Microsoft AD FS

The following steps describe how to configure SAML SSO in Active Directory Federation Services (AD FS).

Download the SSO settings for your iManage environment

Before you begin, download the settings in XML format for your iManage environment. These settings are used to configure the Microsoft Active Directory Federation Services (AD FS) SSO settings for your iManage environment.

In iManage Control Center, navigate to Network & Security > Authentication & SSO, then select Download XML.

Figure: Download XML option in iManage Control Center


Configure SSO in Microsoft AD FS

Complete the following steps in Microsoft AD FS to configure single sign-on for iManage users.

For more information, see the following Microsoft article: Create a Relying Party Trust.

NOTE:

The instructions may vary based on your version of Microsoft Windows Server.

  1. In Server Manager, select Tools, and then select AD FS Management.

  2. Under Actions, select Add Relying Party Trust.

    NOTE:

    When migrating from the Identity Provider (Legacy) SAML SSO to the Service Provider (Recommended) SAML SSO configuration in iManage Control Center, we recommend that you do not modify an existing Relying Party Trust. Creating a new Relying Party Trust enables you to preserve your existing SSO application and roll back to it if the need arises.

  3. Complete the steps in the To create a claims aware Relying Party Trust manually section using the following selections:

    1. On the Welcome page, select Claims aware and select Start.

    2. On the Select Data Source page, select Import data about the relying party from a file.

    3. Select Browse, then locate and select the XML file you downloaded from iManage Control Center.

    4. Select Next.

    5. On the Specify Display Name page, enter a descriptive name in the Display name field—for example, iManage, and then select Next.

    6. On the Choose Access Control Policy page, select the access control policy required for your configuration, such as Permit Everyone, and then select Next.

    7. On the Ready to Add Trust page, review your relying trust configuration settings, and then select Next.

    8. On the Finish page, select Configure claims issuance policy for this application, and then select Close.
      The Edit Claim Issuance Policy for <server> window opens.

    9. On the Edit Claim Issuance Policy for iManage page, select Add Rule.

    10. Choose Send LDAP attributes as claims, and select Next. The Add Transform Claim Rule Wizard appears.
      Figure: Add Transform Claim Rule Wizard

    11. In the Add Transform Claim Rule Wizard, select Next.

    12. In the Configure Claim Rule step, enter or select the following information:

      1. In Claim rule name, enter Name.

      2. In Attribute Store, select Active Directory.

      3. In the Mapping section, select:

        • LDAP Attribute: SAM-Account-Name
          This value must match the format of your iManage user IDs in iManage Control Center.

        • Outgoing Claim Type: Name ID
          Figure: Configure Claim Rule

    13. Select Finish.

    14. Select Save and then select Apply.

  4. Navigate to AD FS > Service > Endpoints.

  5. Locate and select the entry for the Federated metadata.
    Figure: Federated Metadata

  6. In a browser, enter the URL for your Windows Server followed by the path shown for the federated metadata—for example:
    https://<server_name>/federationmetadata/2007-06/FederationMetadata.xml
    The XML file is displayed in your browser.

    NOTE:

    Do not use Internet Explorer. Internet Explorer does not allow you to save the displayed XML as an XML file.

  7. To save the displayed XML as a file, right-click in your browser, and select Save As.

  8. Enter a file name and select Save.

  9. Import the Federated Metadata XML file into iManage Control Center by returning to iManage Control Center and completing the steps in Authentication & SSO.
    Note that any users who were actively signed in to iManage Work when this configuration change occurs will receive an error message "SAML Login Error - logout_not_success" if they attempt to sign out of iManage. This is expected behavior for this one time only. After launching a new browser, signing in or out of iManage will not trigger this error message.

Configure AD FS to sign the SAML response and assertion

To configure AD FS to sign both the SAML response and assertion:

  1. Open PowerShell on the AD FS server.

  2. Run the following command, and replace <relying party display name> with the display name you configured in step 3.5 (the Specify Display Name page) in Configure SSO in Microsoft AD FS.

    Set-ADFSRelyingPartyTrust -TargetName <relying party display name> -SamlResponseSignature "MessageAndAssertion"

    For example:

    Set-ADFSRelyingPartyTrust -TargetName iManage -SamlResponseSignature "MessageAndAssertion"

  3. Run the following command, and replace <relying party display name> with the display name you configured in step 3.5 (the Specify Display Name page) in Configure SSO in Microsoft AD FS. This command turns off revocation checking for the certificate the relying party uses to sign its requests.

    Set-ADFSRelyingPartyTrust -TargetName <relying party display name> -SigningCertificateRevocationCheck None

    For example:

    Set-ADFSRelyingPartyTrust -TargetName iManage -SigningCertificateRevocationCheck None
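The following script is an added example, not part of the iManage documentation or the AD FS product: it applies the two settings from this section and then reads the relying party trust back to verify them, together with the Name ID claim rule created in step 3.12 above. It assumes the trust was given the display name "iManage" in step 3.5 and that it runs in an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not from the iManage documentation). Assumes the relying party
# trust display name "iManage" from step 3.5 and an elevated session on the AD FS server.
Import-Module ADFS
$rpName = 'iManage'

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found; check the display name from step 3.5." }

# Apply the two settings from this section.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlResponseSignature 'MessageAndAssertion'
# 'None' disables revocation checking of the certificate the relying party uses to sign
# its requests. The procedure requires it, so record the change in your change log.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SigningCertificateRevocationCheck 'None'

# Read the trust back and check every setting this page depends on.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$problems = @()

if ($rp.SamlResponseSignature -ne 'MessageAndAssertion') {
    $problems += "SamlResponseSignature is '$($rp.SamlResponseSignature)', expected 'MessageAndAssertion'"
}
if ($rp.SigningCertificateRevocationCheck -ne 'None') {
    $problems += "SigningCertificateRevocationCheck is '$($rp.SigningCertificateRevocationCheck)', expected 'None'"
}

# Step 3.12 (Send LDAP Attributes as Claims, SAM-Account-Name -> Name ID) produces an
# issuance rule that queries sAMAccountName and issues the nameidentifier claim type.
$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$rules = [string]$rp.IssuanceTransformRules
if ($rules -notmatch [regex]::Escape($nameIdType) -or $rules -notmatch 'sAMAccountName') {
    $problems += 'No issuance rule maps sAMAccountName to Name ID; repeat step 3.12'
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Relying party trust '$rpName' is configured as documented."
}

# Summary of the settings that were checked.
$rp | Select-Object Name, Identifier, SamlResponseSignature, SigningCertificateRevocationCheck
```

If the rule check fails, the Name ID claim will be missing from the assertion and iManage cannot match the user, which is the most common cause of a failed sign-in after this configuration.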

Troubleshooting

If single sign-on is not performing as expected, review the AD FS logs for errors.

Open Event Viewer and navigate to Applications and Services Logs > AD FS > Admin.