Make the Xakia sign-in process easy for users by linking to your federated identity service with AD FS.
Xakia supports SSO via your organization's Active Directory Federation Services (AD FS) instance. Any version of AD FS that supports the OpenID Connect protocol is supported – that is, AD FS 2016 and AD FS 2019.
If your AD FS deployment is older than 2016 and only supports SAML, we recommend upgrading to a later version of AD FS that supports OpenID Connect. Xakia currently does not support SAML.
Setting up federation between your Xakia and AD FS instances requires the steps below. You will need a Xakia administrator and an AD FS administrator in your organization to complete the setup.
In this article:
- Setting up in Xakia
- Setting up in AD FS
- Provisioning users
- Changes in user details
- Deactivating users
Setting up in Xakia
- Click on 'Admin' in the top navigation menu
- Select 'Security' on the left hand side menu
- Select the 'Federated Identity' tab
- In the 'Identity Provider' field, select 'AD FS'
- Fill in the value of the AD FS URI field (e.g., https://your-org.com/adfs). Your IT administrator will be able to advise the AD FS URI for your organization
- Ensure the 'Enable User Provisioning from Xakia' checkbox is checked
- Click 'Save'
- After saving, the Redirect URI field will populate with a value. Copy this as it will be used below
- Leave the Client Id field blank for now, it will be filled in later
Setting up in AD FS
The steps below need to be completed in AD FS. Your IT administrator will be able to complete these steps. Upon completion of these steps, your IT administrator will need to advise the Client Id to be entered into Xakia.
In AD FS:
- Open the AD FS management tool
- Select 'Application Groups' on the left pane and click 'Add Application Group' on the right pane
- Enter 'Xakia' as the name
- Select 'Web browser accessing a web application' and click 'Next'
- Paste the redirect URI value from Xakia above into the Redirect URI field, and click 'Add'
- Copy the auto-generated Client Identifier - this will need to be provided in Xakia
- Click 'Next'
- Configure the access control policy as desired. The policy you use will depend on your organization's requirements. For example, for organizations that use the Internal Client Portal, you may consider permitting all users to sign in.
Note: Allowing users to sign in does not affect your billing in Xakia. You are only billed for users that are explicitly provisioned in Xakia, as outlined below.
- Click 'Next', 'Next' and 'Close'
- Right-click your newly created Application Group and select 'Properties'
- Select 'Xakia - Web Application' and click 'Edit'
- Select the 'Issuance Transform Rules' tab
- Add a Rule
- Select 'Send LDAP Attributes as Claims' and click 'Next'
- Enter a name under 'Claim rule name' e.g., 'Xakia'
- Select Active Directory as your Attribute Store
- Add the following LDAP Attributes with the following Outgoing Claim Types. Ensure the Outgoing Claim Type is selected from the drop-down list
- LDAP Attribute: Given-Name; Outgoing Claim Type: Given Name
- LDAP Attribute: Surname; Outgoing Claim Type: Surname
Note: Xakia requires users' email addresses to be used as the UPN. If users' email addresses are always the same as their UPN, then no further action is required. However, if users' email addresses differ from the UPN in your AD FS configuration, you will need to add a third claims mapping as follows:
- LDAP Attribute: E-Mail Addresses; Outgoing Claim Type: UPN
Note: This step is required even if you have Alternative Login ID configured.
- Finish and close
- Back in Xakia, on the 'Federated Identity' tab, enter the Client Identifier from AD FS in the Client Id field and click 'Save'
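For reference, this is the claim rule that the 'Send LDAP Attributes as Claims' wizard produces for the mappings above, in AD FS claim rule language; it is an added example, not taken from the Xakia article. The rule name 'Xakia' follows the name suggested above, and the 'mail' to UPN mapping is the third, optional mapping for organizations whose email addresses differ from the UPN (drop 'mail' from the query and the upn claim type from the list if your email addresses already equal the UPN).

```text
@RuleTemplate = "LdapClaims"
@RuleName = "Xakia"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";givenName,sn,mail;{0}", param = c.Value);
```

If the rule you see in the 'Issuance Transform Rules' tab (via 'View Rule Language') lists different claim type URIs, the Outgoing Claim Type was typed rather than picked from the drop-down, and Xakia will not receive the claims it expects.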
Provisioning users
Users that will sign in with AD FS must be provisioned manually in Xakia.
- In the 'Users' tab on the 'Security' menu, use the 'Add User' button to add a user to Xakia
- In the form that appears, use the Identity Provider drop-down box to select the AD FS instance that has been configured for your location
- The newly added user can then be invited to join Xakia via email and must complete their registration
- Once they have completed their registration they will be able to sign in with AD FS.
Existing users with Xakia identities can be switched over to use AD FS for authentication in the same way.
- In the 'Users' tab on the 'Security' menu, click the 'Edit' button for a user
- Use the Identity Provider drop-down box to select the AD FS instance that has been configured for your location
- Click 'Save'
- The next time this user attempts to sign in to Xakia, they will be redirected to AD FS to authenticate
Changes in user details
If an existing user's first name, last name, or email address changes in AD, note that this change is not immediately propagated to Xakia. This information is only updated in Xakia when the user signs in to Xakia again. In the meantime, Xakia will continue to use the user's old details.
Therefore, when a user's email address changes, they need to use their old email address to sign in to Xakia once. When this is done, their email address in Xakia will be updated to the new value, and from that point on, they can use their new email address to sign in to Xakia.
Consider the following example:
- A user exists in AD FS and in Xakia with the email 'firstname.lastname@example.org'
- In AD FS, the user's email changes to 'email@example.com'. Xakia still records the email as 'firstname.lastname@example.org' at this point in time
- When the user goes to sign in to Xakia, if they use 'email@example.com', Xakia will not recognize their account and they will not be able to sign in
- The user must use 'firstname.lastname@example.org' in Xakia to sign in first
- When they successfully sign in once, their details including their email address will be updated in Xakia. At this point, Xakia now records the user's email as 'email@example.com'
- From here on, the user can sign in to Xakia using their new email address: 'email@example.com'
Deactivating users
To deactivate users that are set up with AD FS, you can follow the steps in this article.