AD FS Configuration Instructions

This section is only meant for DataCamp Enterprise administrators who are setting up SSO with Microsoft Active Directory Federation Services (AD FS) as their IdP. Only proceed if you have read and understood our SSO documentation.

Step 1: On your AD FS server, open AD FS Management.

Step 2: Right click on Relying Party Trusts and select Add Relying Party Trust. This will launch the Add Relying Party Trust Wizard.

Step 3: In the Select Data Source step, choose Enter data about the relying party manually.

Step 4: On the Specify Display Name step, enter DataCamp.

Step 5: On the Choose Profile step, select AD FS profile (the profile that supports SAML 2.0) and click Next.

Step 6: On the Configure Certificate screen, click Next without choosing any certificates. This certificate would be used to encrypt the token for DataCamp; leaving it empty means the assertion is signed but not encrypted, which is what DataCamp expects.

Step 7: On the Configure URL screen, select "Enable support for the SAML 2.0 WebSSO protocol". From your DataCamp SSO settings page, copy the first Relying party SAML 2.0 SSO Service URL field and enter it into the URL field in the Configure URL screen.

Step 8: On the Configure Identifiers screen, add a new identifier by copying the Entity ID / SAML Audience field value from the DataCamp SSO settings page. Copy it exactly: this value becomes the Audience of the assertion and DataCamp rejects assertions whose Audience does not match.

Click Next until you reach the Finish screen.

Step 9: On the Finish screen, choose to Open the Edit Claim Rules dialog before clicking finish to edit further configuration. This will launch the Edit Claim Rules window.

Step 10: Click on Add Rule and choose Send LDAP Attributes as Claims as the claim rule template.

Step 11: On the Configure Claim Rule step, enter "DataCamp attributes" as the Claim rule name, select "Active Directory" as the attribute store, and add the following LDAP attribute to outgoing claim type mappings:

  • E-mail addresses (LDAP attribute) mapped to E-mail address (outgoing claim type)
  • (Optional but highly recommended) Given-Name (LDAP) mapped to FirstName (outgoing claim type)
  • (Optional but highly recommended) Surname (LDAP) mapped to LastName (outgoing claim type)

Click Finish.

Step 12: Click Add Rule again, choose Transform an Incoming Claim and click Next.

Step 13: Enter “NameIDDataCamp” as the Claim rule name, and select the following values:

  • Incoming claim type: E-mail address
  • Outgoing claim type: Name ID
  • Outgoing name ID format: Email

Select “Pass through all claim values”, and click Finish.

Step 14: In the Edit Claim Rules screen, make sure the order of the rules is correct:

  1. DataCamp attributes
  2. NameIDDataCamp

Step 15: Under Relying Party Trusts, double click on the DataCamp relying party trust we just created (or right click it and choose Properties).

Step 16: When the Properties window opens, click on the Endpoints tab. Then click on "Add SAML...".

Step 17: Choose SAML Assertion Consumer as the endpoint type, keep the same binding as the endpoint the wizard created, keep the Index at 2, and paste the second Relying party SAML 2.0 SSO Service URL from DataCamp Admin Settings into the Trusted URL field.

Step 18: On the AD FS Management window, right click on the Relying Party for DataCamp and choose Properties. Under the Advanced tab, choose SHA-256 as the Secure hash algorithm. AD FS defaults to SHA-1 for older trusts; SHA-1 signatures are deprecated and DataCamp expects SHA-256-signed assertions.

Step 19: On the AD FS Management window, expand Service, choose Certificates and double click on the primary Token-signing certificate. On the Details tab, click "Copy to File..." and export it as a Base-64 encoded X.509 (.CER) file. The Base-64 format produces the text form of the certificate that DataCamp needs; a DER (binary) export cannot be pasted.

You’ll need this X509 certificate for the following steps.
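The same relying party trust can be created from the AD FS PowerShell module instead of the wizard. The following script is an added example, not DataCamp's or Microsoft's own code: it performs Steps 2 through 18 in one go, including the claim rules that the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates generate, the second assertion consumer endpoint, and the SHA-256 signature algorithm. The three URLs are placeholders and must be replaced with the values from your DataCamp SSO settings page; the permit-all authorization rule is an assumption that mirrors the wizard's default.

```powershell
# Added example (not DataCamp's or Microsoft's script): create the DataCamp relying
# party trust from PowerShell. Run in an elevated session on the AD FS server.
Import-Module ADFS

# Placeholders: take the real values from the DataCamp SSO settings page.
$dataCampEntityId = 'https://placeholder.example/saml/metadata'    # Entity ID / SAML Audience
$acsUrl1          = 'https://placeholder.example/saml/acs'         # first Relying party SAML 2.0 SSO Service URL
$acsUrl2          = 'https://placeholder.example/saml/acs/second'  # second Relying party SAML 2.0 SSO Service URL

# Claim rules in AD FS claim rule language. These are the rules the GUI templates
# produce for Steps 10-14: mail -> E-mail address, givenName -> FirstName,
# sn -> LastName, then E-mail address -> Name ID in emailAddress format.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "DataCamp attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameIDDataCamp"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Assumption: the wizard's default "Permit all users" authorization rule.
# Replace it with a group-based rule if only some users should reach DataCamp.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 7 and 16-17: both assertion consumer endpoints. The wizard gives the
# first endpoint index 0; Step 17 uses index 2 for the second one.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl1 -Index 0
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl2 -Index 2
)

# Steps 4, 5, 8 and 18: display name, SAML profile, identifier and SHA-256.
# No encryption certificate is set (Step 6), so assertions are signed only.
Add-AdfsRelyingPartyTrust -Name 'DataCamp' `
    -Identifier $dataCampEntityId `
    -SamlEndpoint $endpoints `
    -ProtocolProfile SAML `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Check: identifier, rsa-sha256 algorithm and both endpoints should be listed.
Get-AdfsRelyingPartyTrust -Name 'DataCamp' |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ Name = 'Endpoints'; Expression = { $_.SamlEndpoints | ForEach-Object { "$($_.Index): $($_.Location)" } } }
```

If the trust already exists from the wizard, use Set-AdfsRelyingPartyTrust with the same -IssuanceTransformRules and -SignatureAlgorithm parameters instead of Add-AdfsRelyingPartyTrust.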

Now, we’re ready to set up SAML with ADFS on DataCamp.

On your DataCamp SSO settings page, enter the following values in the “Identity Provider (IdP) Configuration” section of the page:

  • Entity ID / Issuer URL: the Federation Service identifier, typically https://yourdomain.com/adfs/services/trust. Note that AD FS's default identifier uses http:// rather than https://; copy it exactly as shown in your Federation Service Properties, because DataCamp compares the Issuer in the assertion character for character.
  • Login URL / SSO Endpoint: https://yourdomain.com/adfs/ls
  • IdP Certificate: Paste in the contents of the X.509 certificate file exported in Step 19. It begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

For the first two fields, you can confirm their values in your server's Federation Service Properties by right clicking the "Service" node in AD FS Management, then choosing "Edit Federation Service Properties...". The Federation Service identifier is the Entity ID; the Login URL is the /adfs/ls endpoint on the Federation Service name.
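The three values can also be read straight from the AD FS configuration, which avoids the http/https mix-up in the Entity ID and the DER/Base-64 mix-up in the certificate export. This is an added example, not DataCamp's or Microsoft's code; it assumes an elevated session on the AD FS server and writes the certificate to a file name of my choosing.

```powershell
# Added example (not DataCamp's or Microsoft's script): collect the three
# IdP values DataCamp needs, and export the primary token-signing certificate
# in the same Base-64 X.509 (PEM) form that Step 19's "Copy to File..." produces.
Import-Module ADFS

$props = Get-AdfsProperties

# Entity ID / Issuer URL: the Federation Service identifier, copied verbatim
# (by default it is http://<service name>/adfs/services/trust, not https://).
$entityId = $props.Identifier.AbsoluteUri

# Login URL / SSO Endpoint: the SAML 2.0 passive endpoint on the service name.
$loginUrl = "https://$($props.HostName)/adfs/ls"

# IdP Certificate: only the primary token-signing certificate signs assertions.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
$outFile = '.\adfs-token-signing.cer'   # file name is my choice, not DataCamp's
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Caveat: when AutoCertificateRollover is on, AD FS generates a new token-signing
# certificate before the current one expires and SSO to DataCamp breaks until the
# IdP Certificate field is updated with the new one. Note the expiry date here.
[pscustomobject]@{
    EntityId            = $entityId
    LoginUrl            = $loginUrl
    CertificateFile     = $outFile
    Thumbprint          = $signing.Thumbprint
    NotAfter            = $signing.Certificate.NotAfter
    AutoRollover        = $props.AutoCertificateRollover
}
```

Paste the contents of the exported file into the IdP Certificate field, including the BEGIN and END lines.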

Finally, click Update Settings and your configuration will be updated. Verify the setup by signing in to DataCamp with one test account from your directory before announcing it to your users.