Meridian Cloud supports single sign-on (SSO) logins through the Security Assertion Markup Language (SAML). A SAML identity provider (IdP) can take many forms, one of which is a self-hosted Active Directory Federation Services (AD FS) server. AD FS is a standard server role of Microsoft Windows Server that provides web application authentication using existing Active Directory credentials.
These are the requirements to configure AD FS to authenticate Meridian Cloud users:
- An Active Directory in which every user has an email address attribute and a name attribute populated.
- An SSL/TLS certificate for the AD FS service (the HTTPS login page that users are redirected to).
- A server running Microsoft Windows Server 2008 or higher with AD FS installed as described in Deploy and configure AD FS.
If a user's email address changes after single sign-on has been configured (for example, when moving from on-premises Exchange to Office 365), that user will no longer be able to access Meridian Cloud, and any existing work will remain assigned to the account associated with the old email address. Users can also be unable to sign in if single sign-on has not been enabled for Meridian Cloud in the directory, or if user consent for Meridian Cloud to access their directory profile is disabled.
To resolve this issue, see:
Configuring AD FS is a multi-step process. Following is an outline of each step in the process with references to the corresponding Microsoft documentation and where to enter information from each system in the other system.

Step 1 – Add a relying party trust:
- Complete the Add Relying Party Trust Wizard as described in Create a Relying Party Trust using the options in the following table.

| Wizard page | Option |
|---|---|
| Select Data Source | Select Enter data about the relying party manually. |
| Specify Display Name | Enter any name that identifies the trust with Meridian Cloud. |
| Choose Profile | Select AD FS profile. |
| Configure Certificate | If you have an optional token encryption certificate, select it. Otherwise, accept the defaults. |
| Configure URL | Select Enable support for the SAML 2.0 WebSSO protocol and enter the URL from the Single Sign-On URL option described in Configuring a third-party authentication provider. |
| Configure Identifiers | In Relying party trust identifier, enter the URL from the Audience option described in Configuring a third-party authentication provider. |
| Choose Access Control Policy | Select the appropriate policy for your environment. |
| Finish | Select Configure claims issuance policy for this application and continue with step 2. |
Step 2 – Configure a claims issuance policy:
- Configure a claims issuance policy as described in Create a Rule to Send LDAP Attributes as Claims.
- Add the mappings listed in the following table.

| LDAP Attribute | Outgoing Claim Type |
|---|---|
Step 3 – Set the secure hash algorithm:
- In AD FS Management, select the trust that you added in step 1 from the Relying Party Trusts list and then, in the Actions menu, click Properties. The Properties dialog box for the trust opens.
- On the Advanced page, select SHA-256 from the Secure hash algorithm list.
- Click OK to save your changes.
Step 4 – Export the token-signing certificate:
- In AD FS Management, open the Service folder, select the Certificates folder, and then view the Token-Signing certificate.
- On the Details tab, click Copy to File. The Certificate Export Wizard opens.
- Click Next.
- Select the No, do not export the private key option and then click Next.
- Select DER encoded binary X.509 (.cer) and then click Next.
- Select where you want to save the file, give it a name, and then click Next.
- Click Finish.
- Convert the file to PEM format using a tool like Certificate Manager.
Step 5 – Configure Meridian Cloud:
- Enter the following information as described in Configuring a third-party authentication provider.

| Option | Value |
|---|---|
| Name | The name of the authentication provider as you want it to appear to users. |
| Single Sign-On URL | Run the Get-AdfsEndpoint command in a PowerShell window on the AD FS server. Copy and paste the FullUrl value of the SAML 2.0/WS-Federation record. |
| Issuer (Entity ID) | In AD FS Management, in the Actions menu, click Edit Federation Service Properties, then copy and paste the URL shown for Federation Service identifier in the Federation Service Properties dialog box. |
| Certificate | Click Upload and select the certificate file you created in step 4. |
| SSO Request Binding Type | Delivery method of the SAML authentication request (HTTP Redirect or HTTP POST; the AD FS SAML endpoint accepts either). |
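The three AD FS values that Meridian Cloud asks for (Single Sign-On URL, Issuer, token-signing certificate in PEM form) can be collected in one run on the AD FS server instead of through the consoles, and the SHA-256 setting from step 3 can be verified at the same time. The following script is an added example, not part of the Meridian Cloud documentation or product; it assumes an elevated PowerShell session on the primary AD FS server with the ADFS module available, and the trust name and output path are placeholders.

```powershell
# Added example, not from the Meridian Cloud documentation or product.
# Gathers the values needed in step 5 and checks the step 3 setting.
# Assumptions: elevated session on the primary AD FS server; $TrustName is
# the display name chosen in step 1 (placeholder); $PemPath is a placeholder.
Import-Module ADFS

$TrustName = 'Meridian Cloud'                    # placeholder
$PemPath   = 'C:\temp\adfs-token-signing.pem'    # placeholder

# Single Sign-On URL: the enabled SAML 2.0/WS-Federation endpoint (/adfs/ls/).
$sso = Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled } |
    Select-Object -First 1
if (-not $sso) { throw 'No enabled SAML 2.0/WS-Federation endpoint found' }
$ssoUrl = $sso.FullUrl.AbsoluteUri

# Issuer (Entity ID): the Federation Service identifier.
$props  = Get-AdfsProperties
$issuer = $props.Identifier.AbsoluteUri

# Token-signing certificate: export the PRIMARY one, public part only (no
# private key, exactly like the "No, do not export the private key" choice
# in step 4), then wrap the DER bytes as PEM so no conversion tool is needed.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----`n"
Set-Content -Path $PemPath -Value $pem -Encoding Ascii -NoNewline

# Step 3 check: the trust must sign with SHA-256. A trust left at the SHA-1
# default is the usual cause of a relying party rejecting the assertion.
$rpt = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rpt) { throw "Relying party trust '$TrustName' not found" }
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
if ($rpt.SignatureAlgorithm -ne $sha256) {
    Write-Warning "Trust signs with $($rpt.SignatureAlgorithm); setting SHA-256"
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -SignatureAlgorithm $sha256
}

# Summary of what to paste into the Meridian Cloud provider settings.
[pscustomobject]@{
    SingleSignOnUrl   = $ssoUrl
    Issuer            = $issuer
    CertificatePem    = $PemPath
    SigningThumbprint = $signing.Thumbprint
    AutoRollover      = $props.AutoCertificateRollover
} | Format-List
```

The AutoRollover value is the caveat to watch: with automatic certificate rollover enabled (the AD FS default), AD FS generates a new token-signing certificate before the current one expires and starts signing with it, but Meridian Cloud only knows the copy you uploaded. When the primary thumbprint changes, re-run the export and upload the new file, or SSO will fail with signature validation errors. If you prefer the console export from step 4, the same DER-to-PEM conversion can be done with `openssl x509 -inform DER -in token-signing.cer -out token-signing.pem`.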
Following are some common authentication issues and possible solutions. The settings referenced below are Azure Active Directory settings for the Meridian enterprise application (shown as M360), not AD FS settings.

If users receive an error message that contains Application...is disabled:
- Set the Azure Active Directory option Enterprise Applications > User settings > Users can consent to apps accessing company data on their behalf to Yes.
- Set the Azure Active Directory option Enterprise Applications > M360 - Properties > Enabled for users to sign-in? to Yes.
- When users are presented with a Permissions requested dialog, they must click Accept.

If users are presented with a Need admin approval dialog:
- An Azure Active Directory administrator must sign in to Meridian Portal, where they should be presented with a Permissions requested dialog. They must select Consent on behalf of your organization and click Accept.

If an Azure Active Directory administrator wants to grant access to Meridian Portal to specific users only:
- Set the Azure Active Directory option Enterprise Applications > User settings > Users can consent to apps accessing company data on their behalf to No.
- Set the Azure Active Directory option Enterprise Applications > M360 - Properties > Enabled for users to sign-in? to Yes.
- Set the Azure Active Directory option Enterprise Applications > M360 - Properties > User assignment required? to Yes.
- Assign roles to the users in Enterprise Applications > M360 - Users and groups.
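The "specific users only" procedure above is four portal clicks that are easy to get out of sync between tenants. The following script is an added example, not from the Meridian Cloud documentation or product, that applies and verifies the same four settings with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed, that the enterprise application is registered in the tenant under the display name M360 as in the portal paths above, and that the user principal names and the app role id are placeholders.

```powershell
# Added example, not from the Meridian Cloud documentation or product.
# Graph PowerShell equivalent of the "grant access to specific users" steps.
# Assumptions: Microsoft.Graph modules installed; the enterprise application
# is named 'M360' in this tenant; $AllowedUsers holds placeholder UPNs.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All',
                        'Policy.ReadWrite.Authorization',
                        'User.Read.All'

$AppDisplayName = 'M360'
$AllowedUsers   = @('alice@example.com', 'bob@example.com')   # placeholders

# Step 1: "Users can consent to apps ... on their behalf" = No.
# Removing every permission-grant policy from the default user role turns
# user consent off tenant-wide (assumption: no custom consent policy is wanted).
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# Steps 2 and 3: "Enabled for users to sign-in?" = Yes and
# "User assignment required?" = Yes, both on the service principal.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Enterprise application '$AppDisplayName' not found" }
Update-MgServicePrincipal -ServicePrincipalId $sp.Id `
    -AccountEnabled:$true -AppRoleAssignmentRequired:$true

# Step 4: assign the users. Applications that define no app roles use the
# "Default Access" role id below; if the app defines roles, replace it with
# the Id of the entry in $sp.AppRoles that you want (placeholder choice).
$roleId = '00000000-0000-0000-0000-000000000000'
foreach ($upn in $AllowedUsers) {
    $user = Get-MgUser -UserId $upn
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
}

# Verify: with assignment required, only the principals listed here can
# sign in; everyone else is refused before reaching Meridian Portal.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
[pscustomobject]@{
    AccountEnabled            = $sp.AccountEnabled
    AppRoleAssignmentRequired = $sp.AppRoleAssignmentRequired
} | Format-List
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
```

Once User assignment required is Yes, a user who is not in the assignment list is refused by Azure AD with an AADSTS50105 error at sign-in, which is the expected outcome here rather than an AD FS problem; check the assignment list before looking at the relying party trust.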