Info

This guide covers the configuration of a Relying Party Trust in AD FS and the corresponding configuration in ResourceXpress. It does not cover the installation or initial configuration of AD FS.

If you intend to restrict access to ResourceXpress to a specific set of users, it is recommended that you create a relevant Active Directory security group before proceeding with the AD FS configuration.


Download the ResourceXpress MetaData file

Note

Before downloading the Metadata file, ensure you are accessing ResourceXpress via a routable URL. Do not download the file if you are browsing the application from its host server using “localhost”.

If your end-users will be accessing ResourceXpress via a public/external URL, ensure you generate the file when browsing this URL, not the internal FQDN.
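A check for the condition in the note above, as an added example that is not part of the original guide. It assumes the downloaded file is standard SAML 2.0 service provider metadata; the function name, the sample XML (including its endpoint path) and the file path in the last comment are constructed for illustration.

```powershell
# Added example: flag endpoint URLs in SP metadata that AD FS should not be given.
function Test-SpMetadataUrl {
    param(
        [Parameter(Mandatory)][xml]$Metadata,
        [string]$ExpectedHost   # host name end users browse to (optional)
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')

    # These are the URLs AD FS sends the user's browser back to after sign-in.
    $xpath = '//md:AssertionConsumerService | //md:SingleLogoutService'
    foreach ($node in $Metadata.SelectNodes($xpath, $ns)) {
        $location = $node.GetAttribute('Location')
        $uri = $null
        if (-not [System.Uri]::TryCreate($location, [System.UriKind]::Absolute, [ref]$uri)) {
            $issue = 'not an absolute URL'
        } elseif ($uri.IsLoopback) {
            $issue = 'points at localhost; regenerate the file from the routable URL'
        } elseif ($uri.Scheme -ne 'https') {
            $issue = 'not HTTPS'
        } elseif ($ExpectedHost -and $uri.Host -ne $ExpectedHost) {
            $issue = "host differs from $ExpectedHost"
        } else {
            $issue = $null
        }
        [pscustomobject]@{ Endpoint = $node.LocalName; Location = $location; Issue = $issue }
    }
}

# Constructed sample: metadata generated while browsing from the host server.
[xml]$sample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://localhost/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost/Saml/Acs" />
  </SPSSODescriptor>
</EntityDescriptor>
'@
Test-SpMetadataUrl -Metadata $sample | Format-List

# Real file (path is an assumption):
# Test-SpMetadataUrl -Metadata ([xml](Get-Content -Raw .\rx-metadata.xml)) -ExpectedHost 'rx.example.com'
```

Any row with a non-empty Issue means the file should be regenerated before it is imported into the Relying Party Trust.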

...

Ensure Forms Authentication is selected

...

Create a Relying Party Trust in AD FS

...

On the Choose Access Control Policy page, select the option Permit specific group, then click the <parameter> option in the Policy window.

In the pop-up Select Groups window click Add…, then browse for and add the security groups that will have access to ResourceXpress.

Once added, click Next > to proceed to the Ready to Add Trust window and click Next > again to save the configuration. You will see the new configuration in the Relying Party Trusts main window.

...

In the Choose Rule Type window, drop down the option Claim rule template: and select Send LDAP Attributes as Claims, then click Next >

...

Give the rule a suitable name and select Active Directory as the Attribute store:

Info

The following tables list the three required claims as well as two optional claims for RFID and Access Code. The optional claims should be configured if you intend to make authenticated instant bookings on Room Screen devices and/or you will not be enabling SSO for the mobile Kiosk/Maps features.

The attributes used for the optional claims can be any AD attribute; however, the value for each user must be unique.

Required Claims

| LDAP Attribute | Outgoing Claim Type |
| --- | --- |
| E-Mail-Address | email |
| Given-Name | firstname |
| Surname | lastname |

Optional Claims

| LDAP Attribute | Outgoing Claim Type |
| --- | --- |
| <unique-custom-attribute> | rfid |
| <unique-custom-attribute> | accesscode |
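The same claim mapping written in AD FS claim rule language and applied with the AD FS PowerShell module, as an added example that is not part of the original guide. The trust name and rule names are assumptions, and the optional attribute names are left empty for you to fill in with the AD attributes you chose.

```powershell
# Added example. Run in an elevated session on the primary AD FS server.
# $rpName is an assumption: use the display name you gave the trust in the wizard.
$rpName = 'ResourceXpress'
# Optional claims: set each value to the LDAP name of the AD attribute that feeds it.
$optional = [ordered]@{ rfid = ''; accesscode = '' }

$match = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]'

# E-Mail-Address, Given-Name and Surname in the wizard are the display names of
# the LDAP attributes mail, givenName and sn.
$rules = @"
@RuleName = "ResourceXpress required claims"
$match
 => issue(store = "Active Directory", types = ("email", "firstname", "lastname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
"@

$set = @($optional.GetEnumerator() | Where-Object { $_.Value })
if ($set.Count -gt 0) {
    $types = ($set | ForEach-Object { '"' + $_.Key + '"' }) -join ', '
    $attrs = ($set | ForEach-Object { $_.Value }) -join ','
    $rules += @"

@RuleName = "ResourceXpress optional claims"
$match
 => issue(store = "Active Directory", types = ($types),
          query = ";$attrs;{0}", param = c.Value);
"@
}

# -IssuanceTransformRules replaces the whole rule set, so keep a copy first.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules | Set-Content -Path ".\${rpName}-rules-backup.txt"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the rules back to confirm what the trust will actually issue.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```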

Optional Claims

In addition to synchronising users' details, it is also possible to retrieve other attributes that can be used to populate Access Code, RFID and other values in the ResourceXpress local user database.

To configure this you will need to add more claims; see the table below for the optional claims.

Claim Name: rfid
Information: The RFID value as read by the ResourceXpress system, used for screen authentication.
LDAP Attribute: custom attribute

Claim Name: accesscode
Information: The user's Access Code/PIN, used for screen authentication.
LDAP Attribute: custom attribute

Claim Name: defaultlocation
Information: The ID number for the Location that the user will have default access to.

Info

This requires a single Location ID value.

To get the Location ID number, navigate to the location edit screen.

Administration Settings → System Settings → Locations

Then select the Edit button for the correct location.
You will find the ID number at the end of the page URL.
https://app.rx-cloud.com/Setting/Location?Id=1

LDAP Attribute: custom attribute

Claim Name: allowedlocation
Information: A comma separated list of Location ID numbers that the user has access to.

Info

If more than 1 location is required, separate the ID values with a comma ( , ).

To get the location ID number, navigate to the location edit screen.

Administration Settings → System Settings → Locations

Then select the Edit button for the correct location.
You will find the ID number at the end of the page URL.
https://app.rx-cloud.com/Setting/Location?Id=1

LDAP Attribute: custom attribute

Claim Name: dateformat
Information: The date format for the user.

dd,MM,yyyy → (25, 01, 2021)
MM / dd / yyyy → (01 / 25 / 2021)

LDAP Attribute: custom attribute

Claim Name: roles
Information: A comma separated list of Role ID numbers.

Info

If more than 1 role is required, separate the ID values with a comma ( , ).

The default role ID values are as below

Super Admin → 1
Server Admin → 2
User Admin → 3
User → 4
Messaging → 5
Reporting → 6
Location Admin → 7

To get the Role ID number for any custom Roles, navigate to the Role edit screen.

Administration Settings → System Settings → Locations

Then select the Edit button for the correct location.
You will find the ID number at the end of the page URL.
https://app.rx-cloud.com/Setting/Location?Id=1

LDAP Attribute: custom attribute

Once you have configured the claims, click OK and Apply.
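An audit of the values that will feed the optional claims, as an added example that is not part of the original guide. It checks the uniqueness requirement for rfid and accesscode and lists which accounts would receive an admin role through the roles claim. The function name and the property names on the input objects are assumptions standing in for whichever AD attributes you mapped, and the sample users are constructed.

```powershell
# Added example: review claim source values before they are synchronised.
function Test-RxClaimSource {
    param([Parameter(Mandatory)][object[]]$Users)

    # IDs from the default role list above whose names contain "Admin".
    $adminRoles = @{ 1 = 'Super Admin'; 2 = 'Server Admin'; 3 = 'User Admin'; 7 = 'Location Admin' }

    # rfid and accesscode identify a person at a screen, so each value must
    # belong to exactly one user.
    foreach ($claim in 'rfid', 'accesscode') {
        $Users | Where-Object { $_.$claim } | Group-Object -Property $claim |
            Where-Object Count -gt 1 | ForEach-Object {
                [pscustomobject]@{ Claim = $claim; Users = $_.Group.SamAccountName -join ', '
                                   Issue = 'value shared by more than one user' }
            }
    }

    # roles is a comma separated list of role IDs. Whoever can write the source
    # attribute in AD decides who holds these roles in ResourceXpress.
    foreach ($u in $Users | Where-Object { $_.roles }) {
        foreach ($token in ($u.roles -split ',').Trim()) {
            $id = 0
            if (-not [int]::TryParse($token, [ref]$id)) {
                [pscustomobject]@{ Claim = 'roles'; Users = $u.SamAccountName
                                   Issue = "'$token' is not a role ID" }
            } elseif ($adminRoles.ContainsKey($id)) {
                [pscustomobject]@{ Claim = 'roles'; Users = $u.SamAccountName
                                   Issue = "grants $($adminRoles[$id]); confirm this is intended" }
            }
        }
    }
}

# Constructed sample users; property names are assumptions (see above).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; rfid = '04A1B2'; accesscode = '1234'; roles = '4' }
    [pscustomobject]@{ SamAccountName = 'bjones'; rfid = '04A1B2'; accesscode = '5678'; roles = '4, 1' }
    [pscustomobject]@{ SamAccountName = 'cwu';    rfid = '';       accesscode = '9012'; roles = 'admin' }
)
Test-RxClaimSource -Users $sample | Format-Table -AutoSize
```

For live data, pipe Get-ADUser output through Select-Object to rename your chosen attributes to these property names before passing it to the function.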

...

Once you have configured AD FS for SSO you will need to download the IDP MetaData file for use in ResourceXpress. To obtain this file, navigate to the URL below, replacing <ADFS-ServerName> with the FQDN of your AD FS server.

https://<ADFS-ServerName>/FederationMetadata/2007-06/FederationMetadata.xml

Download the file to a suitable location.

...

Note

Before configuring and saving the below configuration please ensure you have a valid local administrator account configured in ResourceXpress.

It is important that this account has the same values for First Name, Last Name and Email ID matched to the respective LDAP attributes.

Failure to have a locally configured administrator account before saving the SSO settings could result in you being locked out of the application.

...

The URL and Authenticating Authority fields will be auto-populated with the required values

...

Select the options to Auto create user records from SSO and Sync user details from SSO

...

Click Save

You have successfully configured SSO via AD FS for ResourceXpress. When a new user navigates to the application URL they will be prompted for their SSO credentials. After they sign in successfully, a new local user account will be created with the User role assigned by default.

...