Single Sign-On: ADFS

Moesif provides a single sign-on integration with Microsoft’s Active Directory Federation Services (ADFS).

In order to set up SSO with ADFS:

  • You must be an ADFS administrator
  • You must be on a Moesif enterprise plan with SSO enabled

Benefits of SSO

  • Improve security and regulatory compliance
  • Reduce IT costs through auto-provision and de-provisioning
  • Enforce policies like Multi-Factor Authentication (MFA), password reset, etc.
  • Improve usability for employees

How SSO works

Moesif supports both identity-provider (IdP) initiated and service-provider (SP) initiated single sign-on. When IdP initiated, a user logs in through your IdP’s app directory. When SP initiated, a user logs in by entering their employee email on Moesif’s website; because their email domain has SSO enabled, they are redirected to your organization’s single sign-on page. Once enabled, team management and role-based access control (RBAC) are handled by your identity provider rather than within the Moesif application.

Home Realm Discovery

Moesif’s SSO implementation supports Home Realm Discovery. This means SSO is enforced for your entire company domain even if a new employee has not yet been added to your Moesif organization. This ensures employees cannot bypass SSO, for example by entering a username/password. It also reduces your IT burden: employees never have to decide what type of login to use, because the redirect is automatic as soon as they enter their email.

Policies

Once SSO is enabled:

  • Team members cannot log in with a username/password or social login (like GitHub).
  • Password reset is disabled.
  • Users can only be provisioned or de-provisioned by the IdP. You cannot modify team members within Moesif.
  • Role-based access control (RBAC) is synced from your identity provider and cannot be changed within Moesif.

Enterprise Single Sign-On is available only on enterprise plans

How to setup ADFS with Moesif

1. Adding relying party trust

Run the following two commands in the Windows PowerShell window.

(new-object Net.WebClient -property @{Encoding = [Text.Encoding]::UTF8}).DownloadString("https://raw.github.com/auth0/adfs-auth0/master/adfs.ps1") | iex
AddRelyingParty "urn:auth0:moesif" "https://auth.moesif.com/login/callback"

This script uses the ADFS PowerShell SnapIn to configure a Relying Party that will issue, for the authenticated user, the following claims: email, upn, given name, and surname.

2. Configuring custom roles

You can map Moesif’s custom role attributes to ADFS using a Claim Issuance Policy. After your policy is set up, you can assign members to custom role groups using the Member Of tab within the ADFS user properties window.

Select Relying Party Trust

  1. Review Microsoft’s guide Create a Rule to Send Claims Using a Custom Rule.
  2. Within the AD FS console, select Relying Party Trusts from the left tree. On the right side, find the Moesif Trust just created.
  3. Right-click it and click Edit Claim Issuance Policy in the dropdown.
  4. Click Add Rule.
  5. Set Claim rule template to Send Claims using a custom rule.
  6. Click Next, give it a name like “Map groups to Moesif roles”, and enter the custom rule. The rule below is a template: http://temp/variable stands for the incoming claim type that carries the role value, which is passed through unchanged as the Moesif role claim.
     c:[Type == "http://temp/variable"]
      => issue(Type = "https://www.moesif.com/saml/role", Value = c.Value)
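
As an added example (not Moesif’s or Microsoft’s own script) for the mapping above: the following PowerShell replaces the placeholder rule with one explicit rule per AD group and applies the rules to the trust from step 1 using the ADFS module, so that a user only ever receives a role value that is listed in the map. The AD group names and the Moesif role values are assumptions; use the role names your account manager confirms.

```powershell
# Added example, not Moesif's or Microsoft's script: appends group-to-role claim rules
# to the relying party trust created in step 1 and verifies they were stored.
# ASSUMPTIONS: the AD group names and Moesif role values in $roleMap are made up;
# substitute the role names your Moesif account manager provides.
Import-Module ADFS

$rpIdentifier = "urn:auth0:moesif"                   # identifier passed to AddRelyingParty in step 1
$roleClaim    = "https://www.moesif.com/saml/role"   # claim type Moesif reads for RBAC

# Rule 1: look up the user's tokenGroups in AD and add them to the pipeline with add()
# rather than issue(), so the full group list is never sent to the relying party.
$groupLookupRule = @'
@RuleName = "Lookup AD groups for Moesif role mapping"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Rules 2..n: one explicit rule per group. Matching on Value == "<group>" means only the
# role values listed here can be issued; nothing from the directory passes through unmapped.
$roleMap = [ordered]@{
    "Moesif-Admins"  = "admin"    # assumed AD group -> assumed Moesif role value
    "Moesif-Viewers" = "viewer"   # assumed AD group -> assumed Moesif role value
}
$mappingRules = foreach ($entry in $roleMap.GetEnumerator()) {
@"
@RuleName = "Map $($entry.Key) to Moesif role $($entry.Value)"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "$($entry.Key)"]
 => issue(Type = "$roleClaim", Value = "$($entry.Value)");
"@
}

# Append to the existing rule set so the email/upn/given name/surname rules from step 1 stay intact.
$rp = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rp) { throw "Relying party trust '$rpIdentifier' not found; run step 1 first." }
$newRules = ($rp.IssuanceTransformRules, $groupLookupRule, ($mappingRules -join "`n")) -join "`n"
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -IssuanceTransformRules $newRules

# Verify: exactly one issuance rule per mapped group references the Moesif role claim.
$applied = (Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier).IssuanceTransformRules
$found = ([regex]::Matches($applied, [regex]::Escape($roleClaim))).Count
if ($found -ne $roleMap.Count) {
    throw "Expected $($roleMap.Count) Moesif role rules, found $found"
}
Write-Host "Applied $found Moesif role mapping rule(s) to $rpIdentifier"
```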

3. Provide Moesif your Federated metadata

Your metadata for an ADFS federation is typically located at https://<yourservername>/federationmetadata/2007-06/federationmetadata.xml. You will need to share your federated metadata URL with your account manager or Moesif support. Moesif automatically polls the URL once a day to look for changes, such as a new signing certificate added in preparation for a rollover.

Once enabled

Any employee logging in with your company’s domain will automatically be redirected to the single sign-on page, where they can click log in. All team management and role-based access control actions are done through your identity provider. Moesif automatically syncs user accounts.

Disabling SSO

An organization can disable SSO at any time by contacting their technical account manager. Once disabled, existing team members who already had an account prior to SSO can log in with their password. New users who were provisioned through SSO can reset their password to log in.
