SSO setup - ADFS (SAML 2.0)

Fill out this contact form to trial or subscribe to the SSO feature.

Splashtop now supports logging in my.splashtop.com and Splashtop Business app using the credential created from your SAML 2.0 identity providers. Please follow the below instructions to create a Relying Party Trust with AD FS.

Create a Relying Party Trust with AD FS

Follow Microsoft document to create a Relying Party Trust, please check only To create a claims aware Relying Party Trust manually section:
https://docs.microsoft.comwindows-server/identity/ad-fs/operations/create-a-relying-party-trust

Follow steps 1 to 6 in the document. (Select AD FS 2.0 Profile)

At step 7, Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol checkbox. Under Relying party SAML 2.0 SSO service URL, type "https://my.splashtop.com/sso/saml2/adfs/acs", then next.

adfs_en-us.png

At step 8, Configure Identifiers page, add https://my.splashtop.com and https://my.splashtop.com/sso/saml2/adfs/metadata.

Note: no "/" at the end of these paths
adfs2_en-us.png

Add a claim

1. Select the Relying Party Trust you just created, click Edit Claim Insurance Policy.

2. Click Add rule, select Send LDAP Attributes as Claims, then next.

adfs3_en-us.png

3. Select Active Directory as Attribute store, then add E-Mail-Address and User-Principal-Name.
E-Mail-Address: E-mail Address
User-Principal-Name: Name ID 

adfs4_en-us.png

Add another claim

1. Add another rule with Claim rule template Transform an Incoming Claim.
adfs5_en-us.png

2. Set up Name ID.
Incoming claim type: E-mail Address
Outgoing claim type: Name ID
Outgoing name ID format: Email 

adfs6_en-us.png

Troubleshooting

If you get this error message when trying to login, please check the ADFS logs.

adfs7_en-us.png

If you have a similar error in your ADFS log below, please remove the mapping between “User-Principal-Name” and “Name ID” from Send LDAP Attributes as Claims.

Exception details:

Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.DuplicateNameIdentifierPolicyException: MSIS3046: More than one SamlNameIdentifierClaimResource-based claim was produced after processing policy for scope 'https://my.splashtop.com'.

at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)

at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)

at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)

at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List`1 additionalClaims)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)

at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)

at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)

at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

 

Apply for an SSO method from my.splashtop.com

Now you can follow the instruction to insert required info to apply for an SSO method:
https://support-splashtopbusiness.splashtop.com/hc/articles/360038280751

Note: 

a. You should have your own login URL and Issuer to insert on my.splashtop.com.
Example (Note: http versus https for your URL):
adfs8_en-us.png
b. Follow below instructions to get your X.509 info to insert on my.splashtop.com.

Click Service -> Certificates -> View Certificate on the Action menu on the right side. (You should already installed IIS with your certificate.)
Click Details on the Certificate window, and then click Copy to File”4, and choose Base-64 encoded X.509.

adfs9_en-us.png

Right-click on the exported certificate, then copy the info to paste in the corresponding field on my.splashtop.com.
adfs10_en-us.png

adfs11_en-us.png

 

0 out of 0 found this helpful