Configuring ADFS for ZingHR with SAML 2.0

 

 

Here's how you can configure ADFS SAML SSO for your users.

 

Step 1: On your ADFS Server, Open up AD FS Management.



Step 2: Right click on Relying Party Trusts and select Add Relying Party Trust. This will launch the Add Relying Party Trust Wizard.




 

Step 3: In the Select Data Source step, choose Enter data about the relying party manually.




 

Step 4: Enter a Display name and click Next.



 

 

Step 5: Choose AD FS profile with SAML 2.0 and click Next.





Step 5: Click Next on the Configure Certificate screen without choosing any certificates.


 

Step 6: Select Enable support for the SAML 2.0 SSO Web SSO protocol.


 

Step 7: Enter any one of the below URL as per your requirement (UAT or Live) and click Next.

 

ClientUAT :

 

https://clientuat.zinghr.com/SAML/Pages/Callback.aspx?sub={CompanyCode}

 

Production:

 

https://portal.zinghr.com/SAML/Pages/Callback.aspx?sub={CompanyCode}

 

Note: Replace {ComapanyCode} with your actual company code.

 

Example: ABCUAT for (ClientUat) or ABC for (production)




Step 8: Add a Relying party trust identifier and click Next.

 

ClientUAT : https://clientuat.zinghr.com/SAML/Auth/Signin/{CompanyCode}


Production: 
https://portal.zinghr.com/SAML/Auth/Signin/{CompanyCode}






Step 9: Click Next on until you reach the Finish screen.


 

Step 10: Choose to Open the Edit Claim Rules dialog before clicking finish to edit further configuration. This will launch the Edit Claim Rules window.

 






























































































Step 11: Click on Add Rule and Choose Claim Rule as Send LDAP Attributes as Claims.





Step 12: Select Send LDAP Attributes as Claims






Step 13: You can add the Outgoing claim Type as shown in the image here.






Step 14: Click Finish.

 

ZingHR uses Email of the user as a login ID. In order for this to work, you need to set up the Email as the NameID on the SAML login request. This can be achieved by setting up a Transform Rule.

 


Step 15: Click Add Rule again, choose Transform an Incoming Claim and click Next.





Step 16: Setup Email ID to be sent as NameID as shown below and click Finish and Click Apply on next window.




 

Step 17: On the AD FS Management window, right click on the Relying Party for ZingHR and choose properties. Under the Advanced tab, choose SHA­­256 as the Secure hash Algorithm.

 

































































Step 18: On the AD FS Management Window, choose Services -> Certificates and double click on Token Signing Certificate, which will give you an option "copy to file". By doing this, you will be able to export the X509 certificate from the raw file.







Step 19:

Go on your ADFS server :
1. Go to ADFS manager > Trust Relationships > Relying Party Trusts > <your party trust> properties
2. Under the Endpoints tab, click Add
3. Endpoint Type = SAML Logout, Binding = POST, URL = https://adfs.yourcompany/adfs/ls/?wa=wsignout1.0
4. Save and test.





After finishing all above steps please share following details with ZingHR.

 

 

 

  • 3. IDP X509 Cert : Exported from above step no. 18

 

Please perform below steps on ZingHR portal

 

Step 1: Go to Setup Circle à Portal à SSOà Setting(Icon) à Select SSO Type (SAML 2.0)à Submit







Step 2: Once the screen is reloaded, click on settings icon available on SAML widget.






Step 3: Enter the IDP SSO URL, IDP ISSUER URL, Upload the certificate and submit. You can also mention logout url incase if you wish user to be redirected to the specific URL after logging out from ZingHR.






Once you have finished all above steps, please follow below document for mapping users with ZingHR.

 

ADFS/AzureAD/Gmail/SAML 2.0 SSO UserID Mapping with ZingHR