ADFS authentication
In newer implementations it's recommended to move to Authentication using OIDC
Jakamo ADFS login method is a convenient way to enable users to sign in to Jakamo, with their existing Active Directory credentials provided by their company, using Active Directory Federation Services (ADFS), a service that provides federated identity and access management. Jakamo ADFS is directly accessed from the login page thejakamo.com. Just type your email, and if ADFS configuration exists, you will automatically redirected to your ADFS service. In this document, you will learn:
- What ADFS is and how it works
- How to set up and configure ADFS for Jakamo
- How to test and troubleshoot ADFS for Jakamo
This document is intended for Jakamo administrators who want to enable ADFS authentication for their users. You should have a basic understanding of Active Directory, ADFS, and Jakamo before reading this document.
1. Overview
Using ADFS, Jakamo users can leverage their existing Active Directory accounts and passwords, and enjoy a seamless and secure single sign-on experience. ADFS also enables administrators to manage user access and identity across different applications and organizations. ADFS is a service that provides federated identity and access management for on-premises and cloud applications. ADFS can authenticate users with Active Directory or other sources, and issue security tokens that contain claims about the user’s identity and attributes. ADFS can also trust tokens from other identity providers, such as Azure AD or Azure B2C.
2. Steps to use ADFS authentication
- Register Jakamo as a relying party trust in the ADFS service, and specify the entity ID, reply URL, metadata URL, and login URL of the Jakamo. This will establish a federated trust relationship between the ADFS service and Jakamo, and enable the exchange of claims and tokens.
- Configure the authentication methods and policies for the ADFS service and the relying party trust, and select the primary and additional authentication factors that the users will be prompted for.
- Test the ADFS login method for Jakamo by accessing the Jakamo login URL and verifying that the users are redirected to the ADFS service for authentication, and then back to the Jakamo with the appropriate claims and tokens.
3. Jakamo ADFS addresses
The following table shows the Jakamo ADFS addresses for the demo and production environments. Note that these addresses may change depending on the environment and the version of the ADFS service, so please check them before using them.
4. Detailed technical process of Jakamo ADFS
- The client (browser) makes a GET request to Jakamo
- Jakamo checks if the user is authenticated, and if not, it redirects the user to AD FS
- AD FS performs Home Realm Discovery (HRD), which is a process of determining the user’s identity provider (IdP) based on their email domain or other criteria. AD FS then forwards the user to their own IdP, which is the Customer IdP in this case.
- The Customer IdP performs authentication and authorization (Authn/-z) of the user, which is the process of verifying the user’s identity and granting them access to the requested resource or service. The Customer IdP can use various methods and factors for Authn/-z, such as passwords, certificates, or multi-factor authentication.
- The Customer IdP returns the result of Authn/-z to AD FS, along with a security token that contains claims about the user’s identity and attributes. The security token is formatted using the Security Assertion Markup Language (SAML), which is a standard for exchanging authentication and authorization data between IdPs and relying parties.
- AD FS maps the incoming claims from the SAML token to the Jakamo-required claims, which are the claims that Jakamo expects to receive from the user. The mapping can involve transforming, filtering, or adding claims, depending on the configuration of the relying party trust between AD FS and Jakamo.
- Jakamo verifies the claims and the signature of the token, and authenticates the user. Authentication is the process of confirming the user’s identity based on the claims and the token issuer. Jakamo can also perform additional checks or actions, such as creating or updating the user account, assigning roles or permissions, or logging the event.
- Jakamo returns the user to the client, along with a session cookie (ADFS) or a token (Used in Azure B2C) that indicates that the user is logged in. The user can then access the Jakamo platform and its features, and enjoy a seamless and secure single sign-on experience.