SAML 2.0 Single Sign On Using Active Directory Federation Services (AD FS)
Your Protected Trust Encrypted Email organization can be configured so that users sign in through a SAML 2.0-compatible identity provider, such as Active Directory Federation Services (AD FS), instead of having a separate Protected Trust password. This guide was written for AD FS 2.1; newer versions of AD FS and other SAML 2.0 identity providers are configured similarly.
To enable this functionality, an administrator for your organization must follow the steps below. For assistance, please contact the Protected Trust support team.
Step 1) Configure an Identity Provider in Protected Trust
- Sign in at https://app.protectedtrust.com/dashboard as an administrator
- From the Dashboard click Claimed Domains
- Ensure that all of your domains are listed. If any are missing, contact our support team to have them added
- From the Dashboard click Identity Providers > Configure New Identity Provider > Configure SSO with SAML 2.0
- Enter the SAML federation metadata URL (e.g. https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml). This document publishes the AD FS signing certificate and endpoints that the service provider needs, so it must be reachable from the Internet
- In the field Smart URL, enter something unique to your company (such as your company name without spaces or punctuation)
- Set Status to Enabled (Not Primary). Leave it non-primary until the test sign-in in Step 3 succeeds
- Click Save
Step 2) Configure Relying Party in AD FS
- Open the AD FS console
- Click Relying Party Trusts (on the left)
- Click Add Relying Party Trust… (on the right)
- Click Start on the welcome dialog
- Select Enter data about the relying party manually and click Next
- Enter a Display Name, such as “Protected Trust”, and click Next
- Select AD FS profile and click Next
- Do not select a token encryption certificate, just click Next. The assertion is still signed by AD FS and is carried to Protected Trust over HTTPS; it is simply not encrypted as well
- Check Enable support for the SAML 2.0 WebSSO Profile
- Go back to the SSO settings in Protected Trust, and copy the value from Assertion Consumer Service Endpoint URL to the clipboard
- Go to the AD FS console and paste this value into Relying party SAML 2.0 SSO service URL and click Next
- Go back to the SSO settings in Protected Trust, and copy the value from Service Provider ID to the clipboard
- Go back to the AD FS console and paste this value into Relying party trust identifier, click Add, then Next. AD FS puts this identifier in the assertion's Audience, so it must match the Service Provider ID exactly
- Select Permit all users to access this relying party and click Next. Any Active Directory account can then obtain a token for Protected Trust; if that is too broad, tighten it later under Edit Claim Rules > Issuance Authorization Rules once sign-in is confirmed working
- On the Ready to Add Trust page, click Next
- Ensure the Open the Edit Claim rules dialog checkbox is marked and click Close
- Once the Edit Claim Rules dialog appears, click Add Rule on the Issuance Transform Rules tab
- Select Send LDAP Attributes as Claims and click Next
- Enter a Claim rule name such as “Name and Email Address”
- Select Active Directory as the Attribute store
- Add the following entries under Mapping of LDAP attributes:
  a. E-Mail-Addresses → E-mail Address
  b. Given-Name → FirstName (type manually)
  c. Surname → LastName (type manually)
- Click Finish
- Click OK on the Edit Claim Rules dialog
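The same relying party trust can be created from PowerShell on the AD FS server, which is easier to review and to repeat across a farm than the wizard. The script below is an added example and is not from the Protected Trust guide or from Microsoft; it assumes AD FS 2.1 or newer (the ADFS module that ships with the AD FS role on Windows Server 2012 and later), and the two URL values are placeholders that must be replaced with the Assertion Consumer Service Endpoint URL and Service Provider ID shown in your Protected Trust SSO settings. The claim rule text is what the Send LDAP Attributes as Claims template writes for the three mappings above.

```powershell
# Added example, not from the Protected Trust guide or from Microsoft: the
# relying party trust of Step 2 created with the AD FS PowerShell cmdlets
# instead of the wizard. Run in an elevated PowerShell session on the AD FS
# server (the ADFS module ships with the AD FS role on Windows Server 2012+).
Import-Module ADFS -ErrorAction Stop

# Placeholders: copy the real values from the Protected Trust SSO settings
# page (Assertion Consumer Service Endpoint URL and Service Provider ID).
$acsUrl = 'https://app.protectedtrust.com/sso/acs/EXAMPLE'   # placeholder
$spId   = 'https://app.protectedtrust.com/sso/EXAMPLE'       # placeholder
$rpName = 'Protected Trust'

# Issuance transform rule in the AD FS claims rule language. This is what the
# "Send LDAP Attributes as Claims" template writes for the three mappings in
# Step 2: mail -> E-mail Address (standard claim type), givenName -> FirstName
# and sn -> LastName (the two outgoing types that are typed manually).
# The order of the types list and of the attributes in the query must match.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Name and Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Issuance authorization rule equivalent to "Permit all users to access this
# relying party". Any AD account can then obtain a token for Protected Trust;
# replace this with a group-based rule once sign-in is confirmed working.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO profile: AD FS POSTs the signed assertion to the SP's
# Assertion Consumer Service. No encryption certificate is set, matching Step 2.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $spId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Verify what was created: identifier, the POST endpoint and the two rule sets.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, Enabled,
        @{ n = 'AcsUrl'; e = { ($_.SamlEndpoints | ForEach-Object Location) -join ', ' } },
        IssuanceTransformRules, IssuanceAuthorizationRules
```

The final Get-AdfsRelyingPartyTrust call is the check worth keeping: the Identifier it prints must be byte-for-byte the Service Provider ID, and AcsUrl must be the Assertion Consumer Service Endpoint URL, because AD FS copies them into the assertion's Audience and Recipient fields and the service provider rejects assertions where either differs.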
Step 3) Test Sign In
- Open a different browser or a private browsing session and navigate to your Smart URL (e.g. https://app.protectedtrust.com/sso/YOUR-SMART-URL)
- Follow the steps to sign in. If the sign-in succeeds, continue to Step 4) Enable for the Entire Organization when you’re ready
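If the test sign-in is rejected, the quickest diagnosis is to look at what AD FS actually sent: in the browser's developer tools, capture the POST to the Assertion Consumer Service and copy the SAMLResponse form value. The script below is an added example, not part of the Protected Trust guide; it decodes that value and checks the fields that must agree with Steps 1 and 2 (status, Audience against the Service Provider ID, Recipient against the ACS URL, expiry, and the three claims the LDAP rule issues). The URLs are placeholders, the sample response at the bottom is constructed and unsigned so the script runs offline, and signature and replay checks are deliberately left to the service provider.

```powershell
# Added example, not part of the Protected Trust guide: decode the SAMLResponse
# form field that AD FS POSTs to the Assertion Consumer Service (copy it from
# the browser's developer tools during the Step 3 test) and check the fields
# that must agree with Steps 1 and 2. Signature and replay checks belong to the
# service provider; this script only explains why a test sign-in was rejected.
function Test-SamlResponse {
    param(
        [Parameter(Mandatory)] [string] $SamlResponseBase64,
        [Parameter(Mandatory)] [string] $ExpectedAudience,  # Service Provider ID = relying party trust identifier
        [Parameter(Mandatory)] [string] $ExpectedAcsUrl     # Assertion Consumer Service Endpoint URL
    )
    [xml] $doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))

    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $status       = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode/@Value', $ns).Value
    $issuer       = $doc.SelectSingleNode('/samlp:Response/saml:Assertion/saml:Issuer', $ns).InnerText
    $audience     = $doc.SelectSingleNode('//saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns).InnerText
    $recipient    = $doc.SelectSingleNode('//saml:SubjectConfirmationData/@Recipient', $ns).Value
    $notOnOrAfter = [datetimeoffset] $doc.SelectSingleNode('//saml:Conditions/@NotOnOrAfter', $ns).Value

    # Attributes issued by the "Name and Email Address" rule, keyed by claim type.
    $claims = @{}
    foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $claims[$attr.GetAttribute('Name')] =
            @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object InnerText)
    }

    $problems = @()
    if ($status -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') {
        $problems += "AD FS returned status $status"
    }
    if ($audience -ne $ExpectedAudience) {
        $problems += "Audience '$audience' is not the Service Provider ID; check the relying party trust identifier"
    }
    if ($recipient -ne $ExpectedAcsUrl) {
        $problems += "Recipient '$recipient' is not the Assertion Consumer Service URL; check the SAML 2.0 SSO service URL"
    }
    if ($notOnOrAfter -le [datetimeoffset]::UtcNow) {
        $problems += "Assertion expired at $notOnOrAfter; check clock skew between AD FS and the SP"
    }
    foreach ($type in 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', 'FirstName', 'LastName') {
        if (-not $claims.ContainsKey($type)) {
            $problems += "Claim '$type' missing; check the LDAP claim rule and that the AD user has the attribute populated"
        }
    }

    [pscustomobject] @{
        Issuer    = $issuer
        Audience  = $audience
        Recipient = $recipient
        Expires   = $notOnOrAfter
        Claims    = $claims
        Problems  = $problems
    }
}

# Constructed sample: an unsigned response shaped like what AD FS issues for the
# trust in Step 2, using placeholder values. Replace $encoded with the real
# SAMLResponse form value to check an actual sign-in.
$spId    = 'https://app.protectedtrust.com/sso/EXAMPLE'       # placeholder Service Provider ID
$acsUrl  = 'https://app.protectedtrust.com/sso/acs/EXAMPLE'   # placeholder ACS URL
$issued  = [datetime]::UtcNow.ToString('o')
$expires = [datetime]::UtcNow.AddMinutes(5).ToString('o')
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="$issued" Destination="$acsUrl">
  <saml:Issuer>http://sts.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="$issued">
    <saml:Issuer>http://sts.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="$expires" Recipient="$acsUrl"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="$issued" NotOnOrAfter="$expires">
      <saml:AudienceRestriction><saml:Audience>$spId</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

$result = Test-SamlResponse -SamlResponseBase64 $encoded -ExpectedAudience $spId -ExpectedAcsUrl $acsUrl
$result | Format-List
if ($result.Problems.Count -eq 0) { 'Assertion matches the configured trust' } else { $result.Problems }
```

With a real capture, an empty Problems list means the trust identifier, endpoint and claim rule are consistent and any remaining failure is on the service provider side (for example a user whose e-mail domain is not among the Claimed Domains from Step 1). A missing FirstName or LastName claim almost always means the AD user has an empty givenName or sn attribute rather than a broken rule.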
Step 4) Enable for the Entire Organization
- Navigate back to the SSO settings page (Dashboard > Settings > Single Sign-On and User Sync > Edit)
- Change Status to Primary
- Click Save
Administrator Tips
How to Bypass SSO Authentication
As an administrator, you can still sign in with the Protected Trust password you used before SSO was enabled, in case single sign-on stops working:
- Enter your email address
- Click the password field and immediately press ESC on your keyboard to cancel the redirect to your identity provider
- You can now enter your password and sign in to troubleshoot the SSO issue
Because this fallback stays available after SSO is set to Primary, it is a sign-in path that your AD FS policies do not cover: keep that administrator password strong, unique, and known only to the people who need it.