MangoApps supports single sign-on (SSO) logins through SAML 2.0. A SAML 2.0 identity provider (IDP) can take many forms, one of which is a self-hosted Active Directory Federation Services (ADFS) server. ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials. The steps to configure ADFS in MangoApps are briefly explained here:
1. Log in to MangoApps, navigate to the admin portal, then click on Integration -> Single Sign-on -> SAML.
2. Click on the check box “Allow SAML based federated login for the domain?”, select ADFS from the list of providers, and enter the values stated below from your identity provider (ADFS in this case).
3. To use ADFS to log in to your MangoApps instance, you need the following components:
- A Microsoft ADFS instance with SAML 2.0 support where all users have an email address attribute.
- An X.509 certificate to sign your SAML requests and the fingerprint for that certificate.
After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article.
When ADFS is fully installed, note down the value for the ‘SAML 2.0/WS-Federation’ (SAML SSO) URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be your ADFS server URL followed by ‘/adfs/ls/’, e.g. fs.example.com/adfs/ls/
You also need to configure your MangoApps instance to authenticate using SAML. You’ll use your full ADFS server URL with the SAML endpoint as the SSO URL, and the logout endpoint you created as the remote logout (SAML SLO) URL. The fingerprint will be the fingerprint of the certificate installed in your ADFS instance.
Frequently Asked Questions
Q: What if you are using ADFS 2.0 with Windows Authentication?
A: We have a separate help article for that: “How do I Integrate ADFS 2.0 with Windows Authentication”.
Q: What is the federation metadata address (hostname or URL) for MangoApps?
A: We do not publish federation metadata. You need to create a Relying Party Trust in your ADFS server and then put the metadata of your ADFS server in MangoApps.
MangoApps will read that metadata and configure itself from it.
Q: What “Relying Party Identifier” is used for MangoApps?
A: It should be “https://<your domain name>.mangoapps.com/saml/consume”
Q: What is the SAML assertion consumer endpoint to be set?
A: It should be “https://<your domain name>.mangoapps.com/saml/consume” and binding should be “POST”
Q: What are the claim rules to be set?
A: You need to send the LDAP attribute “E-Mail Address” as the outgoing claim type “NameID” by transforming the incoming claim.
Please follow the screenshots here:
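
The Relying Party Trust settings from the FAQ answers above (identifier, POST assertion consumer endpoint, E-Mail Address to NameID claim rule) can also be scripted with the ADFS PowerShell cmdlets. This is an added example, not MangoApps' own script; the trust name, the permit-all authorization rule, the email NameID format and the use of the token-signing certificate thumbprint as the fingerprint are assumptions.

```powershell
# Run in an elevated PowerShell session on the primary ADFS server.
# Placeholder: replace with your own MangoApps domain name.
$MangoDomain = '<your domain name>'
if ($MangoDomain -match '[<> ]') { throw 'Set $MangoDomain to your MangoApps domain name first.' }

# The FAQ gives the same URL for the relying party identifier and the consumer endpoint.
$ConsumeUrl = "https://${MangoDomain}.mangoapps.com/saml/consume"

# Assertion consumer endpoint with POST binding.
$Acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $ConsumeUrl

# Rule 1 reads the user's mail attribute from Active Directory.
# Rule 2 transforms that incoming claim into the outgoing NameID claim.
# Assumption: the NameID format is set to emailAddress; the page only says "NameID".
$TransformRules = @'
@RuleName = "Get E-Mail Address from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);

@RuleName = "Transform E-Mail Address to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Assumption: every authenticated user may sign in to MangoApps.
# Narrow this rule (for example to a group claim) if only some users should get access.
$AuthRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 'MangoApps' is a display name chosen for this example.
Add-AdfsRelyingPartyTrust -Name 'MangoApps' -Identifier $ConsumeUrl -SamlEndpoint $Acs `
    -IssuanceTransformRules $TransformRules -IssuanceAuthorizationRules $AuthRules

# Review what was created before enabling SSO in MangoApps.
Get-AdfsRelyingPartyTrust -Name 'MangoApps' |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules

# Thumbprint (SHA-1) of the primary token-signing certificate.
# Assumption: this is the fingerprint value the MangoApps SAML page asks for.
Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } |
    ForEach-Object { $_.Certificate.Thumbprint }
```

If ADFS rolls over its token-signing certificate, the thumbprint changes and the fingerprint stored in MangoApps must be updated to match.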