In the article below we walk through the steps to configure SSO for "platform.boomi.com" using "ADFS" as the Identity Provider. For more information on SSO and user management, see Controlling User Access to Your Account.
Configuration on Boomi AtomSphere
- Navigate to the 'Setup' page as shown below;
- On the Setup page, select 'SSO Options' under 'Security Options' as shown below;
- Check 'Enable SAML Single Sign-On' and click save.
- Below is how the SSO screen looks before any configuration;
- Below is how the SSO screen looks after configuration;
- Import the 'Identity Provider Certificate' using Import. Remember that this is not the SSL certificate of the ADFS login URL; it is the certificate ADFS uses to sign SAML assertions (the token-signing certificate), and you will most likely get it from the ADFS administrator.
- Enter the 'Identity Provider Login URL' in the text box; it will look like this: 'https://adfs.<company_name>.net/adfs/ls/IdpInitiatedSignOn.aspx'
- Select 'NameID' for 'Federation Id Location'; most ADFS deployments use 'NameID'.
- Copy the 'AtomSphere Login URL'; we will need this when we access the SSO login. Example: https://platform.boomi.com/sso/<Account_ID>/saml
- Copy the 'AtomSphere MetaData URL'; we will need this when we configure ADFS. Example: https://platform.boomi.com/sso/<Account_ID>/saml?metadata=true
- Click Save.
Now AtomSphere is ready for SSO; next we have to configure ADFS.
Configuration on ADFS
- Open the ADFS Management console, where the 'Relying Party Trust' (Boomi, in this case) is set up, as shown below;
- Right-click 'Relying Party Trusts' and click 'Add Relying Party Trust...', as shown below;
- Click Start on the Add Relying Party Trust Wizard.
- We can make the configuration easier by importing the settings directly from the metadata URL we copied from the Boomi SSO settings page. Example: https://platform.boomi.com/sso/<Account_ID>/saml?metadata=true
- Select the first option in the wizard, enter this URL and try importing the settings. If you encounter any issue accessing this URL directly from the wizard, follow the alternative in the next step;
- Open the URL in a browser and save the content as an .xml file, either by copying the content from the browser or using the browser's Save As. Select option 2 in the wizard and choose this file for configuration.
- Click Next.
- Enter a Display Name for this configuration (example: Boomi SSO) and click Next.
- Accept all the default settings on the following screens and finally click Finish to close the wizard.
- A new window will now open to configure 'Claim Rules'.
Configuring Claim Rules on ADFS
- Click 'Add Rule' and select 'Send LDAP Attributes as Claims' as the claim rule template from the drop-down;
- Give the claim rule a name.
- Select 'Active Directory' for the Attribute Store;
- Select 'E-Mail-Addresses' for the LDAP Attribute as shown below;
- In this case, the e-mail address is the Federation ID for this company. The attribute will differ between companies, depending on which field you use to identify users.
- Select 'Name ID' as the Outgoing Claim Type.
- Click OK.
Now we have completed the ADFS Configuration.
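The same Relying Party Trust and claim rule can be created from the ADFS PowerShell module instead of the wizard. This is an added example, not part of the original article; it assumes it runs on the ADFS server, keeps the article's <Account_ID> placeholder, and assumes a local fallback path for the saved metadata file.

```powershell
# Added example (not from the original article): scripted equivalent of the
# ADFS wizard steps above. <Account_ID> is the article's placeholder; replace
# it with your own account ID. Run on the ADFS server as an ADFS administrator.
Import-Module ADFS

$displayName  = 'Boomi SSO'
$metadataUrl  = 'https://platform.boomi.com/sso/<Account_ID>/saml?metadata=true'
$metadataFile = 'C:\temp\boomi-sp-metadata.xml'   # assumed path for the fallback

# Option 1: import the trust straight from the AtomSphere metadata URL.
# Option 2 (fallback): if the server cannot reach the URL, save the XML from a
# browser to $metadataFile and import it from disk instead.
if (Test-Path $metadataFile) {
    Add-AdfsRelyingPartyTrust -Name $displayName -MetadataFile $metadataFile
} else {
    Add-AdfsRelyingPartyTrust -Name $displayName -MetadataUrl $metadataUrl
}

# Claim rule equivalent to 'Send LDAP Attributes as Claims':
# Attribute Store = Active Directory, LDAP attribute E-Mail-Addresses (mail)
# issued as the outgoing claim type Name ID (the Federation ID Boomi matches on).
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email as Federation ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName $displayName -IssuanceTransformRules $issuanceRules

# Authorization: the wizard's default is to permit everyone. On ADFS 2016 and later
# this is an access control policy; on ADFS 2012 R2 use -IssuanceAuthorizationRules.
Set-AdfsRelyingPartyTrust -TargetName $displayName -AccessControlPolicyName 'Permit everyone'

# Verify the trust picked up the SAML endpoint from the metadata and the claim rule.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

If ADFS reports that no users are reaching the Boomi login page after this, check the Identifier and SamlEndpoints in the verification output against the AtomSphere metadata before revisiting the claim rule.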
Boomi AtomSphere User Management
Now that the SSO configuration is complete on both the Boomi and ADFS sides, we need to update the user accounts in AtomSphere to link each user with their own Federation ID.
- Navigate to 'User Management' on the 'Setup' page.
- Click on the user and click the 'Edit' (pencil) icon.
- You will now see the user edit dialog shown below; enter the 'Federation ID'. In this case we are using the e-mail address as the Federation ID.
- Click OK.
This step is important because SSO only authenticates the user's credentials; authorization is still done through User Management and roles in Boomi. Each user must therefore be updated with their 'Federation ID' so that Boomi can map the identity asserted by ADFS back to the correct AtomSphere user after a successful authentication.
Access Boomi using SSO
Now you can access Boomi AtomSphere using SSO with the 'AtomSphere Login URL' copied earlier (https://platform.boomi.com/sso/<Account_ID>/saml);
- This URL will first take you to the IdP (Identity Provider) login page, as shown below;
- Once the user is successfully authenticated by ADFS, the user is routed to 'platform.boomi.com'.
1. The metadata URL is not active or returns nothing?
Ensure SSO is enabled in your account. Once SSO is enabled in Boomi AtomSphere, the SSO metadata URL becomes active for your account: