Blanchard Exchange supports Single Sign-On (SSO) using SAML 2.0. Microsoft Active Directory supports SAML via the Active Directory Federation Services (AD FS) server role as well as via Azure AD.
We recommend that you use at least AD FS 3.0 (included in Windows 2012R2) or later.
To get started, first submit a request. Be sure to include your company name and include in your request that you wish to enable SSO with Active Directory. We may ask for additional details to correctly identify your account.
- Start the AD FS Management tool under Administrative Tools.
- Select the Trust Relationships folder, right-click it and select Add Relying Party Trusts.
- On the Welcome section of the Add Relying Party Trust Wizard, select Start.
- Make sure that the Import data about the relying party published online or on a local network option is selected and enter the customer-specific metadata URL you received from The Ken Blanchard Companies.
- Set the display name and select Next.
- Choose I do not want to configure multi-factor authentication settings for this relying party trust at this time and select Next.
- Under Choose Issuance Authorization Rules, select Permit all users to access this relying party and select Next.
- Under Ready to Add Trust, select Next.
- Under Finish, make sure the checkbox is selected for Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and select Close.
- On the next window under Issuance Transform Rules, select Add Rule...
- Select Send LDAP Attributes as Claims under the Claim rule template and select Next.
- Enter Learnifier Claims as the Claim rule name. Make sure that the Attribute Store is Active Directory and add the following mappings (LDAP Attribute: Outgoing Claim Type):
  - SAM-Account-Name: Name ID
  - Display-Name: Name
  - E-Mail-Addresses: E-Mail Address
  - Given-Name: Given Name
  - Surname: Surname
- Send the URL of the SAML metadata for your Active Directory Federation Services to your Help Desk contact here at The Ken Blanchard Companies.
If your AD FS login server is reachable at https://login.example.com, the metadata is usually available at https://login.example.com/FederationMetadata/2007-06/FederationMetadata.xml. The link must be an HTTPS link (TLS 1.2) and the server must be reachable from the public internet.
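The following is an added example and not configuration supplied by The Ken Blanchard Companies: it performs the wizard steps above with the AD FS PowerShell module (which ships with the AD FS role) and then checks that your own federation metadata URL is served over TLS 1.2 and parses as a SAML identity-provider descriptor. The display name, the metadata URL placeholder and the hostname login.example.com are assumptions; substitute the values from your own environment.

```powershell
# Added example, not Blanchard's own code. Run in an elevated PowerShell
# session on the AD FS server. Placeholder values are marked below.
Import-Module ADFS

$displayName = 'Blanchard Exchange'                                    # assumption: any display name works
$metadataUrl = 'https://PLACEHOLDER.example.com/saml/metadata'         # placeholder: use the URL received from Blanchard
$ownMetadata = 'https://login.example.com/FederationMetadata/2007-06/FederationMetadata.xml'  # assumption: your AD FS host

# Issuance transform rule as generated by the "Send LDAP Attributes as Claims"
# template for the five mappings above (sAMAccountName -> Name ID, displayName -> Name,
# mail -> E-Mail Address, givenName -> Given Name, sn -> Surname).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Learnifier Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";sAMAccountName,displayName,mail,givenName,sn;{0}", param = c.Value);
'@

# "Permit all users to access this relying party" expressed as an authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from the published metadata; this is the PowerShell equivalent of
# the "Import data about the relying party published online" wizard option.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check your own metadata URL before sending it to the Help Desk: restrict the client
# to TLS 1.2 so a successful download proves the server negotiates TLS 1.2, then make
# sure the document is a SAML EntityDescriptor that carries an IdP descriptor.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$response = Invoke-WebRequest -Uri $ownMetadata -UseBasicParsing
[xml]$metadata = $response.Content
if ($metadata.EntityDescriptor.IDPSSODescriptor) {
    "OK: $($metadata.EntityDescriptor.entityID) publishes an IdP descriptor over TLS 1.2"
} else {
    Write-Error "No IDPSSODescriptor found in $ownMetadata"
}
```

Run the metadata check from a machine outside your network as well: a successful download from the AD FS server itself shows the TLS configuration and document are correct, but not that the URL is reachable from the public internet, which is the second requirement stated above.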
You should receive a response shortly afterwards confirming that the connection is established.