Configuring Base CRM with Microsoft ADFS Single Sign On (SSO)

If your organization uses ADFS, you may consider configuring Base CRM for SSO. The following is a step-by-step guide to initial setup. 

 

Part 1 - Setting up a Relying Party Trust

Step 1 - The first step is to set up the ADFS connection with your Base CRM account. The connection between ADFS and Base is defined using a Relying Party Trust (RPT). Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.

Step 2 - After starting the configuration wizard, the next step is to configure the data source. In the Select Data Source screen, select the last option, Enter Data About the Party Manually.

Step 3 - On the next screen, enter a Display name that you'll recognize in the future, and any notes you want to make.

Step 4 - On the next screen, select the AD FS profile option.

Step 5 - On the next screen, leave the certificate settings at their defaults.

Step 6 - Next, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be your Base CRM Service Provider Assertion Consumer Service URL (found in the SSO settings of your account). Note - There should be no trailing slash at the end of the URL.

Step 7 - On the next screen, add a Relying party trust identifier using your Base CRM Service Provider Issuer ID (found in the SSO settings of your account).

Step 8 - On the next screen, you may choose to configure multi-factor authentication. However, this process is beyond the scope of this guide.

Step 9 - On the next screen, select the Permit all users to access this relying party button.

Step 10 - On the next two screens, the wizard will display an overview of your settings. On the final screen, use the Close button to exit the wizard and open the Claim Rules editor.

 

Part 2 - Creating Claim Rules

Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that you did not configure in the previous wizard. Configure the claim rules according to your current ADFS set-up.

 

Part 3 - Adjusting the Trust Settings

Finally, adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar while you have the RPT selected.

  • In the Advanced tab, make sure SHA-256 or SHA-1 is specified as the secure hash algorithm.

 

Part 4 - Configuring SSO In Base

Lastly, navigate to the SSO settings in your Base account.

After selecting Manual Setup, fill in the following:

a) Identity Provider Issuer Id (ex. http://yourdomain/adfs/services/trust)
b) Identity Provider SSO URL (ex. https://yourdomain/adfs/ls)
c) SHA-1 Thumbprint (of the token signing certificate installed in the ADFS instance)
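
The three values above can be read from the AD FS server rather than copied by hand, and the trust created in Part 1 can be checked at the same time. The following PowerShell is an added example, not part of the original guide or of Base's own documentation; it uses the cmdlets of the AD FS PowerShell module, and the trust name 'Base CRM' is an assumption standing in for the Display name you entered in Step 3.

```powershell
# Added example. Run in an elevated PowerShell session on an AD FS server.
Import-Module ADFS

$rptName = 'Base CRM'   # assumption: the Display name entered in Step 3

# --- Values for the Base SSO form (Part 4) ---
$props = Get-AdfsProperties
$certs = Get-AdfsCertificate -CertificateType Token-Signing

"a) Identity Provider Issuer Id : $($props.Identifier)"
"b) Identity Provider SSO URL   : https://$($props.HostName)/adfs/ls"

foreach ($c in $certs) {
    # GetCertHashString() returns the SHA-1 hash of the certificate as hex,
    # the value the certificate dialog shows as "Thumbprint".
    $role    = if ($c.IsPrimary) { 'primary' } else { 'secondary' }
    $thumb   = $c.Certificate.GetCertHashString()
    $expires = $c.Certificate.NotAfter.ToString('yyyy-MM-dd')
    "c) SHA-1 Thumbprint ($role) : $thumb (expires $expires)"
}

# With automatic rollover, AD FS replaces the token-signing certificate on its
# own schedule; the thumbprint entered in Base then no longer matches.
if ($props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is enabled: update the thumbprint in Base after each rollover.'
}

# --- Checks on the relying party trust (Parts 1 and 3) ---
$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
if (-not $rpt) { throw "No relying party trust named '$rptName' was found." }

"Trust identifier(s) : $($rpt.Identifier -join ', ')"
"Signature algorithm : $($rpt.SignatureAlgorithm)"

foreach ($ep in $rpt.SamlEndpoints) {
    $url = "$($ep.Location)"
    "SAML endpoint       : $($ep.Protocol) / $($ep.Binding) / $url"
    if ($url.EndsWith('/')) {
        # Step 6: the service URL must not end with a slash.
        Write-Warning "Endpoint '$url' has a trailing slash."
    }
}
```

Use the thumbprint marked primary for field c); a secondary entry appears only while a certificate rollover is in progress.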