[How-to] Set up SSO for EZO and Microsoft ADFS – SAML 2.0

EZO supports Single Sign-On (SSO) logins through SAML 2.0 (ADFS server) in Premium plans and above.

This article explains how to configure the SSO integration of a self-hosted Active Directory Federation Services (ADFS) server and EZO.

A SAML 2.0 identity provider (IDP) can take many forms, one of which is a self-hosted Active Directory Federation Services (AD FS) server. AD FS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.

Contents
1. AD FS 2.0 benefits
2. Prerequisites
3. Configuration Installation Guide
4. Troubleshooting errors

AD FS 2.0 benefits

• Enables organizations to collaborate securely across Active Directory domains by using identity federation.
• Reduces the need for duplicate accounts and other credential management overhead by enabling federated SSO across organizations, platforms, and applications.
• Provides for identity delegation so that authorized applications can impersonate their users when they access infrastructure services, even when the original users do not have local accounts.
• Enables step-up authentication so that websites can easily request smart-card authentication for particular operations.

AD FS being standards-based service allows the secure sharing of identity information between trusted business partners or federated partners across an extranet. In simple words, AD FS is an easy way out of remembering credentials and following multiple times same authentication steps to sign-on in the same cloud solution.

Prerequisites

• Administrator level access to EZO.
• An Active Directory instance where all of your users under your account in EZO have an account, with exactly the same email address. We don’t create user accounts under SSO.
• A server running Microsoft Server 2012 or 2008.
• An SSL certificate to sign your ADFS login page and the fingerprint for that certificate.
• Before you begin, sign in to your EZO account twice – once in a regular browser window and once in a window with incognito mode. This is to ensure that you are still signed in to your account just in case you get locked out of your account in the other window.

Configuration Installation Guide

Click the image below to view our installation guide about how to configure EZO and Microsoft AD FS 2.0 for SSO.

Troubleshooting

Users cannot log in

In order for ADFS to pass a login through for authentication, a user’s email address must be present in the “E-mail” field of the General tab in their AD profile.

For more troubleshooting queries, please contact support@ezo.io.

Resources

• AD FS 2.0 Terminology
• Enable SSO using SAML in EZO

Have queries or feedback for us?

If you have any comments or questions regarding SSO integrations, drop us an email at support@ezo.io.