Note: this document has not been updated recently and may contain out-of-date information.
- Relying Add Party Trust
- Start Wizard
- In ADFS Console's Tree View on left hand side, Under "Trust Relationships", Right click the "Relying Party Trusts" folder and choose “Add Relying Part Trust…”
- Click the Start button to commence the Wizard
- Select Data Source
- Choose the “Enter data about the relying party manually” option
- Specify Display Name
- Enter a descriptive name in the “Display Name” field
Eg. TrackOne Learning Analytics - Enter other notes if you wish
- Enter a descriptive name in the “Display Name” field
- Choose Profile
- Leave the default “AD FS Profile” option selected
- Configure Certificate
- Don’t select anything
- Configure URL
- Don’t need to enable either options unless they are specific to your environment
- Configure Identifiers
- Enter the URL you use to access Learning Analytics in the following format and click “Add”
Eg. https://analytics.school.qld.edu.au
Eg. https://tass.school.qld.edu.au/TrackOne
- Enter the URL you use to access Learning Analytics in the following format and click “Add”
- Configure Multi-factor Authentication Now?
- Leave the “I do not want to configure” selection as-is
- Issuance Authorization Rules
- Leave the “Permit all users to access this relying party” option selected
Note you can update this later to restrict to a certain group however if a user doesn’t appear in the TrackOne admin console, they still won’t be able to access regardless of what’s configured here
- Leave the “Permit all users to access this relying party” option selected
- Ready to add trust
- Review settings as required
- Finish
- Leave the “Open the edit Claims rules dialog” option selected
- Start Wizard
2. Edit Claim Rules
- On the Issuance Transform Rules Tab, click the “Add Rule” button
- Choose Rule Type
- Leave “Send LDAP Attributes as Claims” selected
- Configure Claim Rule
- Enter a “Claim Rule Name”
Eg. Send SamAccountName as Name - Select the “Active Directory” attribute store from the dropdown.
Note if it isn’t in the drop down, cancel the wizard and restart it by selecting the Relying Part Trust you created, right clicking and choosing Edit Claim Rules - In the LDAP Attribute Column on the left, use the drop down menu to select “Sam-Account-Name”
- In the Outgoing Claim Type Column on the right, use the drop down menu to select “Name ID”
- Note that no other claims are required – TrackOne will use attribute supplied as Name to match with the “Username” field in their database and all other items are returned from the TrackOne database.
- Note that your “samAccountName” (your Windows Username) will need to match the username field within TrackOne’s user list. If TrackOne uses a different format for Username you might be able to:
- use a different Attribute on the left hand side that matches from AD (eg. User-Principal-Name for username@domain.qld.edu.au format in TrackOne)
- Update the usernames in Track One
- Create a more customized claim rule to modify the data being passed to TrackOne (Out of Scope of this document)
- Click Ok/Apply to exit the wizard and save the changes
- Enter a “Claim Rule Name”
3. Add Endpoint
- Access the properties page for the Relying party trust that has been created and choose the EndPoints tab
- Click the “Add SAML” button
- EndPoint Type
- Select “SAML Assertion Consumer”
- Binding
- Select “POST”
- Tick the box to enable “Set the trusted URL as default”
- Trusted URL
- Use the URL you access to Track One but add “/AuthServices/ACS” to the end of it
Eg. https://analytics.school.qld.edu.au/AuthServices/Acs or https://tass.school.qld.edu.au/TrackOne/AuthServices/Acs
- Use the URL you access to Track One but add “/AuthServices/ACS” to the end of it
4. Configure TrackOne
- In the admin User Management section of TrackOne, ensure you have a “Administrator” role account and that you know the local TrackOne password for. Reset it if you’re not sure.
- Go to Configuration > System > Login Tab
- Change the “Authentication Type” to “Single Sign On – SAML2”
- WS Fed Metadata field
- If you don’t know your ADFS Domain, visit another app and copy it from the browser
- Change the field to https://<adfsdomain>/FederationMetadata/2007-06/FederationMetadata.xml
Eg. https://adfs.school.qld.edu.au/FederationMetadata/2007-06/FederationMetadata.xml
- Client ID Field
- Enter the same URL you use to access Track One (also the same as what was entered in the “Configure Identifiers” step previous)
- Identity Provider Field
- Enter http://<adfsdomain>/adfs/services/trust
Eg. http://adfs.school.qld.edu.au/adfs/services/trust - Note the lack of “s” on http://
- Enter http://<adfsdomain>/adfs/services/trust
- Origin Field
- Enter the same as the Client ID Field
- Save Configuration
5. Restart
- Restart your TrackOne hosting server
- Note that you can also just restart IIS or recycle the TrackOne application pool if preferred and you know how
6. Test Sign In
Note that if you need to revert settings, login using https://<trackoneurl>/Login.aspx?attemptSSO=false and the account you ensured you had earlier.
If Errors are encountered on the ADFS pages, the application log on the ADFS server can be checked for more details and will potentially point to right direction of an area that has been missed or has typo.