Requirements for the ADFS integration:
Microsoft Windows Server 2008 R2 or higher, running ADFS 2.0 or higher.
Your ADFS server must be publicly available (NAT translation or using a federation proxy/Web Application Proxy) for users to authenticate outside of your local network.
Instructions are based on ADFS 3.0. For ADFS 2.0 servers, you may notice some slight differences in the configuration.
DISCLAIMER: If the integration is not behaving as expected after the initial setup, you'll want to double-check the points below. These are three of the most common steps that we see integrated incorrectly.
Production Metadata - do not use staging or sandbox metadata.
Signed Metadata - both the federation metadata and the SAML assertions must be signed, at both ends of the exchange (your ADFS server and Motivosity).
This integration is meant to redirect to your login page - We don't pass any information to a backend system. We just redirect the user to your login page, and you send back a signed assertion to us containing the unique identifier of the authenticated person (i.e. their email address).
Setting up the ADFS integration:
Customize your Motivosity domain name (for this example, we’ll use “abc”). Logged in with administrative rights, go to Setup > Preferences and choose your domain name.
Navigate to the Integrations page within Setup > Integrations and click 'ADFS'.
Once you click 'ADFS' a pop-up should appear asking you to activate. Click 'Activate'.
Once activated, you'll be directed to the ADFS Integrations page. From here, export your ADFS XML federation metadata. This is typically available at the following URL: https://[adfs-server-fqdn]/FederationMetadata/2007-06/FederationMetadata.xml
Log into your ADFS server with administrative rights.
Open the ADFS administration console.
Navigate to Trust Relationships > Relying Party Trusts.
Select Add Relying Party Trust.
The Add Relying Party Trust wizard will open. Select Start.
Select the option to Enter Data Manually.
Provide a friendly display name and any notes desired.
Select the ADFS Profile for compatibility with SAML 2.0.
Click Next at the Configure Certificate page (skip this step).
At the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol and specify the URL https://app.motivosity.com/sso/saml in the Relying party SAML 2.0 SSO service URL field.
At the Configure Identifiers page, enter https://motivosity.com and select “Add”. You will also need to add https://app.motivosity-sandbox.com for Test and https://app.motivosity.com for Production.
At the Configure Multifactor Authentication Now? step, click next (skip this step).
At the Configure Issuance Authorization Rules step, select Permit All Users to access this relying party.
Select the check box to Open the Edit Claim Rules dialog for this relying party trust when the wizard closes.
Under the Issuance Transform Rules tab, click Add Rule…
From there, select 'Transform an Incoming Claim' under Claim rule template.
Next, supply a rule name. For Incoming claim type, select “UPN”; for Outgoing claim type, select “Name ID”; for Outgoing name ID format, select “Email”.
Click OK. Click Apply and OK to exit the claim rules configuration.
Navigate to your custom domain (https://abc.motivosity.com). This should redirect you to login on your ADFS page. Upon successful login, you will be redirected to your Motivosity portal.
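For administrators who prefer to script the relying party trust instead of clicking through the wizard, the following is an added PowerShell example (not part of this guide, and not Motivosity's or Microsoft's own script) that creates the same trust, claim rule and authorization rule described in the steps above using the ADFS module's Add-AdfsRelyingPartyTrust cmdlet. The display name, the notes text and the SHA-256 signature algorithm setting are assumptions; the endpoint URL and identifiers are the ones given in this guide.

```powershell
# Added example: scripted equivalent of the Add Relying Party Trust wizard steps above.
# Assumptions: run in an elevated PowerShell session on the ADFS server (ADFS 3.0 module shown;
# on ADFS 2.0 use Add-PSSnapin Microsoft.Adfs.PowerShell instead of Import-Module).
Import-Module ADFS

$rpName      = 'Motivosity'                           # friendly display name (assumed)
$acsUrl      = 'https://app.motivosity.com/sso/saml'  # Relying party SAML 2.0 SSO service URL (from the guide)
$identifiers = @(
    'https://motivosity.com',        # identifier from the Configure Identifiers step
    'https://app.motivosity.com'     # Production; use https://app.motivosity-sandbox.com for Test
)

# SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding) for the relying party.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true

# Claim rule language equivalent of the "Transform an Incoming Claim" rule:
# incoming UPN -> outgoing Name ID, with the Name ID format set to email address.
$transformRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID (email)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit All Users to access this relying party" issuance authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Signing assertions with RSA-SHA256 rather than SHA-1 is a hardening choice assumed here,
# not a requirement stated in the guide.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifiers `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -Notes 'Motivosity SAML 2.0 SSO for https://abc.motivosity.com (example domain)'

# Verify the result: trust exists, identifiers and ACS endpoint are registered, signature algorithm is set.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, @{ n = 'ACS'; e = { $_.SamlEndpoints.Location } }
```

After running it, test the login flow exactly as in the last step of the guide by browsing to your custom domain.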