Regroup can integrate with your Single Sign-On system, including LDAP, OpenLDAP, Active Directory (AD), SAML, CAS, and Shibboleth. Please find below the details we will need from you to complete the integration.

Please note: once the connection is established, make sure a UserName is uploaded for every user if that is the attribute you are passing to us for authentication.

LDAP/AD Setup

To map the LDAP/AD authentication, we need:

1) The Regroup IP addresses listed below enabled (allowed) on your firewall
2) LDAP/AD connection details
3) An LDAP/AD account with read access
4) A sample LDAP/AD entry

Regroup IP addresses to be enabled:

209.20.67.27
67.207.132.197
209.20.71.38
67.207.138.71
67.207.138.187
209.20.68.52

Examples of LDAP/AD connection details:

Example 1 (service account DN):

CN=Regroup Services,OU=Domain Users,DC=xxxxx,DC=local

Example 2:

IP: 2xx.xx.xx.xx:389
Username: regroup
Password: xxxxx
Base: DC=schoollabs, DC=edu
CN=Users
Test case: schoolabs\passw0rd

Whitelist Regroup Emails

Please whitelist our email servers and their IP addresses, listed below:

vinayaka.regroup.com 67.207.143.248
anjaneya.regroup.com 162.209.9.103
veera.regroup.com 162.209.88.57
radha.regroup.com 166.78.237.237
ganga.regroup.com 192.237.185.183
yamuna.regroup.com 192.237.186.88

CAS Setup

Please provide us with the CAS link and a test user/password for your CAS server so that we can test and implement the integration.

We will be using the URL below to connect to your CAS. Please add/authorize this domain on your CAS server.

https://network-coded-name.regroup.com (for example https://demo.regroup.com). "demo" and "network-coded-name" are placeholders: you need the coded name for your organization, which we provide during and after the implementation.

SAML Setup and Shibboleth

Please create an issuer for Regroup on your side. The assertion consumer service URL must be https://network-coded-name.regroup.com/saml/consume (for example https://demo.regroup.com/saml/consume) and the issuer title must be https://network-coded-name.regroup.com (for example https://demo.regroup.com). Also provide us the IdP SSO URL and a test account.

Please provide a test user, including the user name and password.

Configuring ADFS 2.0/3.0 to Communicate with SAML 2.0

ADFS Relying Party Configuration

  1. Open the ADFS Management console and select Relying Party Trusts.
  2. Select "Add Relying Party Trust…" from the top right corner of the window. (The Add wizard appears.)
  3. Click Start to begin.
  4. Select "Enter data about relying party manually".
  5. Give it a display name such as Regroup and enter any notes you want.
  6. Select the ADFS 3.0/2.0 Profile.
  7. You will be prompted to browse for a certificate to encrypt and decrypt the claims. Skip this step by pressing Next.
  8. Do not enable any settings on the Configure URL page.
  9. Enter the Regroup web site to which you connected as the Relying Party trust identifier; in this case use https://coded_name.regroup.com, then click Add.
  10. Permit all users to access this relying party.
  11. Click Next and clear the "Open the Claims when this finishes" check box.
  12. Close this page. The new relying party trust appears in the window.
  13. Right-click on the relying party trust and select Properties.
  14. Browse to the Advanced tab and set the Secure hash algorithm to SHA-1.
  15. Browse to the Endpoints tab and add a SAML Assertion Consumer endpoint with a POST binding and a URL of https://coded_name.regroup.com/saml/consume.

ADFS Relying Party Claim Rules

Edit the claim rules to enable proper communication with the Regroup system.

  1. Right-click on the relying party trust and select Edit Claim Rules….
  2. On the Issuance Transform Rules tab, select Add Rule….
  3. Select Send LDAP Attributes as Claims as the claim rule template to use.
  4. Give the claim rule a name such as Get LDAP Attributes.
  5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-Mail Address.
  6. Select Finish.
  7. Select Add Rule….
  8. Select Transform an Incoming Claim as the claim rule template to use.
  9. Give it a name such as Email to Name ID. The Incoming claim type should be E-Mail Address (it must match the Outgoing Claim Type in rule #1). The Outgoing claim type is Name ID (the Regroup policy requests urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and the Outgoing name ID format is Email. Pass through all claim values and click Finish.
  10. If you edit the existing rules and click View Rule Language…, they should match the following:

Rule #1:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);

Rule #2:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
          = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Single Logout Support

To create a SAML logout endpoint in your RP trust configuration in ADFS:

  1. Go to ADFS manager > Trust Relationships > Relying Party Trusts > Properties.
  2. Under the Endpoints tab, click Add.
  3. Configure the settings:
     a. Endpoint Type: SAML Logout
     b. Binding: POST
     c. URL: https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0
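As an added example (not part of the Regroup article or its product), the same relying party trust, the two claim rules and the SAML logout endpoint created in one step with the ADFS PowerShell module instead of the wizard. The coded_name and myadfsserver.domain.net placeholders are the article's; the rule text is Rule #1 and Rule #2 above.

```powershell
# Added example: script the ADFS relying party configuration described above.
# Assumptions: "coded_name" and myadfsserver.domain.net are the article's
# placeholders; replace them with the values Regroup gives your organization.
Import-Module ADFS

$rpName     = 'Regroup'
$identifier = 'https://coded_name.regroup.com'               # step 9
$acsUrl     = 'https://coded_name.regroup.com/saml/consume'   # step 15
$logoutUrl  = 'https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0'

# Step 14 asks for SHA-1. SHA-1 signatures are deprecated; use the
# rsa-sha256 URI instead if Regroup confirms their SP accepts it.
$sigAlg = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Endpoints from step 15 and the Single Logout section (POST binding for both).
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
)

# Rule #1 and Rule #2 exactly as shown in the article's rule language.
$transformRules = @'
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 10: permit all users to access this relying party (the rule the wizard generates).
$authzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $identifier `
    -SamlEndpoint $endpoints -SignatureAlgorithm $sigAlg `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
    -Notes 'Regroup SAML SSO (see Regroup SSO integration article)'

# Verify: identifier, both endpoints, hash algorithm and the Name ID rule should all be present.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints, IssuanceTransformRules
```

Run it in an elevated PowerShell session on the ADFS server; the final Get-AdfsRelyingPartyTrust output is what you compare against steps 9, 14, 15 and the rule language above.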


Once you are done, please provide us:

1. The metadata URL, for example:
   https://example.domain.edu/FederationMetadata/2007-06/FederationMetadata.xml

2. The SSO URL, for example:
   https://example.domain.edu/adfs/ls/

3. The LDAP Attribute / Outgoing Claim Type you configured.

Also please provide Regroup with a test account, including the username and password, so that we can verify the implementation.
