Make the Xakia sign-in process easy for users by linking to your federated identity service with AD FS.
Xakia supports SSO via your organization's Active Directory Federation Services (AD FS) instance. Any version of AD FS that supports the OpenID Connect protocol is supported – that is, AD FS 2016 and AD FS 2019.
If your AD FS deployment is older than 2016 and only supports SAML, we recommend upgrading to a later version of AD FS that supports OpenID Connect. Xakia currently does not support SAML.
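Before entering an AD FS URI in Xakia, an AD FS administrator can confirm that the instance actually exposes OpenID Connect. This is an added example, not part of the Xakia article: AD FS 2016 and later publish an OIDC discovery document under the AD FS URI, so its presence (and sane contents) is a quick way to rule out a SAML-only deployment. The URI is a placeholder to replace with your own.

```powershell
# Added example (not from the Xakia article): check that an AD FS URI supports
# OpenID Connect before entering it in Xakia. AD FS 2016+ publishes its discovery
# document at <AD FS URI>/.well-known/openid-configuration.
# Placeholder value; replace with your organization's AD FS URI.
$adfsUri = 'https://your-org.com/adfs'

function Test-AdfsOpenIdConnect {
    param([Parameter(Mandatory)][string]$AdfsUri)

    $base = $AdfsUri.TrimEnd('/')
    $discoveryUrl = "$base/.well-known/openid-configuration"
    try {
        $config = Invoke-RestMethod -Uri $discoveryUrl -Method Get -ErrorAction Stop
    } catch {
        Write-Warning "No OIDC discovery document at $discoveryUrl. This AD FS may be older than 2016 (SAML only)."
        return $false
    }

    $ok = $true
    # These members must be present for an OIDC relying party to work at all.
    foreach ($key in 'issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
        if (-not $config.$key) {
            Write-Warning "Discovery document is missing '$key'."
            $ok = $false
        }
    }
    # The issuer AD FS advertises should be the AD FS URI you are about to enter in Xakia.
    if ($config.issuer -and $config.issuer.TrimEnd('/') -ne $base) {
        Write-Warning "Issuer '$($config.issuer)' does not match the AD FS URI '$base'."
        $ok = $false
    }
    # Tokens and signing keys travel through these endpoints, so they must be HTTPS.
    foreach ($ep in 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
        if ($config.$ep -and $config.$ep -notlike 'https://*') {
            Write-Warning "'$ep' is not served over HTTPS."
            $ok = $false
        }
    }
    return $ok
}

if (Test-AdfsOpenIdConnect -AdfsUri $adfsUri) {
    'AD FS URI supports OpenID Connect; it can be entered in Xakia.'
}
```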
Setting up federation between your Xakia and AD FS instances requires the steps below. You will need a Xakia administrator and an AD FS administrator in your organization to complete the setup.
Setting up in Xakia
Click on 'Admin' in the top navigation menu
Select 'Security' on the left hand side menu
Select the 'Federated Identity' tab
In the 'Identity Provider' field, select 'AD FS'
Fill in the AD FS URI field (e.g., https://your-org.com/adfs). Your IT administrator can advise the AD FS URI for your organization
Ensure the 'Enable User Provisioning from Xakia' checkbox is checked
After saving, the Redirect URI field will populate with a value. Copy this value; it is needed in the AD FS setup below
Leave the Client Id field blank for now; it will be filled in after the AD FS setup
Setting up in AD FS
The steps below need to be completed in AD FS. Your IT administrator will be able to complete these steps. Once they are done, your IT administrator will need to advise the Client Id to be entered into Xakia.
In AD FS:
Open the AD FS management tool
Select 'Application Groups' on the left pane and click 'Add Application Group' on the right pane
Enter 'Xakia' as the name
Select 'Web browser accessing a web application' and click 'Next'
Paste the redirect URI value from Xakia above into the Redirect URI field, and click 'Add'
Copy the auto-generated Client Identifier; this must be entered in Xakia later
Configure the access control policy as desired. The policy you use will depend on your organization's requirements. For example, for organizations that use the Internal Client Portal, you may consider permitting all users to sign in.
Click 'Next', 'Next' and 'Close'
Right-click your newly created Application Group and select 'Properties'
Select the Xakia - Web Application and click 'Edit'
Select the 'Issuance Transform Rules' tab
Add a Rule
Select 'Send LDAP Attributes as Claims' and click 'Next'
Enter a name under 'Claim rule name' e.g., 'Xakia'
Select Active Directory as your Attribute Store
Add the following LDAP Attributes with the corresponding Outgoing Claim Types. Ensure each Outgoing Claim Type is selected from the drop-down list rather than typed
LDAP Attribute: Given-Name; Outgoing Claim Type: Given Name
LDAP Attribute: Surname; Outgoing Claim Type: Surname
Finish and close
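The 'Send LDAP Attributes as Claims' wizard above generates a rule in AD FS claim rule language; the equivalent rule, applied and read back with PowerShell, is shown here as an added example (not code from the Xakia article or from AD FS documentation). It assumes the 'Xakia - Web Application' created by the 'Web browser accessing a web application' template is managed by the *-AdfsWebApiApplication cmdlets with the Client Identifier as its identifier, and $clientId is a placeholder.

```powershell
# Added example (not from the Xakia article): the issuance transform rule that the
# 'Send LDAP Attributes as Claims' wizard builds for the two mappings above, written
# in AD FS claim rule language and applied with PowerShell instead of the GUI.
# Assumption: the Xakia web application is a Web API application in AD FS terms and
# its identifier is the Client Identifier. Placeholder value below.
$clientId = '<client identifier copied from AD FS>'

# givenName -> 'Given Name' claim and sn -> 'Surname' claim, looked up in Active
# Directory using the authenticated user's windowsaccountname. This mirrors
# 'LDAP Attribute: Given-Name; Outgoing Claim Type: Given Name' and
# 'LDAP Attribute: Surname; Outgoing Claim Type: Surname' from the steps above.
$xakiaRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Xakia"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";givenName,sn;{0}", param = c.Value);
'@

# -IssuanceTransformRules replaces the application's whole rule set, so this leaves
# exactly one rule (the two attribute mappings) and nothing else.
Set-AdfsWebApiApplication -TargetIdentifier $clientId -IssuanceTransformRules $xakiaRule

# Read the rules back so the change can be verified and kept with the change record.
(Get-AdfsWebApiApplication -Identifier $clientId).IssuanceTransformRules
```

The same text appears under 'View Rule Language' in the wizard, which is a convenient way to confirm that the GUI-built rule matches this one.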
Back in Xakia, enter the Client Identifier from AD FS in the Client Id field and save
Users that will sign in with AD FS must be provisioned manually in Xakia.
In the 'Users' tab on the 'Security' menu, use the 'Add User' button to add a user to Xakia
In the form that appears, use the Identity Provider drop-down box to select the AD FS instance that has been configured for your location
The newly added user can then be invited to join Xakia via email and must complete their registration
Once they have completed their registration they will be able to sign in with AD FS.
Existing users with Xakia identities can be switched over to use AD FS for authentication in the same way.
In the 'Users' tab on the 'Security' menu, click the 'Edit' button for a user
Use the Identity Provider drop-down box to select the AD FS instance that has been configured for your location
The next time this user attempts to sign in to Xakia, they will be redirected to AD FS to authenticate
Changes in user details
If an existing user's first name, last name, or email address changes in AD, note that this change is not immediately propagated to Xakia. This information is only updated in Xakia when the user signs in to Xakia again. In the meantime, Xakia will continue to use the user's old details.
Therefore, when a user's email address changes, they need to use their old email address to sign in to Xakia once. When this is done, their email address in Xakia will be updated to the new value, and from that point on, they can use their new email address to sign in to Xakia.
Consider the following example:
A user exists in AD FS and in Xakia with the email 'email@example.com'
If the user's email address changes in AD to 'firstname.lastname@example.org' and they try to sign in to Xakia with that address, Xakia will not recognize their account and they will not be able to log in
The user must use 'email@example.com' in Xakia to sign in first
When they successfully sign in once, their details including their email address will be updated in Xakia. At this point, Xakia now records the user's email as 'firstname.lastname@example.org'
From here on, the user can sign in to Xakia using their new email address: 'firstname.lastname@example.org'
To deactivate users that are set up by AD FS, you can follow the steps in this article.