

InVision Cloud V7: SSO - Configuring ADFS for use with InVision

This article provides answers for InVision Cloud V7 only. If you're using V6 of InVision, read this article instead. Not sure which version you're using? Find out now.

To properly configure ADFS with InVision, be sure to follow all the steps outlined below.

Configuring ADFS in InVision Cloud V7

First, you'll need to configure ADFS in your InVision Cloud V7 account. Save your IdP's metadata, and then take these steps:

  1. Sign in to your InVision Cloud V7 Enterprise account.
  2. At the top of the page, click Team.
  3. Click Settings tab, and then click Single sign-on.
  4. Toggle on Require SSO for every member of [your enterprise team].
  5. Fill out the fields using the appropriate information from your IdP's metadata file.
  6. Click Update.

Setting up the hash algorithm

In ADFS, visit your Advanced tab for the InVision application, then select SHA-256 from the Secure hash algorithm menu. Click OK.


Downloading InVision metadata

Download InVision's SAML metadata from https://your_enterprise_subdomain.invisionapp.com/login-api/api/v1/sso/saml/metadata

You’ll need this when creating a new Relying Party Trust in ADFS.

Creating a new Relying Party Trust

First, open the ADFS 2.0 MMC snap-in and create a new Relying Party Trust that you can configure to work with InVision. The wizard walks you through the following steps:

  1. In the Select Data Source step, import the XML metadata you downloaded from https://your_enterprise_subdomain.invisionapp.com/login-api/api/v1/sso/saml/metadata
  2. Give the trust a Display Name like “InVision” and click Next.
  3. Select the Permit all users to access this relying party option and click Next.
  4. Check the Open the Edit Claim Rules Dialog... box and click Close.

Adding a claim rule to send the email address of your user

In the Edit Claim Rules window that appears, do the following:

  1. Click Add Rule to begin creating a new Claim Rule.
  2. Select Send LDAP Attributes as Claims as the rule template.
  3. Title the rule "Send UPN as Email" (you should tweak this title if you use a different attribute in step 5 below).
  4. Select Active Directory as your Attribute Store.
  5. Set User-Principal-Name (or whatever LDAP attribute contains the primary email address for your users) as the LDAP attribute.
  6. Add E-mail Address as the Outgoing Claim Type.
  7. Click OK to create the rule.

Adding a Transform Claim Rule

After you've added the rule that sends the email address as a claim, you need to transform that claim into the NameID format InVision expects. To do that, add a Transform Claim rule:

  1. Click Add Rule again to add a new rule and select "Transform an Incoming Claim" as the rule template.
  2. Enter "Transform Email to Name ID" for the "Claim rule name."
  3. Select E-Mail Address as the "Incoming claim type."
  4. Select Name ID for the "Outgoing claim type."
  5. Select Email for the "Outgoing name ID format."
  6. Make sure Pass through all claim values is selected (it should be selected by default).
  7. Click OK to save your rule.
  8. Verify that this new rule is below the initial rule you created and click OK again to close the rule editor.
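The same Relying Party Trust, SHA-256 setting and two claim rules, as an added PowerShell example rather than InVision's own script; it assumes the ADFS module on Windows Server 2012 R2 or later (ADFS 2.0 loads the same cmdlets with `Add-PSSnapin Microsoft.Adfs.PowerShell`), that you run it on the ADFS server as an ADFS administrator, and that `your_enterprise_subdomain` is replaced with your own subdomain. The claim rule text is what the wizard generates for the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates, so you can compare it against the rule editor after clicking through the steps above.

```powershell
# Added example (not InVision's own script): the Relying Party Trust and the
# two claim rules from this article, created with the ADFS PowerShell module.
Import-Module ADFS

$rpName      = "InVision"   # the Display Name used in the article
$metadataUrl = "https://your_enterprise_subdomain.invisionapp.com/login-api/api/v1/sso/saml/metadata"

# Rule 1, "Send UPN as Email": the userPrincipalName LDAP attribute is issued
# as an E-mail Address claim. Change ";userPrincipalName;" if a different
# attribute holds your users' primary email address (step 5 above).
# Rule 2, "Transform Email to Name ID": the email claim becomes the SAML
# NameID with the emailAddress format (the "Email" outgoing name ID format).
# Rule order matters: rule 2 must come after rule 1, as step 8 above says.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Import the trust from InVision's SP metadata (entity ID, assertion consumer
# endpoint and SP certificate come from the metadata, as in the wizard's
# Select Data Source step) and pin the signature algorithm to SHA-256, which
# is what the Advanced tab setting above does.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataUrl $metadataUrl `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check the result: SHA-256 is set and the transform rule follows the LDAP rule.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, SignatureAlgorithm, IssuanceTransformRules |
    Format-List
```

If the trust already exists from the wizard, use `Set-AdfsRelyingPartyTrust -TargetName $rpName` with the same `-SignatureAlgorithm` and rule parameters instead of `Add-AdfsRelyingPartyTrust`.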
