1 Mercell ADFS setup
1.1 Requirement for Mercell ADFS service
1.2 Configuration of SSO on Mercell website
1.2.1 Solution description
1.2.2 Configuration on Mercell website
1.3 Configuration of ADFS server
2 Optional configuration of persistent Single Sign-On on ADFS server
3 For the customer's IT-department: MS ADFS specialist
4 New Users
5 Change History Record

...

Requirement for Mercell ADFS service

  1. An operational ADFS server

  2. A public URL to the server

  3. A Federation metadata URL from the Mercell website

  4. The Mercell SSO product

Configuration of SSO on Mercell website

Solution description

  1. The customer's IT department must establish the SSO trust. They must assign all the users that should participate in the trust to Mercell before SSO can work. (Additional users can be added later.) They also need to ensure the correct settings for the SSO relying party trust.

  2. The customer's IT department enters the SSO information. (This is filled in as described in the next slides, so that SSO is activated from the customer side. The customer can easily do this themselves with their IT department.)

  3. The customer's users can now connect using SSO. This can be done in two ways:
     a) The customer can use a URL from Mercell to connect via their intranet, which redirects them to their own familiar SSO server, where they must log in if they are not already logged in. After this login, they are instantly and automatically logged into Mercell.
     b) The customer can click on any URL from Mercell, or just the my.mercell.com address, where they will get the usual sign-on page from the Mercell Portal. They press the Single Sign-On login button, fill in their own mail address and click the login button, which redirects them to their own familiar SSO server, where they must also provide their password. Once they complete their login, they are instantly and automatically logged into Mercell.

...

Configuration on Mercell website


  1. Log in to the Mercell website as customer admin

  2. Click on the company name

  3. Click on the Single sign-on icon

  4. Click Add new

  5. Enter a name (use your company name), set the domain to your company domain, and click Save

  6. If you have several email domains that should be linked with different customers in Mercell, set "Email domain" to the users' primary mail (SMTP) and check "Match e-mail to domain". This enables a shared SSO connection that directs users from a shared AD to several customers in Mercell.

...

If you usually use your corporate intranet for SSO login, continue to do so as before. If you use a URL from Mercell, or connect directly to https://my.mercell.com/da-dk/m/logon/, you only need to click the button called «SSO login».
You will then have to enter your company e-mail address and click «Login». You are then redirected to your own local SSO server to enter your password. The "Remember me" checkbox can be used to ensure that the user is redirected directly to your own local SSO server when accessing Mercell.com. If login fails at the local SSO server, the user can access this page again and make changes. After you have entered your password on your local corporate SSO server, you are redirected back to Mercell and are automatically logged into our portal. You arrive either at your usual starting homepage or at the specific Mercell URL you originally clicked.

Configuration of ADFS server

  1. Click add Relying Party Trust

  2. Insert Federation metadata link from Mercell website, click next

...

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,givenName,sn,userPrincipalName;{0}", param = c.Value);
```
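The claim rule above pairs the LDAP attributes in `query` with the claim types in `types` by position, so a reordered or shortened list would release the wrong value as the e-mail address that Mercell matches on. The following check is an added example, not Mercell's or Microsoft's code; the `EXPECTED` pairing and the function names are assumptions made for illustration.

```python
import re

# Claim rule copied from the page (one LDAP attribute-store rule).
RULE = '''c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,givenName,sn,userPrincipalName;{0}", param = c.Value);'''

# Assumed pairing for this rule: LDAP attribute -> last segment of claim type.
EXPECTED = {"mail": "emailaddress", "givenname": "givenname",
            "sn": "surname", "userprincipalname": "upn"}

def parse_mapping(rule):
    """Return [(ldap_attribute, claim_type_uri), ...] in positional order."""
    types_m = re.search(r'types\s*=\s*\((.*?)\)', rule, re.S)
    query_m = re.search(r'query\s*=\s*"([^"]*)"', rule)
    if not types_m or not query_m:
        raise ValueError("not an attribute-store issue() rule")
    types = re.findall(r'"([^"]+)"', types_m.group(1))
    # Query layout: <filter>;<attribute list>;<parameter>
    parts = query_m.group(1).split(";")
    if len(parts) != 3:
        raise ValueError("query must be '<filter>;<attributes>;<param>'")
    attrs = [a.strip() for a in parts[1].split(",") if a.strip()]
    if len(attrs) != len(types):
        raise ValueError(f"{len(attrs)} attributes but {len(types)} claim types")
    return list(zip(attrs, types))

def check_rule(rule):
    """Return a list of findings; an empty list means the mapping is as expected."""
    findings = []
    mapping = parse_mapping(rule)
    for attr, uri in mapping:
        want = EXPECTED.get(attr.lower())
        got = uri.rstrip("/").rsplit("/", 1)[-1]
        if want is None:
            findings.append(f"unexpected attribute released: {attr}")
        elif want != got:
            findings.append(f"{attr} is issued as '{got}', expected '{want}'")
    missing = set(EXPECTED) - {a.lower() for a, _ in mapping}
    findings += [f"attribute not released: {m}" for m in sorted(missing)]
    return findings

if __name__ == "__main__":
    for attr, uri in parse_mapping(RULE):
        print(f"{attr:18} -> {uri}")
    print(check_rule(RULE) or "mapping OK")
```

Run it against the rule text exported from the relying party trust before enabling SSO for users; any finding means a claim would carry a different directory attribute than its type suggests.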

...

Optional configuration of persistent Single Sign-On on ADFS server

  1. Run Windows PowerShell as admin

  2. Run "Set-AdfsProperties -EnableKmsi 1"

  3. The ADFS login page now shows a checkbox that users can check to stay signed in.

For the customer's IT-department: MS ADFS specialist

Script for extracting users that need to be mapped to Mercell.
Script:

...

The processes for creating new users are also significantly affected before, during and after the production. The success of the implementation depends on good control of the monitoring of this, as well as good communication with all relevant users involved.

New Users

Find more about new users here
