Note
Since there are many different third party solutions available as identity providers, this guide can only provide an example of how to set up an identity provider. The example is only valid for the mentioned software in the mentioned version. This example may not be applicable to other versions of the same software. For information on setting up your identity provider, please refer to the product documentation or contact the manufacturer.
Contact the d.vinci Customer Service if you need technical support for the setup.
Metadata-XML
The identity provider and the service provider (d.vinci) exchange metadata based on XML files, which are therefore called metadata XML. To connect the two systems, you first need the identity provider's metadata XML file. This is provided by your identity provider.
Microsoft Active Directory Federation Services
This guide shows an example of how to link the service provider (d.vinci) to the identity provider Microsoft Active Directory Federation Services (AD FS) version 3.0 (Microsoft Windows Server 2012 R2). The metadata XML file for this solution is provided at the link below.
Import d.vinci Metadata XML to the Identity-Provider and Create a Rule
No configurations are necessary or possible in d.vinci. Simply download the d.vinci metadata XML file and forward it to your identity provider.
Each identity provider has its own process for this. In this example, you add the d.vinci metadata XML file to the identity provider ADFS mentioned above.
Proceed as follows:
- In d.vinci, open the Administration menu item.
- In the General Administration section, press the Basic Settings card.
- Activate the SSO tab.
- In the Service Provider Information card, press the link in the Service Provider Metadata XML field. Download the file.
- Open the ADFS Management application of your ADFS.
- Go to Relying Party Trust and press Add Relying Party Trust.
- Use the wizard to import the downloaded d.vinci metadata XML file into your ADFS.
In order for single sign-on to work, link the user account of your operating system (or the starting point for single sign-on) with the user account of the service provider (d.vinci). Set up the necessary transformation rules in the identity provider.
Assign an LDAP attribute in ADFS for the Name ID field of the service provider (d.vinci):
- In ADFS, open the window to edit or create claims.
- Select Active Directory in the Attribute Store field.
- Select NameID as the outgoing claim type.
- Select an LDAP attribute that you want to assign to the Name ID of the service provider (d.vinci). This value must be the same as in d.vinci.
- Press OK to save all changes.
Change SamlResponseSignature
If you change your ADFS, please do not forget to change the SamlResponseSignature as well.
Proceed as follows:
- Open the ADFS management.
- Find the display name of the Relying Party Trust Identifier of the Relying Party Trust.
- Open the Powershell console as administrator.
- Query the current setting with the following command, replacing our value of the -Name parameter with your own display name from step 2:
Get-AdfsRelyingPartyTrust -Name "ADFS-setup.dvinci.de" | select SamlResponseSignature
Depiction in the PowerShell console:
PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name "Adfs-setup.dvinci.de" | select SamlResponseSignature

SamlResponseSignature
---------------------
AssertionOnly
- Set the new value with the following command, replacing our value of the -TargetName parameter with your own display name from step 2:
Set-AdfsRelyingPartyTrust -TargetName "ADFS-setup.dvinci.de" -SamlResponseSignature MessageAndAssertion
Depiction in the PowerShell console:
PS C:\Windows\system32> Set-AdfsRelyingPartyTrust -TargetName "Adfs-setup.dvinci.de" -SamlResponseSignature MessageAndAssertion
- After the change, running the query again should return the following result:
PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name "Adfs-setup.dvinci.de" | select SamlResponseSignature

SamlResponseSignature
---------------------
MessageAndAssertion
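The SamlResponseSignature value decides which parts of the SAML response AD FS signs: AssertionOnly signs only the saml:Assertion, MessageOnly signs only the enclosing samlp:Response, and MessageAndAssertion signs both. On the service-provider side the difference is visible as the presence of a ds:Signature element directly under the response and/or directly under the assertion. The following Python script is an added example, not part of this guide or of d.vinci, that inspects a response and reports which scope it carries; the sample responses, the issuer, the destination URL and the user name in it are constructed placeholders, and the Signature elements are markers only (no cryptographic validation is performed, which remains the service provider's job).

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder standing in for a real XML signature (constructed, no key material).
PLACEHOLDER_SIGNATURE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
)


def _response(message_sig: bool, assertion_sig: bool) -> str:
    """Build a minimal samlp:Response with optional signatures (constructed sample)."""
    parts = [
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ',
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" ',
        'Destination="https://sp.example.test/saml/acs" Version="2.0">',
        "<saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>",
        PLACEHOLDER_SIGNATURE if message_sig else "",
        '<saml:Assertion ID="_assert1" Version="2.0">',
        "<saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>",
        PLACEHOLDER_SIGNATURE if assertion_sig else "",
        "<saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>",
        "</saml:Assertion></samlp:Response>",
    ]
    return "".join(parts)


# Constructed samples matching the two AD FS settings shown in the guide, plus an unsigned one.
ASSERTION_ONLY_RESPONSE = _response(message_sig=False, assertion_sig=True)
MESSAGE_AND_ASSERTION_RESPONSE = _response(message_sig=True, assertion_sig=True)
UNSIGNED_RESPONSE = _response(message_sig=False, assertion_sig=False)


def signature_scope(response_xml: str) -> str:
    """Report which parts of a SAML 2.0 Response carry a ds:Signature element.

    Returns 'MessageAndAssertion', 'MessageOnly', 'AssertionOnly' or 'None'.
    Only presence is inspected; signature verification is a separate step.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("document is not a samlp:Response")
    # The message signature is a direct child of samlp:Response ...
    message_signed = root.find("ds:Signature", NS) is not None
    # ... and every assertion's signature is a direct child of saml:Assertion.
    assertions = root.findall("saml:Assertion", NS)
    assertion_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions
    )
    if message_signed and assertion_signed:
        return "MessageAndAssertion"
    if message_signed:
        return "MessageOnly"
    if assertion_signed:
        return "AssertionOnly"
    return "None"


def meets_policy(response_xml: str, required: str = "MessageAndAssertion") -> bool:
    """True if the response is signed at least as broadly as the SP requires."""
    scope = signature_scope(response_xml)
    if required == "MessageAndAssertion":
        return scope == "MessageAndAssertion"
    if required == "AssertionOnly":
        return scope in ("AssertionOnly", "MessageAndAssertion")
    if required == "MessageOnly":
        return scope in ("MessageOnly", "MessageAndAssertion")
    raise ValueError(f"unknown policy {required!r}")


if __name__ == "__main__":
    for name, xml in [("AssertionOnly sample", ASSERTION_ONLY_RESPONSE),
                      ("MessageAndAssertion sample", MESSAGE_AND_ASSERTION_RESPONSE),
                      ("unsigned sample", UNSIGNED_RESPONSE)]:
        print(f"{name}: {signature_scope(xml)}, accepted={meets_policy(xml)}")
```

A practical use is to capture one response after changing the relying party trust and confirm that the scope has actually moved to MessageAndAssertion before the old setting is relied on anywhere else; the check is deliberately strict, so a response signed only at the assertion level is rejected once the policy requires both.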
Add IdP Metadata XML to d.vinci
Proceed as follows:
- In d.vinci, open the Administration menu item.
- In the General Administration section, press the Basic Settings card.
- Activate the SSO tab.
- In the Identity Provider Configuration card, press . The Single Sign-on input form is displayed.
- In the Source field, select the URL option to add the URL from which d.vinci is to request the metadata XML file of the identity provider. If you have already downloaded the file, select the File option and upload the file.
- For this example, enter https://DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml in the IdP Metadata XML URL field. Replace "DOMAIN" with the server domain name of your identity provider.
- Press Update. d.vinci will retrieve the IdP metadata XML file and display all extracted information. The Basic Settings page is displayed with the active SSO tab.
The following information is extracted from the IdP metadata XML file and displayed in d.vinci:
- IdP Issuer / EntityID: A unique identification of the identity provider, usually its URL.
- IdP Post Binding URL: The URL under which the identity provider provides the single sign-on service.
- IdP X.509 Certificate