- 09 May 2023
SSO: Configure ADFS for use with InVision V7
- Updated on 09 May 2023
Getting set up to use ADFS with InVision V7 involves the following primary tasks:
- Set up the hash algorithm
- Download InVision metadata
- Create a new Relying Party Trust
- Add a claim rule to send the email address of your user
- Add a Transform Claim Rule
- Configure ADFS in InVision V7
We recommend that these steps be completed by your IT team or an IT Manager, since the ADFS side requires administrative rights on the federation server.
Set up the hash algorithm
The secure hash algorithm is a property of the InVision relying party trust, so you can only set it once that trust exists (see Create a new Relying Party Trust below). In the ADFS management console, open the properties of the InVision relying party trust, go to the Advanced tab, select SHA-256 from the Secure hash algorithm menu, and select OK. Older ADFS installations default to SHA-1 for new trusts; leaving that in place means the assertions ADFS signs for InVision use a deprecated hash.
Download InVision metadata
Download InVision's SAML metadata from this URL: https://your_enterprise_subdomain.invisionapp.com/sso/metadata
You’ll need this when creating a new Relying Party Trust in ADFS.
Create a new Relying Party Trust
First, open the ADFS management console (the ADFS 2.0 MMC snap-in on older servers) and add a new Relying Party Trust for InVision. The Add Relying Party Trust wizard walks you through the following steps:
- In the Select Data Source step, import the XML metadata you downloaded from https://your_enterprise_subdomain.invisionapp.com/sso/metadata (the wizard can also fetch it from that URL directly if the ADFS server can reach it).
- Give the trust a Display Name like "InVision" and select Next.
- Select the Permit all users to access this relying party option and then select Next. This issues a token to every user who can authenticate to ADFS; if only part of your directory should reach InVision, tighten the issuance authorization rules (or the access control policy on newer ADFS versions) once the trust is created.
- Leave Open the Edit Claim Rules dialog checked and select Close.
Add a claim rule to send the email address of your user
In the Edit Claim Rules window, do the following:
- Click Add Rule to begin creating a new Claim Rule.
- Select Send LDAP Attributes as Claims as the rule template.
- Name the rule "Send UPN as Email" (adjust the name if you map a different LDAP attribute below).
- Select Active Directory as your Attribute Store.
- Set User-Principal-Name as the LDAP attribute, or whichever attribute holds your users' primary email address. If your UPN suffix differs from the email domain your users registered with InVision, use E-Mail-Addresses (the mail attribute) instead, because this value becomes the NameID InVision uses to identify the user.
- Select E-Mail Address as the Outgoing Claim Type.
- Select OK to create the rule.
Add a Transform Claim Rule
After you've added a new rule to send the email address as a claim, add a Transform Claim rule to transform it into the proper NameID format:
- Click Add Rule again to add a new rule and select "Transform an Incoming Claim" as the rule template.
- Enter "Transform Email to Name ID" for the "Claim rule name."
- Select E-Mail Address as the "Incoming claim type."
- Select Name ID for the "Outgoing claim type."
- Select Email for the "Outgoing name ID format."
- Make sure Pass through all claim values is selected (it should be by default).
- Select OK to save your rule.
- Verify that this new rule is below the initial rule you created and select OK again to close the rule editor.
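The same relying party trust, hash algorithm and both claim rules can be created from PowerShell instead of clicking through the wizard, which is also the quickest way to verify what the GUI produced. The script below is an added example, not InVision's or Microsoft's code; it assumes the trust is named "InVision", that your_enterprise_subdomain is a placeholder for your real subdomain, and that it runs in an elevated PowerShell on the ADFS server.

```powershell
# Added example (not InVision's or Microsoft's code). Run elevated on the ADFS server.
# Assumptions: trust name "InVision"; your_enterprise_subdomain is a placeholder.
# On ADFS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell  instead of Import-Module.
Import-Module ADFS

$trustName   = "InVision"
$metadataUrl = "https://your_enterprise_subdomain.invisionapp.com/sso/metadata"

# Claim type URIs behind the names shown in the ADFS GUI.
$emailClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$nameIdClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$formatProp  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
$emailFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Rule 1 ("Send LDAP Attributes as Claims"): userPrincipalName -> E-Mail Address.
#   Change ";userPrincipalName;" to ";mail;" if the mailbox address, not the UPN,
#   is the address InVision knows your users by.
# Rule 2 ("Transform an Incoming Claim"): E-Mail Address -> Name ID, email format.
# Rules run in order, so rule 1 must stay above rule 2.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Email to Name ID"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$formatProp"] = "$emailFormat");
"@

# "Permit all users to access this relying party" expressed as an authorization rule.
# Narrow this (for example to a group SID) if only some users should reach InVision.
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Create the trust from InVision's metadata. -SignatureAlgorithm is what the
# "Secure hash algorithm" menu on the Advanced tab sets; rsa-sha256 == SHA-256.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $metadataUrl `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the algorithm must end in rsa-sha256 and the two rules must appear in order.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$trust | Select-Object Name, Identifier, SignatureAlgorithm, Enabled
$trust.IssuanceTransformRules

# If a trust created through the wizard is still on SHA-1, this fixes it in place:
# Set-AdfsRelyingPartyTrust -TargetName $trustName -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
```

The final `Get-AdfsRelyingPartyTrust` call is worth running even if you used the wizard: it shows the SignatureAlgorithm actually stored on the trust and prints the claim rules in the order ADFS will evaluate them.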
Configure ADFS in InVision V7
The owner or an admin on your Enterprise must configure ADFS in your InVision V7 account. Save the metadata file ADFS provides (ADFS publishes it at https://<your ADFS host>/FederationMetadata/2007-06/FederationMetadata.xml), and then complete these steps:
- Sign in to your InVision Enterprise at your-team-name.invisionapp.com.
- In the lower-left corner, select the [Your Team Name] dropdown, and then select People & Team settings. Note: The Team page opens with the People tab active.
- Select the Settings tab, and then select Single sign-on.
- Turn on Require SSO for every member of [your enterprise team]. Confirm with a test account that sign-in through ADFS works before requiring it for everyone, since a wrong value here can lock members out.
- Fill out the fields using the appropriate information from the ADFS metadata file.
- Select Update.
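The ADFS metadata file is large and contains several certificates, so it is easy to copy the wrong one into InVision. The script below is an added example, not InVision's or Microsoft's code; it pulls the metadata ADFS publishes, extracts the values a SAML service provider such as InVision typically asks for (issuer/entity ID, sign-in URL and token-signing certificate, which is an assumption about InVision's form since the page does not name its fields), and checks the published certificate against the one ADFS is actually signing with. adfs.example.com is a placeholder for your federation service host.

```powershell
# Added example (not InVision's or Microsoft's code). Run on the ADFS server.
# Assumption: adfs.example.com is a placeholder for your federation service host name.
Import-Module ADFS

$adfsHost    = "adfs.example.com"
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Fetch the metadata ADFS publishes; this is the file the InVision settings come from.
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = @{
    md = "urn:oasis:names:tc:SAML:2.0:metadata"
    ds = "http://www.w3.org/2000/09/xmldsig#"
}

# Issuer / entity ID and the SAML 2.0 sign-in endpoint (ADFS serves both the
# HTTP-POST and HTTP-Redirect bindings from the same /adfs/ls/ location).
$entityId = $md.EntityDescriptor.entityID
$ssoUrl   = (Select-Xml -Xml $md -Namespace $ns `
    -XPath "//md:IDPSSODescriptor/md:SingleSignOnService" | Select-Object -First 1).Node.Location

# Every certificate the IdP descriptor publishes for signing.
$publishedCerts = Select-Xml -Xml $md -Namespace $ns `
    -XPath "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate" |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    }

# Cross-check against the certificate ADFS currently signs with. With
# AutoCertificateRollover enabled, the metadata also lists the secondary
# certificate that will become primary later; a relying party that stores only
# one certificate stops accepting assertions at that rollover.
$primary = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint

"Entity ID / Issuer : $entityId"
"Sign-in URL        : $ssoUrl"
foreach ($c in $publishedCerts) {
    $role = if ($c.Thumbprint -eq $primary) { "PRIMARY   - this is the one to paste into InVision" }
            else                            { "secondary - will take over at the next rollover" }
    "Signing cert $($c.Thumbprint) valid until $($c.NotAfter.ToShortDateString()) : $role"
}
if (@($publishedCerts).Count -gt 1) {
    Write-Warning "More than one token-signing certificate is published; schedule an InVision update before the rollover date."
}
```

Run it again whenever ADFS rolls its token-signing certificate: the thumbprint InVision holds must match the primary one reported here, or every SSO login fails with a signature validation error.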