Using ADFS for SSO with Showpad

Showpad offers a SAML-based Single Sign-On (SSO) service that allows users to use their organization’s credentials to access Showpad. It eases your users' lives with fewer usernames and passwords, as there's only one account to remember. 

This article describes how you can set up SSO for Showpad using ADFS (Active Directory Federation Services) as the Identity Provider (IDP).

Key features

• Users can access Showpad with their Windows credentials
• Auto-provision & assign users to the right groups in Showpad
• Reduce security threats to sensitive data loss
• Centralized user, password, and authorization management

You need this to succeed

• Platform Enterprise on Showpad
• Available as an add-on on the Showpad Plus pricing plan
• Administrator access on both Showpad's Online Platform and your ADFS server
• Some ADFS knowledge can be useful
• Users available on your ADFS server

The quick way to awesomeness

1. Enable SSO in Showpad
2. Configure SSO with your ADFS server settings
3. Download the Showpad Metadata XML file
4. Add a Relying Party Trust on your AD FS server
5. Use the XML file downloaded from Showpad to import data about the relying party
6. Add an issuance Transform Rule with the name: UPN to Name ID
7. Send LDAP Attributes as Claims

Do this step by step

Showpad

1. Open Admin Settings, select Sign On and click Add Configuration.
2. Add a new SAML 2.0 configuration and give it a name.
3. Download the Showpad Metadata XML file that is generated after AD FS has been set up as IdP in the SSO setup of Showpad.

   Note: The Group Assignment Field should be the name of the ADFS claim. This claim's value can contain a comma-separated list.

ADFS

We do our best to stay up to date with the platforms Showpad can connect with, however, we're not informed when they change their procedures. To ensure accuracy, we recommend that you verify the following information directly with the platform:

• Add Relying Party Trust

  This establishes the trust between the Federation Service and Showpad.

  1. Open Server Manager, click Tools, and then select ADFS Management.
  2. In the Actions menu, click Add Relying Party Trust.
  3. On the Welcome page, select Claims aware and click the Start button.
  4. The Data Source page provides three different ways to obtain data, select Import data about the relying party from a file and use the XML file that you downloaded from Showpad, then click Next.
  5. Enter Showpad for the Display name, provide a description in Notes, and click Next.
  6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, then click Next.
  7. The Ready To Add Trust allows you to review your settings. Click Next.
  8. On the Finish page, click Close. This automatically displays the Edit Claim Rules dialog.
     
     
• Claim Rule

  The Edit Claim Rules dialog allows you to configure the mappings between LDAP Attributes in ADFS and the SAML claims that will be sent to Showpad during login.

  LDAP Attribute	Outgoing Claim Type	Notes
  User-Principal-Name	Name ID	Users in Showpad are identified by their email (their username). This reflects a best practice in most LDAP systems where the UPN is set to the same value as the email of the user. If the value of your UPN attribute is not set to an email, you will have to use another LDAP attribute that contains a unique email for the user to map onto the Name ID claim. This claim is always required.
  Given-Name	firstname	This claim is required for Auto-Provisioning.
  Surname	lastname	This claim is required for Auto-Provisioning.
  E-Mail-Addresses	email	This claim is required for Auto-Provisioning.

  There are two optional mappings that can also be configured:

  LDAP Attribute	Outgoing Claim Type	Notes
  Role	tablet or admin	If an unrecognized value is presented to Showpad, the default value of tablet will be used. This constitutes a normal user.
  Group	usergroups	This claim is used to automatically provision users into Showpad groups (see this article for more information). Showpad expects the value of this claim to be a comma-separated list of group names. During sign-on, Showpad will assign the user to the given list of groups. If the group does not exist, Showpad will create it. Note that the name of the LDAP attribute will be specific to your ADFS setup.