This document describes how to configure ADFS to connect to Tradeshift via SSO (SAML).
For troubleshooting existing connections, see ADFS Configuration Troubleshooting.
Open the Server Manager
Open the AD FS Management tool
Add Relying Party Trust
Select the option Claims aware
Select the option Enter data about the Relying party manually
Input a Display name (e.g. Tradeshift)
Upload the SP encryption certificate (see above)
Check Enable support for the SAML 2.0 WebSSO protocol and input the SSO service URL https://accounts.tradeshift.com/saml/SSO/alias/saml
Relying party trust identifier: https://accounts.tradeshift.com.
Click Add and make sure the value is in the list before you proceed.
Accept the policy Permit everyone
Accept the defaults until the end of the wizard.
Right-click the Relying Party Trust you just created (i.e. Tradeshift), and click Properties
Under the Signature tab, click Add to upload the same certificate as for Encryption
Under the Advanced tab, select SHA-1 and click OK.
Right-click the Relying Party Trust (i.e. Tradeshift) and click Edit Claim Issuance Policy
Click Add Rule
Select the Claim rule template “Send LDAP Attribute as Claims”
Map the LDAP attribute you use for email addresses (the same one you would use for Tradeshift - UPN, Email, etc.) to the SAML field used on Tradeshift - this is how we find your user in Tradeshift.
Claim rule name: Tradeshift Claims
Attribute store: Active Directory
Map your LDAP attribute (e.g. User-Principal-Name) to 0.9.2342.19200300.100.1.3
E.g. If UPN is not your email address, make sure AD has your email under Email and create the following mapping: E-Mail-Addresses to 0.9.2342.19200300.100.1.3
Claim rule template: Send Claims Using a Custom Rule
Claim rule name: NameID Policy Transform
Custom rule: (copy-paste the following as one long line; use straight double quotes throughout, as the rule will not parse with typographic quotes)
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "saml");
Click Finish, then OK
Done. You can now start creating users.
Most common issues found during the configuration of ADFS IdPs.
The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier( IsReadOnly = False, Count = 1, Clause = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause)'. Ensure that the SecurityTokenResolver is populated with the required key.
Problem: missing signing certificate
Solution: See section above titled "Under the Signature tab, click Add to upload the same certificate as for Encryption"
The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: saml. Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier: , SPProvidedId: .
Problem: AuthnRequest NameIDPolicy attribute SPQualifierName mismatch
Problem: Transform rule to map the NameID policy is missing
Solution: See section above titled "Click Add Rule to add a NameID Policy transform rule"
The encryption/signing certificate of the relying party trust 'https://accounts.tradeshift.com' identified by thumbprint '1083C418421E2C234DEDA2AC8D7E5CAD0B2AF562' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
Problem: The encryption/signing certificate is not trusted
Solution: Turn off Certificate Revocation Check for Encryption and Signing certificates:
Open PowerShell (Right-click > Run as administrator, if needed)
Assuming the Relying Party Trust is named “Tradeshift”, copy-paste this command
Set-ADFSRelyingPartyTrust -TargetName "Tradeshift" -EncryptionCertificateRevocationCheck None -SigningCertificateRevocationCheck None
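As an added check (not part of the original guide or of Tradeshift's own tooling), the following PowerShell reads back the relying party trust created in the configuration steps above and reports whether each setting the guide asks for is present, including the signing certificate and the NameID transform rule whose absence produces the first two errors in this troubleshooting section. It assumes the trust display name "Tradeshift" and the identifier, SSO URL and claim OID given in the steps above, and is run in an elevated PowerShell on the AD FS server.

```powershell
# Added verification script (assumed values come from the configuration steps above).
Import-Module ADFS

$trustName   = "Tradeshift"                                          # display name from the wizard
$expectedId  = "https://accounts.tradeshift.com"                     # relying party trust identifier
$expectedSso = "https://accounts.tradeshift.com/saml/SSO/alias/saml" # SAML 2.0 WebSSO service URL
$emailOid    = "0.9.2342.19200300.100.1.3"                           # outgoing claim type for the e-mail attribute

$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying Party Trust '$trustName' not found." }

$rules = [string]$rp.IssuanceTransformRules
$sso   = $rp.SamlEndpoints | Where-Object {
    $_.Protocol -eq "SAMLAssertionConsumer" -and $_.Location.AbsoluteUri -eq $expectedSso
}

$checks = [ordered]@{
    "Identifier matches"              = ($rp.Identifier -contains $expectedId)
    "SAML WebSSO endpoint present"    = ($null -ne $sso)
    "Encryption certificate uploaded" = ($null -ne $rp.EncryptionCertificate)
    # Missing signing certificate => "The key needed to verify the signature could not be resolved"
    "Signing certificate uploaded"    = (@($rp.RequestSigningCertificate).Count -gt 0)
    # Advanced tab: SHA-1 selected (SignatureAlgorithm is the xmldsig URI ending in "rsa-sha1")
    "Secure hash algorithm is SHA-1"  = ($rp.SignatureAlgorithm -like "*sha1")
    "E-mail OID claim mapped"         = ($rules -match [regex]::Escape($emailOid))
    # Missing transform rule => "NameIDPolicy that was not satisfied by the issued token"
    "NameID transform rule present"   = ($rules -match "nameid-format:emailAddress" -and
                                         $rules -match 'spnamequalifier"\]\s*=\s*"saml"')
}

foreach ($c in $checks.GetEnumerator()) {
    "{0,-4} {1}" -f ($(if ($c.Value) { "PASS" } else { "FAIL" }), $c.Key)
}

# Certificate validity: an expired certificate is one cause of
# "The encryption/signing certificate ... is not valid".
$certs = @($rp.EncryptionCertificate) + @($rp.RequestSigningCertificate) | Where-Object { $_ }
foreach ($cert in $certs) {
    "Cert {0} expires {1:yyyy-MM-dd} (days left: {2})" -f $cert.Thumbprint, $cert.NotAfter,
        [int]($cert.NotAfter - (Get-Date)).TotalDays
}

# "None" means the revocation-check workaround from this section is active, so AD FS
# will no longer reject a revoked SP certificate; review this after the certificate is renewed.
"Encryption cert revocation check: $($rp.EncryptionCertificateRevocationCheck)"
"Signing cert revocation check:    $($rp.SigningCertificateRevocationCheck)"
```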