4. Enter the Identity Provider metadata gathered from Microsoft ADFS.

      In this field… Do this…
      Certificate Click Browse, select the certificate file you saved, and click Open.
      Issuer URI Enter the entityID from the FederationMetadata.xml file.
      Target URI Enter the redirect URL from the FederationMetadata.xml file.
      Relying Party Identifier Add the unique identifier configured when adding the Relying Party Trust.
    5. Click Save.