Integrating SAML with ADFS


GroundControl Enterprise can be configured to use SAML 2.0 to authenticate users against your Active Directory system. This authentication applies to both the GroundControl admin console and the Launchpad app. SAML keeps passwords internal to your network, making GroundControl more secure. At the same time, SAML leverages single sign-on, providing a better login experience for users.

Active Directory is used only for user authentication. Authorization — that is, assigning users to GroundControl roles — is still handled within the GroundControl admin console. You can use the “Team” tab in Settings to add new users and assign them to a role. If a user has no role, then they will see an error when logging in with SAML. Alternatively, you may ask to have your account set up for automatic user creation, where new users are automatically assigned the role of “Launchpad Only”.

Using SAML 2.0, GroundControl takes the role of a Service Provider (“SP”) and your Active Directory takes the role of Identity Provider (“IdP”). No credentials are exchanged during the process. Instead, a trusted relationship is established between the two services.

Setting up GroundControl in ADFS

As a prerequisite, provide a copy of your SAML IdP metadata in XML format to support@groundctl.com. This is usually delivered as a URL. Then GroundControl will create a DNS alias for your company, such as “mycompany.groundctl.com”. This will be the host name you use both for admin console access and for configuring Launchpads. Finally, GroundControl will send you a copy of our SAML SP metadata.

  1. Create a new Relying Party in ADFS, using the provided SP metadata.
  2. In Properties > Advanced, change the Secure Hash Algorithm from “SHA-256” to “SHA-1”.
  3. Set up a single claim to map “E-mail Address” to “Name ID” as shown in the attached image.
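
The three steps above can also be scripted and read back with the ADFS PowerShell cmdlets. This is an added example, not a GroundControl-supplied script. It assumes a trust display name of "GroundControl", a local copy of the SP metadata at a placeholder path, and that the claim is sourced from the Active Directory "mail" attribute.

```powershell
# Added example: the trust name and metadata path are assumptions, not GroundControl values.
Import-Module ADFS

$trustName  = 'GroundControl'                  # hypothetical display name for the trust
$spMetadata = 'C:\temp\groundcontrol-sp.xml'   # hypothetical path to the SP metadata you received

# Step 1: create the relying party trust from the SP metadata if it does not exist yet.
# Who may sign in through the trust (its access control) is not set here.
if (-not (Get-AdfsRelyingPartyTrust -Name $trustName)) {
    Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $spMetadata
}

# Step 3: a single claim rule that reads the user's AD "mail" attribute
# and issues it as the Name ID claim (assumed source attribute).
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail Address to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";mail;{0}", param = c.Value);
'@

# Steps 2 and 3: set the SHA-1 signature algorithm and the claim rule.
# Both settings are scoped to this one relying party trust.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $rules

# Read the settings back to confirm what ADFS will actually apply.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Format-List Name, Identifier, Enabled, SignatureAlgorithm, IssuanceTransformRules
```

Run this on the primary ADFS server in an elevated session. The final command should list the SHA-1 algorithm URI and exactly one issuance transform rule.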

To test, visit your hostname, for example “https://mycompany.groundctl.com”, and click “Login”. You should be redirected to an internal authentication page. If already signed in, the SSO authentication may be extremely brief. Once authenticated, your browser will redirect you back to GroundControl, and if you have an appropriate role you should be logged in.