To properly configure ADFS with InVision, be sure to follow all the steps outlined below.
Sending metadata to InVision Support
Before you can set up ADFS, we need to configure SSO for your account. Save your IdP's metadata and have the owner or an admin on your InVision Enterprise organization submit a request to InVision's Support team to finish the configuration. Be sure to attach the metadata for your IdP. Once you've sent us the metadata, we can begin configuring InVision to work with your IdP.
Before implementing SSO for your Enterprise, we recommend first ensuring that the Enable password expiration option is toggled off in your Password Policy settings. With SSO enabled, password expiration via InVision (rather than your SSO provider) may prevent some of your members from accessing your Enterprise account if they forget their native InVision password.
After SSO has been enabled for your account, you can begin setting up ADFS.
Set up the hash algorithm
Visit your Advanced tab for the InVision application in ADFS, then select SHA-256 from the Secure hash algorithm menu. Click OK.
Download our metadata
Download our SAML metadata from https://your_enterprise_subdomain.invisionapp.com/login-api/api/v1/sso/saml/metadata
You’ll need this when creating a new Relying Party Trust in ADFS.
Create a new Relying Party Trust
First, you’ll need to open the ADFS 2.0 MMC snap-in and create a new “Relying Party Trust” that you can configure to work with InVision. The wizard will walk you through the following steps:
In the Select Data Source step, import the XML metadata you downloaded from https://your_enterprise_subdomain.invisionapp.com/login-api/api/v1/sso/saml/metadata
Give the trust a Display Name like “InVision” and click Next.
Select the Permit all users to access this relying party option and click Next.
Check the Open the Edit Claim Rules Dialog... option and click the Close button.
Add a claim rule to send the email address of your user
In the Edit Claim Rules window that appears, do the following:
Click Add Rule to begin creating a new Claim Rule.
Select Send LDAP Attributes as Claims as the rule template.
Title the rule "Send UPN as Email" (you should tweak this title if you use a different attribute in step 5 below).
Select Active Directory as your Attribute Store.
Set User-Principal-Name (or whatever LDAP attribute contains the primary email address for your users) as the LDAP attribute.
Add E-mail Address as the Outgoing Claim Type.
Click OK to create the rule.
Add a Transform Claim Rule
After you've added a new rule to send the email address as a claim, we need to transform it into the proper NameID format. To do that, we add a Transform Claim rule:
Click Add Rule again to add a new rule and select "Transform an Incoming Claim" as the rule template.
Enter "Transform Email to Name ID" for the "Claim rule name."
Select E-Mail Address as the "Incoming claim type."
Select Name ID for the "Outgoing claim type."
Select Email for the "Outgoing name ID format."
Make sure Pass through all claim values is selected (it should be selected by default).
Click OK to save your rule.
Verify that this new rule is below the initial rule you created and click OK again to close the rule editor.