This is a guide on how to configure the SAML IdP in Talent App Store with an Active Directory Federation Service (ADFS).
This guide is based on a fresh installation of Windows Server 2016, Active Directory, and ADFS 3.0.
Setting up the Talent App Store Relying Party Trusts
After you have downloaded the Talent App Store service provider metadata, you will create the Talent App Store Relying Party as “claim aware”:
Then import the metadata file:
Set your desired display name and access control policies. The configuration should be as follows:
When constructing the SAML assertion that an app will consume, Talent App Store will populate the nameID that you provide, and in addition you can add the following attributes:
The nameID is required, but the above attributes are not required.
The easiest method to add these (optional) attributes is to create new Claim Descriptions. The only important field is to set the Claim Identifier to be the tas.personal.* attribute you want to set e.g. for tas.personal.email you can configure it like so:
Once the claim descriptions have been added, edit the Claim Issuance Policy add a new LDAP Attributes rule configured to send emails as the above attribute, and set the nameID to an appropriate identifier (in this example it is the surname, however in most cases it should be set to the users email address or employee id):
Export your metadata
Should be available at (replace server with your ADFS hostname): https://server/FederationMetadata/2007-06/FederationMetadata.xml
Determine your signature digest and algorithm
In ADFS, under Service -> Certificates select your token-signing. View the certificate details where the “Signature algorithm” will by the “Signature algorithm” in TAS, and the “Signature hash algorithm” will be the “Signature digest” in TAS.
Determine if ADFS is encrypting assertions
Under the Relying Party Trusts properties for the Talent App Store service provider, check if the encryption tab has a certificate:
Installing the SAML IdP on Talent App Store
On your tenant’s storefront, navigate to Browse Apps -> Identity -> Sign in With SAML 2.0, then select on the “install new” button.
- Select the principal type (user in most cases)
- Choose a name which will appear when signing in
- Select a logo which will appear when signing in, please note this needs to be a .png file
- Paste your IdP metadata into the metadata field
- Select your signature algorithm
- Select your signature digest algorithm
- Check/uncheck if the assertions are encrypted
- Set the claim mappings to the value below (if you have added the claims mappings for tas.personal.*)
- Click install
Claim mappings (one line):