
How do I configure ADFS to work with Nanitor?

Introduction

Nanitor already supports SAML authentication, the Nanitor side of which is documented here. Using ADFS as the SAML identity provider follows the same pattern; this article covers only the ADFS-specific differences.

Setting up an ADFS server is out of scope for this document. Here we only show how to connect Nanitor and ADFS.

ADFS side of things

After adding Nanitor as a Relying Party Trust in ADFS by importing Nanitor's SAML metadata file, there are a few other things we need to do on the ADFS side of things.

Relying Party Trusts

In ADFS go to Relying Party Trusts, select the Nanitor trust and click Edit Claim Issuance Policy. There we need to create two Issuance Transform Rules.

emailnameid

This image shows the first issuance transform rule, which we create using the Transform an Incoming Claim template (the user's E-Mail Address claim becomes the outgoing Name ID).

fullname

This image shows the second issuance transform rule, which we create using the Send LDAP Attributes as Claims template (the user's full name from Active Directory).

Claims Provider Trusts

In ADFS go to Claims Provider Trusts, select the Active Directory claims provider trust and click Edit Claim Rules. There we need to create one Claim Rule.

emailmapper

This image shows the claim rule which we need to create using the Send LDAP attributes as Claims template.
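The three claim rules above (the two Issuance Transform Rules on the Relying Party Trust and the emailmapper rule on the Claims Provider Trust) can also be applied from PowerShell on the ADFS server. The script below is an added example written for this article; it is not Nanitor's own code and the screenshots above are the authoritative rule contents. It assumes the relying party trust is named "Nanitor", that Nanitor's metadata was exported to C:\nanitor-sp-metadata.xml, that the full name comes from the AD displayName attribute and is issued as the standard "name" claim, and that e-mail comes from the AD mail attribute; all of these are assumptions, not facts from the page.

```powershell
# Added example, not code from the Nanitor article. Run in an elevated
# PowerShell session on the ADFS server.
Import-Module ADFS

$rpName      = "Nanitor"                      # assumed name of the relying party trust
$metadataXml = "C:\nanitor-sp-metadata.xml"   # assumed path of the metadata file exported from Nanitor

# Standard claim type URIs used by the rules.
$email   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$nameId  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$name    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$winAcct = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$fmtProp = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"

# Step 1: create the relying party trust from Nanitor's metadata (skipped if it was already imported in the GUI).
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataXml
}

# Step 2: the two Issuance Transform Rules on the relying party trust.
#   emailnameid - "Transform an Incoming Claim": E-Mail Address -> Name ID (emailAddress format)
#   fullname    - "Send LDAP Attributes as Claims": displayName -> name claim (attribute/claim assumed)
$issuanceRules = @"
@RuleTemplate = "MapClaims"
@RuleName = "emailnameid"
c:[Type == "$email"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$fmtProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleTemplate = "LdapClaims"
@RuleName = "fullname"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$name"), query = ";displayName;{0}", param = c.Value);
"@

# Issuance authorization rule: permit every authenticated user. Assumed for a lab;
# in production restrict this to an AD group of Nanitor users instead.
$authzRules = @"
@RuleName = "Permit everyone"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules

# Step 3: the emailmapper acceptance rule on the Active Directory claims provider trust,
# so the user's mail attribute is available as an E-Mail Address claim for emailnameid to map.
$cpRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "emailmapper"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email"), query = ";mail;{0}", param = c.Value);
"@

# Append rather than replace: the AD claims provider trust ships with default
# pass-through rules that other relying parties depend on.
$existing = (Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules ($existing + "`n" + $cpRules)

# Verify what was applied.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
(Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
```

On ADFS 2016 and later a relying party trust may have an Access Control Policy assigned; in that case set the policy (for example with Set-AdfsRelyingPartyTrust -AccessControlPolicyName) instead of passing -IssuanceAuthorizationRules, as the two are mutually exclusive. Note also that the Name ID Nanitor receives is derived from the AD mail attribute: anyone who can write that attribute on a user object (delegated helpdesk rights, self-service portals) can make that account present another user's identity to Nanitor, so treat write access to mail as equivalent to access to the Nanitor account.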

Nanitor side of things

In our example the ADFS server is adfs2.nanitor.net. In Nanitor, go to System Management -> SAML Identity Providers and use https://adfs2.nanitor.dev/FederationMetadata/2007-06/FederationMetadata.xml as the Metadata URL (this is the standard ADFS federation metadata path, served on the ADFS host).

Then, in Organization management -> Users -> SAML permissions, map the Identity Provider to a permission.

Active Directory users

Every AD user who needs to sign in to Nanitor must have the Email Address field set on their user object, because the e-mail address is what the claim rules above turn into the SAML Name ID.
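The script below is an added example (not part of the Nanitor article) for finding users who will fail the requirement above before anyone tries to log in. It lists enabled users whose mail attribute is empty and, because the Name ID is derived from that attribute, also reports any address shared by more than one account. It assumes the ActiveDirectory RSAT module is installed and that the relevant users live under the OU in $searchBase; both the OU and the sample Set-ADUser call are assumptions to adjust for your directory.

```powershell
# Added example, not code from the Nanitor article. Run on a domain-joined
# machine with the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

$searchBase = "OU=Staff,DC=corp,DC=example"   # assumed OU containing the Nanitor users

# Enabled users only; disabled accounts cannot log in regardless of their mail attribute.
$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $searchBase -Properties mail, displayName

# Accounts that will be rejected because no E-Mail Address claim can be issued for them.
$missing = $users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) }

# Accounts that share an address: two AD identities would collapse into one Nanitor Name ID.
$dupes = $users |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.mail) } |
    Group-Object { $_.mail.Trim().ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 }

"Users without an e-mail address (cannot log in to Nanitor via ADFS):"
$missing | Select-Object SamAccountName, DisplayName | Format-Table -AutoSize

"Duplicate e-mail addresses (would map several AD accounts to one Name ID):"
$dupes | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.Group.SamAccountName -join ", ") }

# Example fix for one user (assumed account and address). Only use addresses in
# domains you control; the address becomes the user's identity in Nanitor.
# Set-ADUser -Identity jdoe -EmailAddress "jdoe@corp.example"
```

Run this before the first login test and again after onboarding a batch of users; an empty mail attribute produces a failed SAML login with no useful message on the Nanitor side, since ADFS simply issues no Name ID for that user.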

Afterwards

Once the claim rules are in place, the metadata URL is configured in Nanitor and the users have e-mail addresses set, the ADFS connection should work. Test it by signing in to Nanitor with an AD user whose Email Address field is populated.