Sign In To The Enterprise Identity Administrator Console
You can use your Microsoft Active Directory (AD) as the identity provider (IdP) for your enterprise users to sign in to Aternity via SSO with their network username and password. Single Sign-On (SSO) brings the most secure access to Aternity by bypassing Aternity's sign-in screen and authenticating with your enterprise's chosen identity provider (IdP) just once, using passwords, two-factor authentication (2FA), or even biometrics. Every time you access Aternity as an SSO user, it automatically reroutes you securely to the IdP, and after authentication it routes you back to your Aternity home page as a signed-in user.
SSO uses the secure SAML 2.0 protocol to delegate the entire authentication process to the IdP. To act as an SSO IdP, AD requires an additional module called Active Directory Federation Services (AD FS). Aternity's SSO supports AD FS 2.0 or 3.0. Use Active Directory as your identity provider for SSO access.
Follow the procedure in. When creating the relying party trust, use these settings and parameters in the wizard:
Welcome page (AD FS 3.0 only): Select Claims Aware to ensure it can receive requests from Aternity SSO for authentication and identification.
Select Data Source: Select Enter data about the relying party manually, so that you can enter details about the relying party (Aternity SSO).
Choose profile (AD FS 2.0 only): Select AD FS profile. Aternity SSO does not support AD FS 1.0.
Configure Certificates: Accept the default settings. Change these settings only if you want to encrypt the requests ('claims') to AD FS for identification and authentication.
Configure URL: Select Enable Support for the SAML 2.0 WebSSO protocol, as this is the protocol which Aternity uses for its SSO implementation.
Relying party SAML 2.0 service URL: Enter the URL to which AD FS sends the user back to Aternity after authentication (also known as the SP consumer URL). Use the following format: For example, if your enterprise's SSO subdomain is mycompany and your Aternity SaaS system is at the URL would be
Configure Identifiers, Relying party trust identifier: Enter the URL that AD FS uses to identify Aternity in your organization in authentication requests and responses (also known as the SP Entity ID). Use this format: For example, if your enterprise's SSO subdomain is mycompany and your Aternity SaaS system is at the URL would be
Choose Issuance Authorization Rules (AD FS 2.0 only): Select Permit all users to access this relying party to enable SSO for all of your Active Directory users. You limit access to Aternity by choosing the usernames which you add to the Aternity system.
Every SSO user must also be listed in Aternity to define their permissions and roles.
Step 3. Configure the properties of the relying party trust which you just created. Select Relying Party Trusts in the left sidebar, then in the center pane right-click your Aternity relying party trust and select Properties.
Open the relying party trust properties:
Advanced, Secure hash algorithm: Select SHA-256 or SHA-1.
Aternity connects to the AD FS via what they call an endpoint, which manages the authentication process. Create the endpoint by selecting Endpoints > Add SAML.
Add an AD FS endpoint to enable SSO communication:
Endpoint type: Select SAML Assertion Consumer, which manages authentication communication with Aternity (the consumer).
Binding: Select POST so that the authentication data is not carried in the URL of SSO HTTP requests and the requests are not cached.
Trusted URL: Enter the same URL as the Relying party SAML 2.0 service URL. Use this format: For example, if your enterprise's SSO subdomain is mycompany and your Aternity SaaS system is at the URL would be.
Step 4. Create a claims rule to configure the attributes which identify the user before processing the authentication request. Right-click the relying party trust you created and select Edit Claim Issuance Policy.
Follow the instructions to, until you reach the Configure Claim Rule screen. Aternity SSO uses the email address to identify the user. Therefore, when creating a claim rule, you need to map the AD's E-Mail-Addresses field to the Name ID field, which Aternity uses to identify the user.
Map the LDAP's email address as the Name ID sent for SSO:
Attribute store: Select Active Directory to send a field from the AD as the identifier.
Mapping of LDAP attributes to outgoing claim types: Map the AD's email address as the identifier of the user. In the LDAP Attribute column, select E-Mail Addresses. In the Outgoing Claim Type column, select Name ID. The Email Addresses field is mandatory, but you can optionally add more.
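As an added example that is not part of this documentation, the following PowerShell script performs the same relying party trust setup (identifier, POST assertion consumer endpoint, SHA-256, permit-all authorization rule, and the E-Mail-Addresses to Name ID claim rule) on AD FS 3.0 using the AD FS PowerShell module. The two URL values are placeholders, since the exact Aternity URL formats are not reproduced on this page; the claim type URIs are the standard AD FS ones.

```powershell
# Added example, not Aternity's own code: scripted equivalent of the AD FS 3.0
# wizard steps described above. Run in an elevated PowerShell on the AD FS server.
Import-Module ADFS

$rpName     = 'Aternity SSO'
# Placeholders: take the real values from your Aternity SSO configuration page.
$spEntityId = 'https://<ATERNITY-SP-ENTITY-ID-PLACEHOLDER>'   # Relying party trust identifier (SP Entity ID)
$acsUrl     = 'https://<ATERNITY-SP-CONSUMER-URL-PLACEHOLDER>' # Relying party SAML 2.0 service URL (SP consumer URL)

# Endpoint: SAML Assertion Consumer with POST binding, same URL as the service URL,
# so the assertion travels in the request body rather than in a cacheable URL.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $acsUrl -Index 0 -IsDefault $true

# Issuance transform rule: send the AD mail attribute as the outgoing Name ID claim
# (the "Send LDAP Attributes as Claims" template, E-Mail-Addresses -> Name ID).
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Issuance authorization rule: permit all users; who can actually use Aternity is
# still limited to the usernames listed in Aternity itself.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the relying party trust. SHA-256 is chosen for the secure hash algorithm.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $spEntityId `
    -SamlEndpoint $acsEndpoint `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Check that the trust carries the settings the procedure calls for.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, SignatureAlgorithm, Enabled
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
```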
The AWS Console Home page features various types of resources to help you learn about the services and features AWS has to offer and get started with building your solutions faster. The 'Build a solution' section features simple automated wizards and workflows that enable you to create the resources you need for the solution you are seeking. The 'Learn to build' section directs you to aggregated learning and training resources organized by solution type and use case. These resources include tutorials, videos, self-paced labs, project guides, and documentation. With Resource Groups, you can view collections of resources that share common tags. Streamline your use of the console by creating a resource group for each application, service, or collection of related resources that you work with regularly.
Quickly navigate to each saved resource group using the “AWS” menu. Resource Groups are specific to each identity, so each user in an account can create unique Resource Groups for frequently accessed resources and common tasks. Users can also use a URL to share Resource Group definitions with others in the same account.
You can also use the Resource Group Tagging API for some operations. For more information, see the.