Objectives :
To help a customer configure ADFS for SSO sign-in on Flow
Pre-requisites :
- Customer must be on a Pro plan, which supports SSO
- Customer must have access to their ADFS Server instance
Setup In ADFS :
Setup Relying Party Trust :
- Log into your ADFS instance and launch ADFS Management (Start -> Administrative Tools -> ADFS Management)
- Select Trust Relationships -> Relying Party Trusts
- Click on Add Relying Party Trust from the actions sidebar and start the wizard
- On the Select Data Source screen, click Enter data about the relying party manually
- Provide this information for each screen
- On Specify Display Name screen, enter a display name (Flow SSO), select ADFS Profile, and click Next
- Skip Configure Certificate screen and click Next
- On the Configure URL screen, select the checkbox labelled Enable support for the SAML 2.0 WebSSO protocol and enter this URL
  - https://api.getflow.com/auth/saml/callback?organization_id=<organization_id>
- On the Configure Identifiers screen, enter the Relying Party Trust Identifier
  - https://api.getflow.com
  - Note : Copy the URL EXACTLY as given, with no trailing slash
- Skip Configure Multi-factor Authentication (unless you want to configure this)
- Skip Choose Issuance Authorization Rules
- On Ready To Add Trust screen, review your settings and click Next
- On the final screen, make sure Open the Edit Claim Rules dialog checkbox is selected and click Finish
Creating Claim Rules :
After you create the relying party trust, you can create the claim rules and make minor changes that are not set by the wizard
- If the Edit Claim Rules editor opened automatically, click Add Rule; otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claim Rules, and then click Add Rule
- In the Claim rule template list, select the Send LDAP Attributes as Claims template, and click Next
- Create the following rule
  - Enter a descriptive rule name
  - Attribute Store -> Active Directory
  - LDAP Attribute -> E-Mail Addresses
  - Outgoing Claim Type -> E-Mail Address
  - Click OK
- Create another rule by clicking Add Rule; this time select Transform an Incoming Claim as the template
  - Enter a descriptive rule name
  - Incoming Claim Type -> UPN
  - Outgoing Claim Type -> Name ID
  - Outgoing Name ID Format -> Email
  - Pass through all claim values (leave as default)
- Click OK to create the rule, then OK again to finish creating rules
Adjust Settings :
- In Relying Party Trusts list, double-click the relying party object that you created (or select Actions -> Properties while you have the Relying Party Trust selected)
- On the Endpoints tab, click Add SAML
  - Endpoint Type -> SAML Assertion Consumer
  - Binding -> POST
  - Trusted URL -> https://api.getflow.com/auth/saml/callback
- Click OK twice
Setup In Flow :
- Log into your Flow account https://app.getflow.com
- Click on Application Menu -> Administration -> Organization Settings
- Click on the SSO tab at the top, and enter the following
  - Authentication URL : your ADFS SAML 2.0 endpoint URL; the default location is https://<yourdomain>.com/adfs/ls/
  - Certificate : paste the entire X.509 certificate located at ADFS -> Service -> Certificates -> Token-Signing
- Click on Save Settings
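The same relying party trust, claim rules, endpoint and token-signing certificate export, scripted with the ADFS PowerShell module. This is an added example and is not part of the original help article; it assumes you run it on the ADFS server as an ADFS administrator, and `<organization_id>` and the output file path are placeholders.

```powershell
# Added example (not from the Flow article): the GUI steps above as ADFS PowerShell.
Import-Module ADFS

$orgId  = '<organization_id>'   # placeholder: the organization id Flow gives you
$acsUrl = "https://api.getflow.com/auth/saml/callback?organization_id=$orgId"

# Endpoints tab -> Add SAML: SAML Assertion Consumer endpoint, POST binding
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Rule 1 (Send LDAP Attributes as Claims): AD "mail" -> E-Mail Address claim
# Rule 2 (Transform an Incoming Claim): UPN -> Name ID, outgoing format Email
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Flow: email address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Flow: UPN to Name ID (email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Equivalent of the wizard's default "Permit all users" issuance authorization rule
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'Flow SSO' `
    -Identifier 'https://api.getflow.com' `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check the result: the identifier must be exactly https://api.getflow.com (no trailing slash)
Get-AdfsRelyingPartyTrust -Name 'Flow SSO' | Select-Object Name, Identifier, SamlEndpoints

# Export the primary token-signing certificate as PEM for the Certificate field in Flow
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" + [Convert]::ToBase64String($der, 'InsertLineBreaks') + "`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\Desktop\adfs-token-signing.cer" -Value $pem   # placeholder path
```

ADFS rolls its token-signing certificate automatically when AutoCertificateRollover is on, so the certificate pasted into Flow must be replaced after each rollover or sign-ins will fail with signature errors.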
Raise A Support Ticket :
- After you have completed the steps above, raise a support ticket and let us know that you want SSO enabled on your account
- You can raise a support ticket by sending an email to help@getflow.com
- You can also raise a support ticket via Flow, by clicking on Application Menu -> Need Help? We’re here