ADFS (SSO) Configuration for Laurel
Written by Nick Bazley

Laurel requires our customers and users to log in with an SSO provider. This article provides the steps required to set up ADFS as a login method for Laurel services.

Adding Laurel as a relying party trust

These instructions are for Windows Server 2016, but the process is similar for other Windows Server versions.

  1. Ensure the ADFS Management console is open

  2. Right click "Relying Party Trust" and select "Add Relying Party Trust..."

  3. Select "Claims Aware"


  4. Select "Enter data about the relying party manually"


  5. Set the "Display Name" to "Laurel" (or an equivalent identifier) and provide notes if applicable.

  6. Skip the optional certificate configuration for the claims

  7. Check "Enable support for the WS-Federation Passive protocol" and input the following URL:

  8. In "Relying party trust identifier" input urn:auth0:lrl-id-prd and click "Add"

  9. Advance through the next two sections and leave all settings as default including "permit all users..." for the access control policy.

    1. Laurel enforces its own access controls: although ADFS permits all users, anyone who has not been enabled within Laurel will still not have access.

  10. Finish and ensure "configure claims issuance policy for the application" is checked.

Configuring claims

  1. Click "Add Rule..." in the "Edit Claim Issuance Policy for Laurel" dialog

  2. Set "Claim rule template" to "Send LDAP Attributes as Claims"


  3. Match the claim configuration below, and make sure to set "Claim rule name" to "Laurel Claims"

  4. Set "Attribute store" to "Active Directory" and update "Mapping of LDAP attributes to outgoing claim types" as follows:

    1. E-Mail-Addresses → E-Mail Address

    2. Display-Name → Name

    3. User-Principal-Name → Name ID

    4. Given-Name → Given Name

    5. Surname → Surname

  5. Select "Finish"
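The two console procedures above (adding the relying party trust, then the "Send LDAP Attributes as Claims" rule) expressed as a single ADFS PowerShell script, so the configuration can be reviewed and re-applied consistently. This is an added example, not a script from the article or from Laurel. It assumes an elevated session on the Windows Server 2016 ADFS server; the WS-Federation passive URL is a placeholder because the article does not include it, and "Permit everyone" is the built-in Server 2016 access control policy that the console's "permit all users" option corresponds to. The LDAP attribute names in the rule (mail, displayName, userPrincipalName, givenName, sn) are the schema names behind the friendly names shown in the console.

```powershell
# Added example (not from the Laurel article): console steps 1-10 and the claim
# rule as ADFS PowerShell. Run in an elevated session on the ADFS server.
Import-Module ADFS

$RelyingPartyName = 'Laurel'
$Identifier       = 'urn:auth0:lrl-id-prd'                    # from the article (step 8)
# ASSUMPTION / PLACEHOLDER: the article omits the WS-Federation passive URL.
# Replace with the URL Laurel provides before running.
$WsFedEndpoint    = 'https://PLACEHOLDER-LAUREL-WSFED-URL/'

# Claim rule in ADFS claim rule language. This is the text the "Send LDAP
# Attributes as Claims" template generates for the five mappings in step 4:
#   mail -> E-Mail Address, displayName -> Name, userPrincipalName -> Name ID,
#   givenName -> Given Name, sn -> Surname.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Laurel Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,displayName,userPrincipalName,givenName,sn;{0}", param = c.Value);
'@

$TrustParams = @{
    Name                    = $RelyingPartyName
    Identifier              = $Identifier
    WSFedEndpoint           = $WsFedEndpoint          # step 7: WS-Federation passive protocol
    AccessControlPolicyName = 'Permit everyone'       # step 9: Laurel enforces its own user list
    IssuanceTransformRules  = $IssuanceRules          # claims section, rule "Laurel Claims"
    Notes                   = 'Laurel SSO (WS-Federation passive); claims: email, name, UPN as Name ID, given name, surname'
}

$Existing = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName -ErrorAction SilentlyContinue
if (-not $Existing) {
    Add-AdfsRelyingPartyTrust @TrustParams
} else {
    # Trust already exists (e.g. created in the console): only refresh the claim rule.
    Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $IssuanceRules
}

# Review what ADFS now holds for the trust before submitting the metadata.
$Trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
'{0}: identifier={1} wsfed={2} policy={3}' -f $Trust.Name, ($Trust.Identifier -join ','), $Trust.WSFedEndpoint, $Trust.AccessControlPolicyName
$Trust.IssuanceTransformRules
```

The script is idempotent: on a server where the trust was already created in the console it leaves the trust alone and only replaces the issuance rules, which is the safe way to correct a typo in the claim mapping without re-entering the trust.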

Submitting your FederationMetadata

Please submit a support ticket with TBP with the following information:

  1. Your FederationMetadata.xml file (includes public certificate and endpoints)

  2. A complete list of users that require access to Laurel, formatted as firstName, lastName, emailAddress (e.g. Ryan, Alshak, [email protected])

You can usually find your FederationMetadata.xml at https://yourdomain.extension/FederationMetadata/2007-06/FederationMetadata.xml.

If that is not the right endpoint, check your ADFS endpoints to verify the metadata URL path.
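One way to do that check from the ADFS server itself, added here as an example and not part of the article: list the farm's endpoints to find the metadata path, download the document, and confirm that the token-signing certificate ADFS is actually using is the one published in the file you are about to submit. Cmdlet names and properties are the standard ADFS module ones; the metadata URL is read from the farm rather than typed in, so it works whether or not your farm uses the path pattern shown above.

```powershell
# Added example (not from the Laurel article): locate the federation metadata
# endpoint, download the document, and cross-check its published certificates
# against the farm's token-signing certificate(s). Run on the ADFS server.
Import-Module ADFS

$MetadataEndpoint = Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '*/FederationMetadata/2007-06/FederationMetadata.xml' }

if (-not $MetadataEndpoint) { throw 'Federation metadata endpoint not found on this farm.' }
if (-not $MetadataEndpoint.Enabled) { Write-Warning 'Metadata endpoint exists but is disabled; enable it or export the file another way.' }

$MetadataUrl = $MetadataEndpoint.FullUrl
"Metadata URL: $MetadataUrl"

# Download the file you will attach to the support ticket.
$OutFile = Join-Path $env:TEMP 'FederationMetadata.xml'
Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

[xml]$Metadata = Get-Content -Path $OutFile -Raw
'EntityID: {0}' -f $Metadata.EntityDescriptor.entityID

# Collect every X509Certificate element regardless of namespace prefix and
# compute its thumbprint, so we can compare against what ADFS reports.
$PublishedThumbprints = $Metadata.SelectNodes("//*[local-name()='X509Certificate']") |
    ForEach-Object {
        $Bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Bytes)).Thumbprint
    } | Sort-Object -Unique

$SigningThumbprints = Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object -ExpandProperty Thumbprint

foreach ($Tp in $SigningThumbprints) {
    if ($PublishedThumbprints -contains $Tp) {
        "OK   token-signing certificate $Tp is published in $OutFile"
    } else {
        # Typically means the metadata was cached before a certificate rollover.
        Write-Warning "Token-signing certificate $Tp is NOT in the downloaded metadata; re-download after the rollover completes before submitting."
    }
}
```

If a token-signing certificate is reported as missing, the file would let Laurel validate tokens only against the old certificate, so wait for the rollover to finish (or re-download once it has) rather than submitting a stale document.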

If you have additional questions or require assistance, please reach out to your Laurel solutions team or account manager.
