SSO with Microsoft AD FS – internal network only

Warning
Use this manual only if you cannot use the default and recommended method for configuring Microsoft AD FS for Zivver.

Configuring SSO using the method described in this manual causes SSO to stop working when your AD FS certificate expires. After expiration, you must manually update the AD FS metadata in Zivver.

Configuring SSO using this method also prevents users from logging in to Zivver outside your internal network. This may cause login issues when, for example, working from home.

Introduction

Zivver supports Single Sign-On (SSO) via Microsoft AD FS, allowing users to log in to Zivver with their workplace credentials. This manual shows how to set up SSO as a Zivver administrator.

SSO works based on Security Assertion Markup Language (SAML) v2.0; in this scenario, Microsoft AD FS acts as the Identity Provider (IdP), and Zivver acts as the Service Provider (SP).

To activate SSO in Zivver, you must meet the following requirements:

  1. You are a Zivver administrator.
  2. You have access to the AD FS management console on the AD FS server.
Note
This page only describes the steps to set up SSO in Zivver for AD FS accessible only from an internal network. For all other required steps, please see SSO with Microsoft AD FS.

Set up SSO in Zivver using the alternate method

  1. Log in to the Zivver WebApp.
  2. Click Organization Settings.
  3. Expand User administration.
  4. Click Single Sign-on.
  5. Select Manually.
    The following steps help you retrieve the SAML metadata from AD FS so you can paste it in the Zivver WebApp.
  6. Log in to your AD FS server.
  7. Open a browser.
  8. Enter the URL of AD FS, followed by /FederationMetadata/2007-06/FederationMetadata.xml.
    Example: https://adfs.organisation_domain.tld/FederationMetadata/2007-06/FederationMetadata.xml.
    Modern browsers automatically save a file named FederationMetadata.xml. In IE11, you can save the page as an .xml file using Ctrl + S.
Tip
Use the PowerShell cmdlet Get-AdfsEndpoint -AddressPath "/FederationMetadata/2007-06/FederationMetadata.xml" to find your AD FS metadata URL.
The URL will typically look like: https://adfs.organisation_domain.tld/FederationMetadata/2007-06/FederationMetadata.xml
  9. Open the FederationMetadata.xml file in Notepad.
    Opening it in Notepad is important because you need the metadata as plain text.
  10. Select and copy the full content of the .xml file.
  11. Go back to the Single Sign-on page in Zivver.
  12. Paste the full content into the text box under Identity Provider’s .XML.
  13. Click .
  14. At the top of the page, click .
Note
Zivver is now configured to work with Single Sign-On; however, AD FS has not yet been configured to handle incoming authentication requests from Zivver. When SSO is enabled in the Zivver admin panel, Zivver will only authenticate users via the Identity Provider. This may cause login problems for users created before SSO is fully configured. Users will remain logged in and will not be logged out when you toggle SSO on or off. Zivver administrators can always log in to Zivver with a username and password, even if AD FS is not yet configured to work with Zivver.
  15. Click under Zivver metadata URL. You can use this URL in the next steps.
    Zivver is now set up to work with Single Sign-On. The next and final step is to adjust the settings in the AD FS Management Console.

Continue with the steps in SSO with Microsoft AD FS.
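
Because this method stops working when the AD FS certificate expires, it helps to know the expiry dates of the certificates in the metadata you pasted. The following PowerShell script is an added example, not part of the Zivver or Microsoft documentation; the file location and the 30-day warning threshold are assumptions you can change.

```powershell
# Added example: list the certificates in the IdP section of a saved
# FederationMetadata.xml and show how many days remain before each expires.
param(
    [string]$MetadataPath = ".\FederationMetadata.xml",  # assumed save location
    [int]$WarnDays = 30                                   # assumed warning threshold
)

# Parse the metadata file that was saved from the AD FS metadata URL.
[xml]$metadata = Get-Content -LiteralPath $MetadataPath -Raw

# SAML 2.0 metadata and XML Signature namespaces used by the XPath queries.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Only the Identity Provider role is relevant when AD FS acts as the IdP.
$keys = $metadata.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor", $ns)
if ($keys.Count -eq 0) {
    throw "No IDPSSODescriptor/KeyDescriptor element found in $MetadataPath"
}

$now = Get-Date
$report = foreach ($key in $keys) {
    $node = $key.SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
    if ($null -eq $node) { continue }   # KeyDescriptor without an embedded certificate

    # The element holds the DER-encoded certificate as base64 text.
    $der  = [Convert]::FromBase64String($node.InnerText)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    # A KeyDescriptor without a "use" attribute applies to signing and encryption.
    $use = $key.GetAttribute("use")
    if (-not $use) { $use = "signing+encryption" }

    [pscustomobject]@{
        Use        = $use
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = if ($daysLeft -lt 0) { "EXPIRED" }
                     elseif ($daysLeft -le $WarnDays) { "RENEW SOON" }
                     else { "OK" }
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize
```

When a certificate is listed as EXPIRED or RENEW SOON, download the metadata again after the certificate has been renewed in AD FS and paste the new content into Zivver as described above.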