Follow these instructions to set up AD FS single sign on for your organization on Lexio.
Upon successful completion of these instructions, reach out to your Narrative Science customer success resource for final verification of the set-up.
1. Create a Lexio Relying Party Trust in the AD FS instance
Start the Add Relying Party Trust wizard within AD FS
Select Claims aware on the Welcome page, and then click Start.
Select Enter data about the relying party trust manually on the Select Data Source page, and click Next
Enter the name of the relying party on the Specify Display Name page: urn:auth0:lexio-prod:$CONNECTION_NAME
Replace $CONNECTION_NAME with the name of the Auth0 SAML connection.
Click Next on the Configure Certificate page
Check the box for Enable support for the SAML 2.0 WebSSO Protocol on the Configure URL page.
The wizard then requests a trusted Relying party SAML 2.0 service URL.
Enter https://auth.lexio.narrativescience.com/login/callback?connection=$CONNECTION_NAME
Replace $CONNECTION_NAME with the name of the Auth0 SAML connection.
Add urn:auth0:lexio-prod:$CONNECTION_NAME to the Relying Party Trust Identifier on the Configure Identifiers page.
Replace $CONNECTION_NAME with the name of the Auth0 SAML connection.
Select Permit Everyone on the Choose Access Control Policy page, and then click Next
Click Next on the Ready to Add Trust page. You'll be presented with a Finish page.
Check the Configure claims issuance policy for this application checkbox on the Finish page, and click Close.
2. Claims Issuance Policy
After clicking Close on the Add Relying Party Trust wizard, you'll be presented with the Edit Claims Issuance Policy wizard
Click Add Rule
Select Send LDAP Attributes as Claims when configuring the Claim Rule Template, and click Next.
Enter a value for the Claim Rule Name
The IT admin will probably have a personal preference here — it can be anything.
Choose Active Directory as the Attribute Store
Map LDAP attributes to the following claim types:
ℹ️ Always include the outgoing Name ID claim. Ensure that all of the claims below are included, but the IT Admin can add additional mappings if they desire.
| LDAP Attribute | Outgoing Claim Type |
| --- | --- |
| E-Mail-Addresses | E-Mail Address |
| Display-Name | Name |
| User-Principal-Name | Name ID |
| Given-Name | Given Name |
| Surname | Surname |
Click Finish, and then click Apply in the Edit Claims Issuance Policy window.
3. Update the Relying Party Trust Entity ID
Select AD FS → Relying Party Trust from the left-hand navigation panel
Select the Relying Party Trust created in Step 1.
Select the Identifiers tab.
Enter urn:auth0:lexio-prod:$CONNECTION_NAME in the Relying Party Identifier field. Click Add to add the identifier to the list of known and trusted identifiers.
Replace $CONNECTION_NAME with the name of the Auth0 SAML connection.
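The wizard clicks in Steps 1 through 3 can also be scripted, which makes the result reviewable and repeatable. The following is an added example written for this page, not part of the Narrative Science documentation. It uses the AD FS PowerShell module cmdlets (Add-AdfsRelyingPartyTrust, Set-AdfsRelyingPartyTrust, New-AdfsSamlEndpoint, Get-AdfsRelyingPartyTrust) and assumes AD FS 2016 or later (the version that has the Choose Access Control Policy page); $ConnectionName is a placeholder you must replace with the Auth0 SAML connection name. The claim rule is the same "Send LDAP Attributes as Claims" mapping as the table in Step 2, written in the AD FS claim rule language.

```powershell
# Added example, not the original page's or Narrative Science's code.
# Run in an elevated PowerShell session on the AD FS server (AD FS 2016+ assumed).
Import-Module ADFS

$ConnectionName = 'CHANGE-ME'   # placeholder: name of the Auth0 SAML connection
if ($ConnectionName -eq 'CHANGE-ME') {
    throw 'Set $ConnectionName to the Auth0 SAML connection name before running.'
}
$Identifier = "urn:auth0:lexio-prod:$ConnectionName"
$AcsUrl     = "https://auth.lexio.narrativescience.com/login/callback?connection=$ConnectionName"

# Step 1, Configure URL page: the SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                            -Uri $AcsUrl -Index 0 -IsDefault $true

# Step 2, "Send LDAP Attributes as Claims" rule. One LDAP attribute per outgoing claim,
# in the same order as the table above; Name ID comes from userPrincipalName.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Lexio LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,displayName,userPrincipalName,givenName,sn;{0}",
          param = c.Value);
'@

# Create the trust once; on re-runs, update it in place (Step 3) instead of duplicating it.
$existing = Get-AdfsRelyingPartyTrust -Identifier $Identifier
if ($null -eq $existing) {
    Add-AdfsRelyingPartyTrust -Name $Identifier `
                              -Identifier $Identifier `
                              -SamlEndpoint $acs `
                              -AccessControlPolicyName 'Permit everyone' `
                              -IssuanceTransformRules $ldapRule
} else {
    Set-AdfsRelyingPartyTrust -TargetIdentifier $Identifier `
                              -Identifier $Identifier `
                              -SamlEndpoint $acs `
                              -IssuanceTransformRules $ldapRule
}

# Verification: identifier, assertion consumer URL and the claim rules actually stored.
$rp = Get-AdfsRelyingPartyTrust -Identifier $Identifier
$rp | Select-Object Name, Identifier, @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } }
$rp.IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust call is the check worth keeping: the identifier must be exactly urn:auth0:lexio-prod:$CONNECTION_NAME and the ACS URL must match the callback URL in Step 1, since Auth0 rejects assertions whose audience or destination differ from what the connection expects.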
4. Export Signing Certificate
Select AD FS → Service → Certificate from the left-hand navigation panel
Select Token-Signing certificate, and right click on the certificate to select View Certificate
Click Copy to File... from the Details tab. This will launch the Certificate Export Wizard
Click Next on the first page of the Certificate Export Wizard
Choose Base-64 Encoded X.509 (.cer). Click Next
Select the desired export location. Click Next
Click Finish to export the certificate.
5. Once the steps above are complete, send the Lexio team the following information:
Sign In URL
Signing Certificate
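Step 4 exports the token-signing certificate by hand; the script below, an added example that is not part of the Narrative Science documentation, does the same export with the AD FS PowerShell module and also produces the two values Step 5 asks for. It assumes you run it on the AD FS server in an elevated session, that the Sign In URL is the AD FS SAML 2.0 endpoint at /adfs/ls/ on the federation service host name, and it writes to a folder ($OutDir) chosen here for illustration.

```powershell
# Added example, not the original page's or Narrative Science's code.
Import-Module ADFS

$OutDir = Join-Path $env:USERPROFILE 'lexio-sso'   # assumption: any writable folder works
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# AD FS can hold a primary and a secondary (rollover) token-signing certificate.
# Auth0 verifies assertion signatures with this certificate, so send the primary one.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
if (-not $signing) { throw 'No primary token-signing certificate found.' }
$cert = $signing.Certificate

# Export the public certificate only (X509ContentType::Cert never includes the private key),
# wrapped as PEM with 64-column lines: the same "Base-64 encoded X.509 (.CER)" format the
# Certificate Export Wizard produces.
$der   = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64   = [Convert]::ToBase64String($der)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"

$certPath = Join-Path $OutDir 'adfs-token-signing.cer'
# WriteAllText with ASCII avoids the UTF-8 BOM that Out-File may prepend, which breaks some PEM parsers.
[System.IO.File]::WriteAllText($certPath, $pem, [System.Text.Encoding]::ASCII)

# Sign In URL: the federation service's SAML 2.0 SSO endpoint.
$signInUrl = "https://$((Get-AdfsProperties).HostName)/adfs/ls/"

# Summary to hand over. Thumbprint and expiry are included so both sides can confirm they
# hold the same certificate and plan the next token-signing certificate rollover.
[pscustomobject]@{
    SignInUrl          = $signInUrl
    SigningCertificate = $certPath
    Thumbprint         = $cert.Thumbprint
    NotAfter           = $cert.NotAfter
}
```

Before sending the file, compare its thumbprint with the one shown in the AD FS console under Service → Certificates; if AD FS has automatic certificate rollover enabled, the certificate you export today will eventually be replaced, and the Auth0 connection will need the new one at that point.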