How to set up ADFS SSO for governing bodies

Summary

  • Ensure you have a 2048-bit RSA certificate for HTTPS-only SAML integration.
  • Verify ADFS organisation metadata in ‘Edit Federation Service Properties’.
  • Install ADFS Federation Service and create a new Federation Server Farm.
  • Add a Relying Party Trust using ‘ClickView’ as the display name.
  • Configure claim rules for Email, Given Name, Last Name, Display Name, and Member Of.
  • Set up endpoints with region-specific POST and Artifact URLs.
  • Submit onboarding details using the SSO Onboarding form.

SAML integration prerequisites

Before setting up SAML integration between ClickView and Microsoft ADFS, ensure you have a 2048-bit RSA certificate from a recognised certificate authority. SAML integration is a secure, HTTPS-only process.

ClickView supports Single Sign-On (SSO) using the SAML2 protocol with services such as Microsoft ADFS, Shibboleth 2.0, WS-Federation, and PingIdentity.

Verify ADFS organisation metadata

  1. Right-click the ‘ADFS’ folder in the top left-hand pane and choose Edit Federation Service Properties.
  2. In the Organisation tab, tick ‘Publish organisation information in federation metadata’ and fill in all ‘Support contact information’ fields with valid data.

Install Microsoft ADFS Federation Service

  1. Open Start.
  2. Select Administrative Tools.
  3. Choose AD FS 2.0 Management or AD FS 3.0 Management.
  4. Start the AD FS Federation Server Configuration Wizard.
  5. Create a new Federation Service.
  6. Choose New Federation Server Farm, even for a single-server deployment.
  7. Click Next and confirm the SSL certificate assigned to the Default Web Site (if it is not pre-populated, assign one manually in IIS).
  8. Ensure the Federation Service Name matches the name on the SSL certificate.
  9. Click Next.
  10. Enter the AD FS service account name and password.
  11. Continue clicking Next until setup is complete.
  12. If you encounter an SPN error, use setspn.exe to set the correct SPN.
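Before running the wizard, the certificate and SPN requirements from the steps above can be checked from an elevated PowerShell prompt on the server. This is an added example and not part of the ClickView guide: the federation service name and service account are placeholders for your own environment, and the script assumes Windows PowerShell 5.1 on the federation server (which exposes the certificate's DnsNameList property and the setspn.exe tool).

```powershell
# Added pre-flight check for the ADFS prerequisites above (not part of the
# ClickView guide). The two values below are placeholders for your environment.
$FederationServiceName = 'adfs.school.example'   # placeholder: the name the wizard will ask for
$ServiceAccount        = 'SCHOOL\svc-adfs'       # placeholder: the AD FS service account

# 1. The SSL certificate must carry the federation service name exactly
#    (step 8 above) and have its private key present on this server.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.DnsNameList.Unicode -contains $FederationServiceName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate with a private key covers '$FederationServiceName'; request one from your CA or import it into the machine store."
    return
}
Write-Host "Using certificate $($cert.Thumbprint), expires $($cert.NotAfter)"

# 2. Key type and size: the guide requires a 2048-bit RSA key.
$keyAlgorithm = $cert.PublicKey.Oid.FriendlyName
$keySize      = $cert.PublicKey.Key.KeySize
if ($keyAlgorithm -ne 'RSA' -or $keySize -lt 2048) {
    Write-Warning "Certificate key is $keyAlgorithm $keySize-bit; a 2048-bit RSA key is required."
}

# 3. The chain must build to a CA this server trusts. Verify() returns $false
#    for self-signed or internal-CA certificates whose root is not installed,
#    and for expired or revoked certificates.
if (-not $cert.Verify()) {
    Write-Warning "Certificate chain does not validate to a trusted CA on this server."
}

# 4. The service account needs a host/<federation service name> SPN; a missing
#    or mismatched SPN is what the error in step 12 above refers to.
$expectedSpn = "host/$FederationServiceName"
$registered  = setspn.exe -L $ServiceAccount
if (-not ($registered -match [regex]::Escape($expectedSpn))) {
    Write-Warning "SPN $expectedSpn is not registered on $ServiceAccount. Register it with:`n  setspn.exe -s $expectedSpn $ServiceAccount"
}
```

Each check only warns, so the script can be run repeatedly while fixing the environment; the wizard itself will refuse a certificate whose name does not match, so catching that here saves a re-run of the installation.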

Configure federation trust with ClickView

  1. Select Relying Party Trusts.
  2. Click Add Relying Party Trust.
  3. Choose Start.
  4. Select Enter data about the relying party manually.
  5. Set Display name to ClickView and click Next.
  6. Select AD FS profile, and continue clicking Next until prompted for identifiers.
  7. Enter the ClickView entityID URL for your region:
     • Australia: https://saml-in5.clickview.com.au/shibboleth
     • New Zealand: https://shibboleth.clickview.co.nz/shibboleth
  8. Click Add, then Next.
  9. If required, choose your MFA setup and click Next.
  10. Select Permit all users to access this relying party and click Next.
  11. Finish by selecting Close.

Create claim rules for ClickView SAML integration

After creating the Relying Party Trust, add claim rules for the user attributes ClickView requires:

  • Email Address
  • Given Name
  • Last Name
  • Display Name
  • Member Of (Group Membership)

  1. Choose Add Rule.
  2. Select Send Claims Using a Custom Rule and click Next.
  3. For each claim, give the rule the name shown and paste the matching custom rule. Use straight double quotes; the claim rule language does not accept curly quotes.

     Email Address
       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
        => issue(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.3"), query = ";mail;{0}", param = c.Value);

     Given Name
       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
        => issue(store = "Active Directory", types = ("urn:oid:2.5.4.42"), query = ";givenName;{0}", param = c.Value);

     Display Name
       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
        => issue(store = "Active Directory", types = ("urn:oid:2.16.840.1.113730.3.1.241"), query = ";displayName;{0}", param = c.Value);

     Member Of
       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
        => issue(store = "Active Directory", types = ("urn:oid:1.2.840.113556.1.2.102"), query = ";memberOf;{0}", param = c.Value);

     Last Name
       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
        => issue(store = "Active Directory", types = ("urn:oid:2.5.4.4"), query = ";SN;{0}", param = c.Value);

Exposing additional claim rules

To send extra attributes for school or institution identification, use one of the following custom rule templates. The claim type path (ABCD/XY/XXX), the OID or claim name in types, and the Active Directory attribute in the query (shown here as givenName) are placeholders to replace with the values for the attribute you want to send.

I. Using the claim urn:oid format

c:[Type == "http://schemas.microsoft.com/ws/ABCD/XY/identity/claims/XXX"]
=> issue(store = "Active Directory", types = ("urn:oid:X.X.X.XX"), query = ";givenName;{0}", param = c.Value);

II. Using the claim name format

c:[Type == "http://schemas.microsoft.com/ws/ABCD/XY/identity/claims/XXX"]
=> issue(store = "Active Directory", types = ("XXX"), query = ";givenName;{0}", param = c.Value);

Refer to Microsoft documentation on claim types for details on schemas and attributes.

Include any additional exposed attributes in the onboarding form.

Configure SAML endpoints for ClickView

  1. Open Properties for the ClickView relying party trust and select the Endpoints tab.
  2. Click Add SAML…, set Binding to POST and Index to 1, and enter your region’s POST URL:
     • Australia: https://saml-in5.clickview.com.au/Shibboleth.sso/SAML2/POST
     • New Zealand: https://shibboleth.clickview.co.nz/Shibboleth.sso/SAML2/POST
  3. Click Add SAML… again, set Binding to Artifact and Index to 3, and enter your region’s Artifact URL:
     • Australia: https://saml-in5.clickview.com.au/Shibboleth.sso/SAML2/Artifact
     • New Zealand: https://shibboleth.clickview.co.nz/Shibboleth.sso/SAML2/Artifact
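The three sections above (the relying party trust, the five claim rules and the two SAML endpoints) can also be created in one scripted step with the AD FS PowerShell module on a federation server, which makes the configuration reviewable and repeatable across a farm. This is an added example, not ClickView's own tooling: the entityID, endpoint URLs and rule text are taken from this guide (with straight quotes), while the -Region parameter, the variable names and the @RuleName labels are the example's own choices.

```powershell
# Added example (not from the ClickView guide): create the ClickView relying
# party trust, its claim rules and its SAML endpoints from the AD FS module.
# Run on a federation server as an AD FS administrator.
param([ValidateSet('AU', 'NZ')][string]$Region = 'AU')

Import-Module ADFS

# Region-specific identifier and endpoints, exactly as listed in the guide.
$clickView = @{
    AU = @{ EntityId = 'https://saml-in5.clickview.com.au/shibboleth'
            Post     = 'https://saml-in5.clickview.com.au/Shibboleth.sso/SAML2/POST'
            Artifact = 'https://saml-in5.clickview.com.au/Shibboleth.sso/SAML2/Artifact' }
    NZ = @{ EntityId = 'https://shibboleth.clickview.co.nz/shibboleth'
            Post     = 'https://shibboleth.clickview.co.nz/Shibboleth.sso/SAML2/POST'
            Artifact = 'https://shibboleth.clickview.co.nz/Shibboleth.sso/SAML2/Artifact' }
}[$Region]

# Issuance transform rules: each of the five required attributes is looked up
# in Active Directory by the user's Windows account name and issued under its
# urn:oid claim type. A single-quoted here-string keeps {0} and quotes intact.
$issuanceRules = @'
@RuleName = "Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.3"), query = ";mail;{0}", param = c.Value);

@RuleName = "Given Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("urn:oid:2.5.4.42"), query = ";givenName;{0}", param = c.Value);

@RuleName = "Display Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("urn:oid:2.16.840.1.113730.3.1.241"), query = ";displayName;{0}", param = c.Value);

@RuleName = "Member Of"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("urn:oid:1.2.840.113556.1.2.102"), query = ";memberOf;{0}", param = c.Value);

@RuleName = "Last Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("urn:oid:2.5.4.4"), query = ";SN;{0}", param = c.Value);
'@

# Authorization: the guide's "Permit all users" choice, so every user who can
# authenticate to AD FS is allowed through to ClickView. Replace this rule with
# a group-based one if only some users should have access. On AD FS 2016 or
# later you can use -AccessControlPolicyName 'Permit everyone' instead.
$authorizationRules = @'
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The two assertion consumer endpoints from the Endpoints section: POST at
# index 1 and Artifact at index 3.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST     -Protocol SAMLAssertionConsumer -Uri $clickView.Post     -Index 1
    New-AdfsSamlEndpoint -Binding Artifact -Protocol SAMLAssertionConsumer -Uri $clickView.Artifact -Index 3
)

Add-AdfsRelyingPartyTrust -Name 'ClickView' `
    -Identifier $clickView.EntityId `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Show what was written so it can be compared against the guide.
Get-AdfsRelyingPartyTrust -Name 'ClickView' |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

Any extra attributes added under "Exposing additional claim rules" belong in the same $issuanceRules here-string, each with its own @RuleName line, so that the full set of claims sent to ClickView is visible in one place when you fill in the onboarding form.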

Submit onboarding information

Complete the SSO Onboarding form to start the process. If you have already started the form, continue where you left off.

Frequently asked questions

A 2048-bit RSA certificate from a reputable Certificate Authority is required for HTTPS-only SAML integration.
Email Address, Given Name, Last Name, Display Name, and Member Of (Group Membership) are required as claims.
Complete and submit the SSO Onboarding form provided at the end of the setup process.

Get in touch

If you’re having trouble finding the right topics or videos, just reach out! Our team - Andrew, Nisch, Janice, Pfreya, or any of us at ClickView - will be happy to help you get sorted.
