ADFS single sign-on (SSO) with Thanks Platform

Thanks platform can be integrated with Active Directory Federation Services (ADFS) for managing user authentication. This makes it easier for users to sign into both the web and mobile apps using the same single sign-on (SSO) credentials they use for ADFS.

You need an AD subscription with admin rights and Thanks platform admin rights to activate SSO. Users also need a unique email or employee code to enable the service.

How To Setup

The client ADFS server should support SAML 2.0 to enable SSO. You need:
  • Microsoft Server 2012 R2 with ADFS 3.0 and SAML 2.0.
  • Admin rights for your ADFS server and Thanks platform.
  • Unique identifier for users (either email or employee-id).
Before ADFS will allow federated authentication (i.e., SSO) for an external system, you must set up a Relying Party Trust. To set up the relying party, download the metadata file from the Thanks platform, create the relying party, and complete the setup in the platform.
Step 1 : To download the Thanks platform metadata file
  • Login to the Thanks application.
  • On the left side of the page, click > Integrations > Login SSO > Manage Now > Metadata.
  • Click the download option to download the metadata file.
  • It will download the metadata XML file to complete the setup of the relying party.
Step 2 : To create a relying party
Once the configuration is completed, copy your metadata file and move to the next step.
Step 3 : To complete the setup
  • Login to the Thanks application.
  • On the left side of the page, click Admin > Integrations > Manage SSO > Add New SSO Config.
  • In the SSO Name field, enter a name to recognize the integration. This is for internal reference only.
  • In the Time Offset field, enter the time in seconds (for example, 60 or 120) allowed as the time difference between the client server and the Thanks server for authorization purposes. If the time difference is greater than the offset, authentication fails. For security reasons, keep it under 180 seconds, i.e., 3 minutes.
  • The Debug Mode field can be checked during the testing period before going live, so that the Thanks team can check the detailed log if any error occurs and help you debug and complete the configuration.
  • The IDP Indicator field can be checked if the client wants to enable identity provider based SSO. By default, it is SP (service provider) initiated.
  • In the Authentication Type field, select either Email or Employee Id, based on the unique field in your Active Directory.
  • In the SSO Type field, select ADFS as the IDP name.
  • In the Remarks field, add a description of the integration/project for which the SSO is enabled.
  • In the Upload Type field, you can select the approach through which you want to upload the federation metadata file.
  • In the Manually type option, open your federation metadata file and copy the fields below.
    • Entity ID
    • Single SignOn URL
    • Artifact Resolution URL
    • Signing Certificate
    • After adding the above fields, click Save to complete the configuration.
  • In the XML file option
    • Click the Add a File option to upload your federation metadata file.
  • In the XML URL type option
    • Copy your federation metadata file URL from the server and add it in the Enter XML URL field.
  • Once the setup is complete, you can track previous configurations from the SSO history tab.
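
For the manual upload option in Step 3, the four values can be read from the federation metadata with a short script that also computes a SHA-256 fingerprint of the signing certificate, so the pasted value can be compared with the certificate on the ADFS server. This is an added example, not Thanks platform or Microsoft code; the host adfs.example.test, the certificate bytes, and the returned field names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
B = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Constructed sample: the host name and certificate bytes are placeholders.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_CERT = base64.b64encode(SAMPLE_DER).decode()
KEY = ('<KeyDescriptor use="{use}"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
       "<X509Data><X509Certificate>{b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>")
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  {KEY.format(use='encryption', b64='AAAA')}
  {KEY.format(use='signing', b64=SAMPLE_CERT)}
  <ArtifactResolutionService Binding="{B}SOAP" index="0"
    Location="https://adfs.example.test/adfs/services/trust/artifactresolution"/>
  <SingleSignOnService Binding="{B}HTTP-Redirect" Location="https://adfs.example.test/adfs/ls/"/>
  <SingleSignOnService Binding="{B}HTTP-POST" Location="https://adfs.example.test/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def extract_idp_fields(metadata_xml):
    """Return the values the manual upload form asks for, plus a certificate fingerprint."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    def endpoints(tag):  # binding short name -> Location (several bindings may be listed)
        return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.findall(f"md:{tag}", NS)}
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find(".//ds:X509Certificate", NS)
        # A KeyDescriptor without "use" serves both signing and encryption.
        if kd.get("use") in (None, "signing") and node is not None and node.text:
            cert = "".join(node.text.split())  # drop line breaks inside the base64
            break
    if cert is None:
        raise ValueError("no signing certificate in IDPSSODescriptor")
    return {"entity_id": root.get("entityID"), "signing_certificate": cert,
            "cert_sha256": hashlib.sha256(base64.b64decode(cert)).hexdigest(),
            "sso_urls": endpoints("SingleSignOnService"),
            "artifact_resolution_urls": endpoints("ArtifactResolutionService")}

if __name__ == "__main__":
    print(extract_idp_fields(SAMPLE_METADATA))
```

The page does not say which binding the Single SignOn URL field expects, so the example lists every binding present in the metadata.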

If you are facing any issue, please reach us at help@thanks.com