Set up SSO for Showpad with AD FS

Showpad offers a SAML-based Single Sign-On (SSO) service that allows users to access Showpad using their organization's credentials. This simplifies users' lives by requiring fewer usernames and passwords, as there is only one account to remember.

This article describes how you can set up SSO for Showpad using AD FS (Active Directory Federation Services) as the Identity Provider (IDP).

Key features

• Users can access Showpad with their AD FS account
• Auto-provision & assign users to the right groups in Showpad
• Reduce security threats to sensitive data loss
• Centralized user, password, and authorization management

You need this to succeed

The quick way

1. Enable SSO in Showpad.
2. Configure SSO with your AD FS server settings.
3. Download the Showpad Metadata XML file.
4. Add a Relying Party Trust on your AD FS server.
5. Use the XML file downloaded from Showpad to import data about the relying party.
6. Add an issuance Transform Rule with the name: UPN to Name ID.
7. Send LDAP Attributes as Claims.

Do this step by step

Note: We do our best to stay up to date with the platforms Showpad can connect with, however, we are not notified of any changes to their procedures. We recommend verifying information directly with the platform to ensure its accuracy.

1. In the AD FS Management tool, retrieve the AD FS metadata in either URL or XML form.
2. In your Showpad organization, click the gear icon to open the settings and navigate to the Sign On in the left menu.
3. Click Add Configuration, enter a name (e.g., AD FS SSO), and select the SAML 2.0 protocol in the dropdown menu. Click Next.
4. Paste the contents of the downloaded metadata XML in the Metadata XML field and choose SHA-256 as the Hash Algorithm. If preferred, you can enable auto-provisioning by ticking the corresponding checkbox. Click Save.
5. On the Sign-On overview page, click the info icon of your newly added configuration, and then click Download under the Showpad Metadata section.
   

   Note: The Group Assignment Field should be the name of the AD FS claim. This claim's value can contain a comma-separated list.

6. In AD FS, open the Server Manager, click Tools, and then select AD FS Management.
7. In the Actions menu, click Add Relying Party Trust.
8. On the Welcome page, select Claims aware and click Start.
9. The Data Source page provides three different ways to obtain data. Select Import data about the relying party from a file and upload the XML file you downloaded from Showpad, then click Next.
10. Enter Showpad for the Display name, provide a description in Notes, and click Next.
11. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, then click Next.
12. The Ready To Add Trust allows you to review your settings. Click Next.
13. On the Finish page, click Close.
14. This automatically displays the Edit Claim Rules dialog that allows you to configure the mappings between LDAP Attributes in AD FS and the SAML claims that will be sent to Showpad during login. Enter the following information:
    

    LDAP Attribute	Outgoing Claim Type	Notes
    User-Principal-Name	Name ID	Users in Showpad are identified by their email (their username). This reflects a best practice in most LDAP systems where the UPN is set to the same value as the email of the user. If the value of your UPN attribute is not set to an email, you will have to use another LDAP attribute that contains a unique email for the user to map onto the Name ID claim. This claim is always required.
    Given-Name	firstname	This claim is required for Auto-Provisioning.
    Surname	lastname	This claim is required for Auto-Provisioning.
    E-Mail-Addresses	email	This claim is required for Auto-Provisioning.
    Role	tablet or admin	If an unrecognized value is presented to Showpad, the default value of tablet will be used. This constitutes a normal user.
    Group	usergroups	This claim is optional. It is used to automatically provision users into Showpad groups (see this article for more information). Showpad expects the value of this claim to be a comma-separated list of group names. During sign-on, Showpad will assign the user to the given list of groups. If the group does not exist, Showpad will create it. Note that the name of the LDAP attribute will be specific to your AD FS setup.