ADFS setup
Here you can learn more about ADFS
Requirements for the Mercell ADFS service
An operational ADFS server
A public URL to that server
A Federation metadata URL from the Mercell website
The Mercell SSO product
Configuration of SSO on the Mercell website
Solution description
The customer's IT department must establish the SSO trust. They must map all users that should participate in the trust to Mercell before SSO can work (additional users can be added later), and they must ensure that the relying party trust is configured with the correct settings.
The customer's IT department inserts the SSO information on the Mercell website, as described in the following steps, so that SSO is activated from the customer side. The customer can do this themselves together with their IT department.
Customer users can now connect using SSO in two ways:
a) The customer uses a URL from Mercell on their intranet, which redirects them to their own familiar SSO server, where they must log in if they are not already logged in. After this login they are immediately and automatically logged into Mercell.
b) The customer clicks any URL from Mercell, or just the my.mercell.com address, and gets the usual sign-on page from the Mercell portal. They press the Single Sign-On login button, fill in their own e-mail address and click Login, which redirects them to their own familiar SSO server, where they must provide their password. Once they complete that login they are immediately and automatically logged into Mercell.
Configuration on Mercell website
Log in to the Mercell website as customer admin
Click on the company name
Click on the Single sign-on icon
Click Add new
Type a name (use your company name), set the domain to your company's domain and click Save
If you have several e-mail domains that should be linked to different customers in Mercell, set "Email domain" to the domain of the users' primary mail (SMTP) address and check "Match e-mail to domain". This enables a shared SSO connection that directs users from a shared AD to several customers in Mercell.
Click Update, insert your Federation server URL and click Update again
Example Federation server URL: https://adfs.company.com
The page now shows the links and XML for the SSO setup
Use the Federation metadata link to set up the claims on your ADFS server. Example link: https://my.mercell.com/m/logon/adfs/FederationMetadata.ashx?guid=xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxxxx
Your SSO setup is now complete. (SSO enforcement is optional, but recommended.)
SSO - the consequence of SSO enforcement
SSO enforcement notice!
Please ensure that all your users have been informed of the «SSO-only» switchover, otherwise they will see an error screen when they try to log in manually, without success. (That is why the go-live date should be planned for everyone.) The same alert also appears if you remove a user from your local MS ADFS server.
If you usually use your corporate intranet for SSO login, proceed as before. If you use a URL from Mercell, or connect directly to https://my.mercell.com/da-dk/m/logon/, you only need to click the button called «SSO login».
You then enter your e-mail address as used in your company and click «Login». You are redirected to your own local SSO server to enter your password. The "Remember me" checkbox can be used so that the next time you access Mercell.com you are redirected directly to your own local SSO server. If the login fails at the local SSO server, you can return to this page and make changes.
After you have entered your password in your local corporate SSO server, you are redirected back to Mercell, now automatically logged into our portal.
You arrive either at your usual start page or at the specific Mercell URL you originally clicked.
Configuration of ADFS server
Click Add Relying Party Trust
Insert the Federation metadata link from the Mercell website and click Next
Select Send Claims Using a Custom Rule
Insert a claim rule name, then copy and paste the following claim rule into the Custom rule text box. The condition Issuer == "AD AUTHORITY" ensures that the account name used for the Active Directory lookup comes from the local AD authentication and not from a claim supplied by another issuer.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,givenName,sn,userPrincipalName;{0}", param = c.Value);
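The same relying party trust can be created from PowerShell on the ADFS server instead of through the wizard. The following is an added example, not Mercell's or Microsoft's code: it first fetches the Federation metadata link from the Mercell SSO page and lists the certificates it contains (with expiry dates), then creates the trust with the claim rule from the step above and an issuance authorization rule that only permits members of one AD group, which is how "assign the users that should participate in the trust" can be enforced on the ADFS side rather than leaving the wizard's default of permitting all users. The metadata URL placeholder, the trust name and the group name Mercell-SSO-Users are assumptions to be replaced with your own values.

```powershell
# Added example (not Mercell's or Microsoft's code): create the Mercell relying party
# trust on ADFS with PowerShell, after inspecting the federation metadata it is built from.
# Assumptions (placeholders, replace with your own values):
#   $MetadataUrl  - the Federation metadata link shown on the Mercell SSO page
#   $TrustName    - display name of the trust in the ADFS console
#   $SsoGroupName - an AD security group containing the users allowed to use the trust
# Run in an elevated PowerShell session on the ADFS server (ADFS and AD modules installed).

$MetadataUrl  = 'https://my.mercell.com/m/logon/adfs/FederationMetadata.ashx?guid=xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxxxx'
$TrustName    = 'Mercell'
$SsoGroupName = 'Mercell-SSO-Users'   # assumed group name

Import-Module ADFS
Import-Module ActiveDirectory

# 1. Fetch the metadata over HTTPS and inspect it before anything trusts it.
$response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing
[xml]$metadata = $response.Content
$entityId = $metadata.DocumentElement.GetAttribute('entityID')
Write-Host "Relying party entityID: $entityId"

# List every certificate embedded in the metadata with its expiry date, so a
# certificate that is about to expire is noticed before the trust starts failing.
# local-name() is used so the query works whatever namespace prefix the file uses.
foreach ($node in $metadata.SelectNodes("//*[local-name()='X509Certificate']")) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    Write-Host ("  cert {0} expires {1:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.NotAfter)
}

# 2. Issuance transform rule: the LDAP attribute rule from the step above.
#    Single-quoted here-string so {0} is passed through literally.
$transformRules = @'
@RuleName = "Mercell attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,givenName,sn,userPrincipalName;{0}", param = c.Value);
'@

# 3. Issuance authorization rule: only members of the SSO group get a token.
#    Without this, the wizard's default "Permit all users" lets every AD account sign in.
$groupSid = (Get-ADGroup -Identity $SsoGroupName).SID.Value
$authorizationRules = @"
@RuleName = "Permit $SsoGroupName members"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# 4. Create the trust from the metadata URL. Monitoring and auto-update keep the
#    endpoints and certificates in sync if Mercell's published metadata changes.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# 5. Show what was created.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, Enabled, MonitoringEnabled, IssuanceAuthorizationRules
```

On ADFS 2016 and later the same restriction can be expressed as an access control policy assigned to the trust instead of a raw authorization rule; the group-scoped rule above works on ADFS 2012 R2 and later. Adding a user to the group (or removing one) then controls access to Mercell without touching the trust itself.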
Optional configuration of persistent Single Sign-On on ADFS server
Run Windows PowerShell as administrator
Run: Set-AdfsProperties -EnableKmsi $true
The ADFS login page now shows a "Keep me signed in" checkbox that users can tick to stay signed in.
For the customer's IT-department: MS ADFS specialist
Script for extracting the users that need to be mapped to Mercell.
Script:
Get-ADUser -Filter * | Format-Table Name,UserPrincipalName > C:\test\test.txt
or, preferably, as a CSV file:
Get-ADUser -Filter * | Select-Object Name,UserPrincipalName | Export-Csv -Path C:\test\users.csv -NoTypeInformation
The result should look like this:
Rabattavtale NO    rabattavtale@mercell.com
IUSR_web1    IUSR_web1@mercell.com
PdfADev    pdfadev@mercell.com
Test VPN    tv@mercell.com
This list is used to do an AD bind, which ensures that your existing users in our portal are not asked to register as new users when they start using SSO. As customer administrator you import it by first clicking "Export users". This exports an Excel file in which only "User ID" is editable. Note that the file must not be renamed, because a renamed file cannot be imported. Fill in the UserPrincipalName in "User ID", save the file and click "Import users". This maps the users already in Mercell to their AD user.
This can be repeated when new users need to be added. It can also be done per contact (my.mercell.com/m/crm/customer.aspx – Contacts), where the customer admin has a new field "External User ID".
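Get-ADUser -Filter * returns every account in the directory, including service and test accounts such as IUSR_web1 in the sample output above, and says nothing about whether a user's mail attribute matches the "Email domain" configured on the Mercell SSO page. The following added example (not Mercell's code) narrows the export to enabled members of one AD group and flags the accounts that would not match or would end up unmapped, so they can be fixed in AD or left out before the "User ID" column is filled in. The group name Mercell-SSO-Users, the mail domain company.com and the output path are assumptions.

```powershell
# Added example (not Mercell's code): build the "User ID" mapping list for the AD bind
# from the SSO group only, and report accounts that need attention before import.
# Assumptions (placeholders): group name, primary SMTP domain, output path.
# Requires the ActiveDirectory PowerShell module.

$SsoGroupName = 'Mercell-SSO-Users'        # assumed AD group of users that will use SSO
$MailDomain   = 'company.com'              # assumed "Email domain" set on the Mercell SSO page
$OutFile      = 'C:\test\mercell-users.csv'

Import-Module ActiveDirectory

# Enabled user objects in the group (recursively), not the whole directory. Filtering on
# objectClass first keeps computer or contact objects out of the Get-ADUser pipeline.
$users = Get-ADGroupMember -Identity $SsoGroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties mail |
    Where-Object { $_.Enabled }

$rows = foreach ($u in $users) {
    $upnSuffix = ($u.UserPrincipalName -split '@')[-1]
    $mailSuffix = if ($u.mail) { ($u.mail -split '@')[-1] } else { $null }

    # Exclude: the user cannot be matched by e-mail domain at all.
    $exclude = if (-not $u.mail) { 'no mail attribute' }
               elseif ($mailSuffix -ne $MailDomain) { "mail domain $mailSuffix is not $MailDomain" }
               else { '' }

    # Warn: the UPN issued in the upn claim does not share the mail domain; worth a
    # second look, since the "User ID" column is filled with the UPN.
    $warning = if (-not $exclude -and $upnSuffix -ne $mailSuffix) {
                   "UPN suffix $upnSuffix differs from mail domain $mailSuffix"
               } else { '' }

    [pscustomobject]@{
        Name              = $u.Name
        UserPrincipalName = $u.UserPrincipalName
        Mail              = $u.mail
        Exclude           = $exclude
        Warning           = $warning
    }
}

# The clean rows become the "User ID" column for the Mercell user import.
$rows | Where-Object { -not $_.Exclude } |
    Select-Object Name, UserPrincipalName, Mail |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Anything excluded or warned about is resolved in AD (or deliberately left out) before
# import; otherwise that user is either not matched or ends up as a duplicate in Mercell.
$rows | Where-Object { $_.Exclude -or $_.Warning } |
    Format-Table Name, UserPrincipalName, Mail, Exclude, Warning -AutoSize

Write-Host ("{0} users exported to {1}" -f ($rows | Where-Object { -not $_.Exclude }).Count, $OutFile)
```

Re-running the script after new users have been added to the group produces the delta for the next import; the same group is the natural place to hang the ADFS authorization rule, so a user who is in the export is also a user the trust will actually issue a token for.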
Before starting the implementation it is advisable to hold a start-up meeting with Mercell, as some planning is involved and some steps need to be understood in order to avoid duplicate users or other problems with users.
There is also a large impact on the processes for creating new users, before, during and after going into production. The success of the implementation depends on good control and monitoring of this, as well as good communication with all the users involved.
New Users
Find out more about new users here