For all new ADFS integrations please use this guide.
Litmos integrates with all SAML 2.0 providers, including ADFS 2.0 and 3.0. Litmos is an IdP-initiated SSO service provider, which means that users must sign into the Litmos application from an Identity Provider login page rather than from Litmos itself.
To configure ADFS with Litmos, please follow these steps:
- Begin by adding Litmos as a relying party trust in ADFS:
- In some cases ADFS will require that you add all three variations of the relying party identifier; usually, however, your ADFS SAML endpoint alone will suffice. Your ADFS SAML endpoint is the third item on the list, with "?adfs=1" appended to the URL.
- Next, please add a NameID rule so that NameID is passed to Litmos as the user's Email Address from your Active Directory.
- Litmos also requires that the user's FirstName, LastName and Email be mapped for the connection to authenticate successfully. Please ensure that the "Outgoing Claim Types" are typed exactly as they appear in the screenshot below:
- Please add your Litmos ADFS endpoint:
- Lastly, please ensure that the Litmos relying party trust uses the SHA-1 signature algorithm for the certificate, as SHA-256 is not compatible with Litmos at this time (4/15/2016).
This completes the configuration of Litmos in your ADFS server. Next, we will need to add a few items to your Litmos account's SAML settings to complete the integration. To proceed, please log in to your Litmos account as an Account Owner and follow these steps:
- Once signed in as an Account Owner to your Litmos account, click the "Account" tab to access your account settings page.
- From your account settings page, please click the "Integrations" tab.
- Scroll down the integrations list and click the "SAML 2.0 (Single Sign On)" setting.
- Here you can enter your IdP sign-in URL as well as the Base64 token-signing certificate generated from ADFS.
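The ADFS side of the procedure above (relying party trust, NameID and attribute claim rules, SHA-1 signature algorithm) and the certificate export needed for the Litmos SAML settings, as an added PowerShell example that is not part of the Litmos guide. The Litmos endpoint URL, the AD attribute names (givenName, sn, mail) and the output file path are assumptions; the outgoing claim type names FirstName, LastName and Email are taken from the guide's text.

```powershell
# Added example, not from the Litmos guide. Requires the ADFS module on the federation server.
Import-Module ADFS

# Placeholder: the Litmos ADFS/SAML endpoint shown in your Litmos account.
# The relying party identifier is that URL with "?adfs=1" appended, as the guide states.
$litmosAcs  = "https://<your-litmos-saml-endpoint>"
$identifier = "$litmosAcs?adfs=1"

# Issuance transform rules: pull FirstName/LastName/Email from AD (attributes assumed),
# then transform the email claim into a NameID in emailAddress format.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Litmos attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("FirstName", "LastName", "Email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";givenName,sn,mail,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID from Email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: permit all authenticated users (narrow to a group claim if your policy requires it).
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# SAML assertion consumer endpoint for Litmos (HTTP-POST binding).
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $litmosAcs -Index 0

Add-AdfsRelyingPartyTrust -Name "Litmos" `
    -Identifier $identifier `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"   # SHA-1 required by Litmos per the guide (4/15/2016)

# Check: identifier, ACS location and signature algorithm must match what the guide describes.
Get-AdfsRelyingPartyTrust -Name "Litmos" |
    Select-Object Name, Identifier, SignatureAlgorithm, @{n = 'ACS'; e = { $_.SamlEndpoints.Location }}

# Export the primary token-signing certificate as Base64 for the Litmos "SAML 2.0 (Single Sign On)" setting.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
[Convert]::ToBase64String($signing.RawData) | Set-Content -Path ".\adfs-token-signing.b64"   # path assumed
```

Re-run the `Get-AdfsRelyingPartyTrust` check after any later change to the trust, since switching the signature algorithm to SHA-256 breaks the integration according to the guide.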
You can now test the integration by signing into Litmos from your IdP sign-in page. Please ensure that "Autogenerate Users" is checked if the user does not yet exist in Litmos. If the user does exist, please ensure that their FirstName, LastName, Email and UserName (this should also be their Email) match what is stored in your Active Directory.