Note  

Since there are many different third party solutions available as identity providers, this guide can only provide an example of how to set up an identity provider. The example is only valid for the mentioned software in the mentioned version. This example may not be applicable to other versions of the same software. For information on setting up your identity provider, please refer to the product documentation or contact the manufacturer.


Contact the d.vinci Customer Service if you need technical support for the setup.


Metadata-XML

The identity provider and the service provider (d.vinci) exchange metadata based on XML files, which are therefore called metadata XML. To connect the two systems, you first need the identity provider's metadata XML file. This is provided by your identity provider.


Microsoft Active Directory Federation Services

This guide shows an example of how to link the service provider (d.vinci) to the identity provider Microsoft Active Directory Federation Services (AD FS) version 3.0 (Microsoft Windows Server 2012 R2). The metadata XML file for this solution is provided at the link below.


Import d.vinci Metadata XML to the Identity-Provider and Create a Rule

No configurations are necessary or possible in d.vinci. Simply download the d.vinci metadata XML file and forward it to your identity provider.

Each identity provider has its own process for this. In this example, you add the d.vinci metadata XML file to the identity provider ADFS mentioned above.


Proceed as follows:

  1. In d.vinci, open the Administration menu item.
  2. In the General Administration section, press the Basic Settings card.
  3. Activate the SSO tab.
  4. In the Service Provider Information card, press the link in the Service Provider Metadata XML field. Download the file.
  5. Open the ADFS Management application of your ADFS.
  6. Go to Relying Party Trust and press Add Relying Party Trust.
  7. Use the wizard to import the downloaded d.vinci metadata XML file into your ADFS.


In order for single sign-on to work, link the user account of your operating system (or the starting point for single sign-on) with the user account of the service provider (d.vinci). Set up the necessary transformation rules in the identity provider.


Assign an LDAP attribute in ADFS for the Name ID field of the service provider (d.vinci):

  1. In ADFS, open the window to edit or create claims.
  2. Select Active Directory in the Attribute Store field.
  3. Select NameID as the outgoing claim type.
  4. Select an LDAP attribute that you want to assign to the Name ID of the service provider (d.vinci). This value must be the same as in d.vinci.
  5. Press OK to save all changes.


Change SamlResponseSignature

If you change your ADFS, please do not forget to change the SamlResponseSignature as well.

Proceed as follows:

  1. Open the ADFS management.
  2. Find the display name of the Relying Party Trust Identifier of the Relying Party Trust.
  3. Open the Powershell console as administrator.
  4. Query the current setting with the following command, replacing our value of the -Name parameter with your own display name from step 2:
    Get-AdfsRelyingPartyTrust -Name "ADFS-setup.dvinci.de" | select SamlResponseSignature
    Depiction in the PowerShell console:
    PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name "Adfs-setup.dvinci.de" | select SamlResponseSignature
    
    SamlResponseSignature
    ---------------------
    AssertionOnly
  5. Set the new value with the following command, replacing our value of the -TargetName parameter with your own display name from step 2:
    Set-AdfsRelyingPartyTrust -TargetName "ADFS-setup.dvinci.de" -SamlResponseSignature MessageAndAssertion
    Depiction in the PowerShell console:
    PS C:\Windows\system32> Set-AdfsRelyingPartyTrust -TargetName "Adfs-setup.dvinci.de" -SamlResponseSignature MessageAndAssertion
  6. After the change, running the query from step 4 again should return the following result:
    PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Name "Adfs-setup.dvinci.de" | select SamlResponseSignature
    
    SamlResponseSignature
    ---------------------
    MessageAndAssertion
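The two ADFS-side settings described above (the Name ID issuance rule and the SamlResponseSignature change) can also be applied and verified from the same elevated PowerShell console. The script below is an added example, not a script from d.vinci or Microsoft. It assumes the ADFS PowerShell module is available (Windows Server 2012 R2 with AD FS 3.0), that $TrustName is the display name of the relying party trust created from the d.vinci metadata XML (the page's "ADFS-setup.dvinci.de" is used as a placeholder), and that 'mail' stands in for whichever LDAP attribute you chose for the Name ID; that attribute must match the value configured in d.vinci.

```powershell
# Added example, not a script from d.vinci or Microsoft: apply the Name ID issuance rule
# and the SamlResponseSignature setting to the d.vinci relying party trust and verify them.
# Assumptions (placeholders, replace with your own values):
#   $TrustName           display name of the relying party trust created from the
#                        d.vinci metadata XML ("ADFS-setup.dvinci.de" on this page)
#   $NameIdLdapAttribute LDAP attribute chosen for the Name ID; 'mail' is only an
#                        example and must match what is configured in d.vinci
Import-Module ADFS

$TrustName           = 'ADFS-setup.dvinci.de'
$NameIdLdapAttribute = 'mail'

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) {
    throw "Relying party trust '$TrustName' not found. Check its display name in ADFS Management."
}

# 1. Name ID: the "Send LDAP Attributes as Claims" rule the claims wizard generates when
#    an Active Directory attribute is mapped to the outgoing claim type Name ID.
$ruleName = 'd.vinci Name ID'
$nameIdRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "$ruleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";$NameIdLdapAttribute;{0}", param = c.Value);
"@

# -IssuanceTransformRules replaces the complete rule set, so keep whatever is already
# configured on the trust and only append the Name ID rule if it is not there yet.
$ruleMarker   = [regex]::Escape("@RuleName = `"$ruleName`"")
$currentRules = [string]$trust.IssuanceTransformRules
if ($currentRules -notmatch $ruleMarker) {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules ($currentRules.TrimEnd() + "`n" + $nameIdRule)
}

# 2. Sign the whole SAML response, not only the assertion (the page's SamlResponseSignature step).
if ($trust.SamlResponseSignature.ToString() -ne 'MessageAndAssertion') {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -SamlResponseSignature MessageAndAssertion
}

# Verify: read the trust back and fail loudly if either setting did not stick.
$after = Get-AdfsRelyingPartyTrust -Name $TrustName
if ($after.SamlResponseSignature.ToString() -ne 'MessageAndAssertion') {
    throw "SamlResponseSignature is still '$($after.SamlResponseSignature)'"
}
if ([string]$after.IssuanceTransformRules -notmatch $ruleMarker) {
    throw "Issuance transform rule '$ruleName' was not applied"
}
$after | Select-Object Name, SamlResponseSignature
```

Run it once per trust after the wizard has created the relying party trust; it is safe to run again, because both changes are skipped when the trust already has them.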


Add IdP Metadata XML to d.vinci

Proceed as follows:

  1. In d.vinci, open the Administration menu item.
  2. In the General Administration section, press the Basic Settings card.
  3. Activate the SSO tab.
  4. In the Identity Provider Configuration card, press the button. The Single Sign-on input form is displayed.
  5. In the Source field, select the URL option to add the URL from which d.vinci is to request the metadata XML file of the identity provider. If you have already downloaded the file, select the File option and upload the file.
  6. For this example, enter https://DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml in the IdP Metadata XML URL field. Replace "DOMAIN" with the server domain name of your identity provider.
  7. Press Update. d.vinci will receive the IdP metadata xml file and display all extracted information. The Basic Settings page is displayed with the active SSO tab.


The following information is extracted from the IdP metadata XML file and displayed in d.vinci:

  • IdP Issuer / EntityID
    A unique identification of the identity provider, usually its URL.
  • IdP Post Binding URL
    The URL under which the identity provider provides the single sign-on service.
  • IdP X.509 Certificate


Caution

SSO certificates are time-limited. If you do not renew an expiring certificate in time, all users will be excluded from the system. To renew the certificates, simply download an up-to-date metadata XML file from your identity provider and update the existing file in d.vinci.
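To see for yourself what d.vinci extracts from the IdP metadata XML (the three values listed above) and to catch the certificate expiry that the caution warns about before users are locked out, the following added example reads a downloaded metadata file and reports the signing certificate's remaining lifetime. It is not part of the d.vinci documentation or of ADFS; it assumes a standard SAML 2.0 metadata document such as the FederationMetadata.xml that ADFS publishes, and the function name, parameter names and the 30-day warning threshold are choices made here.

```powershell
# Added example, not part of the d.vinci documentation or of ADFS: read the values
# d.vinci extracts from an IdP metadata XML file and warn when the signing certificate
# is about to expire. Assumes a standard SAML 2.0 metadata document (ADFS
# FederationMetadata.xml). Function and parameter names are chosen for this example.
function Get-IdpMetadataInfo {
    param(
        [Parameter(Mandatory = $true)]
        [string]$MetadataPath,   # path of the downloaded IdP metadata XML file
        [int]$WarnDays = 30      # warn when the certificate expires within this many days
    )

    [xml]$doc = Get-Content -Path $MetadataPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # IdP Issuer / EntityID: the entityID attribute of the root EntityDescriptor.
    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw "No md:EntityDescriptor element found in $MetadataPath" }
    $entityId = $entity.GetAttribute('entityID')

    # IdP Post Binding URL: the SingleSignOnService endpoint with the HTTP-POST binding.
    $postXPath = "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService" +
                 "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']"
    $post = $doc.SelectSingleNode($postXPath, $ns)
    if (-not $post) { throw 'No HTTP-POST SingleSignOnService endpoint found in IDPSSODescriptor' }
    $postUrl = $post.GetAttribute('Location')

    # IdP X.509 Certificate: the signing key of the IDPSSODescriptor, published as a
    # base64-encoded DER certificate. A KeyDescriptor without a "use" attribute is
    # valid for signing as well, so accept both forms.
    $certXPath = "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']" +
                 "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $certNode = $doc.SelectSingleNode($certXPath, $ns)
    if (-not $certNode) { throw 'No signing certificate found in IDPSSODescriptor' }
    $certBytes = [Convert]::FromBase64String(($certNode.InnerText -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $certBytes)

    # Remaining lifetime; an expired certificate locks every SSO user out of d.vinci.
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -le $WarnDays) {
        Write-Warning "IdP signing certificate $($cert.Thumbprint) expires on $($cert.NotAfter) ($daysLeft days left). Download a fresh metadata XML from the identity provider and update it in d.vinci before then."
    }

    [pscustomobject]@{
        EntityID        = $entityId
        PostBindingUrl  = $postUrl
        CertSubject     = $cert.Subject
        CertThumbprint  = $cert.Thumbprint
        CertNotAfter    = $cert.NotAfter
        DaysUntilExpiry = $daysLeft
    }
}
```

Call it as Get-IdpMetadataInfo -MetadataPath .\FederationMetadata.xml (optionally with -WarnDays 60) and compare EntityID, PostBindingUrl and CertThumbprint with what the SSO tab in d.vinci shows; scheduling the call as a recurring task turns the caution above into an alert rather than an outage.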