Benchling supports single sign-on for Active Directory users by integrating with Microsoft Active Directory Federation Services (ADFS). ADFS is a separate service provided by Microsoft that allows users to perform SAML login using Active Directory credentials.
The below instructions assume you have ADFS already set up.
Open the ADFS Management application, select the Relying Party Trusts folder, and select Actions > Add a new Standard Relying Party Trust to open the wizard and create a Relying Party Trust:
- Select Data Source: Choose "enter data about the relying party manually"
- Choose Profile: Choose "AD FS profile" (not "AD FS 1.0 and 1.1 profile")
- Configure Certificate: You do not need to specify a token encryption certificate (assertions are still signed with the ADFS token-signing certificate; only optional encryption of the assertion is skipped)
- Configure URL: Choose the SAML 2.0 option and set the SSO service URL to
- Configure Identifiers: Set this to
- Choose Issuance Authorization Rules: If you'd like all users to be able to access Benchling, choose "Permit all users to access this relying party"; otherwise, choose "Deny all users access to this relying party" (you'll then need to create issuance authorization rules to grant access).
At the end of the wizard, you'll be able to check an option to open the "Edit Claim Rules" dialog.
Add a new rule:
- Choose Rule Type: Send LDAP Attributes as Claims
- Configure Claim Rule: Give the rule a name, choose Active Directory as the attribute store, and configure the following mappings:
Add a second rule:
- Choose Rule Type: Transform an Incoming Claim
- Configure Claim Rule: For Incoming claim type choose E-Mail Address, for Outgoing claim type choose Name ID, and for Outgoing name ID format choose Email. Make sure Pass through all claim values is selected.
Advanced - identifying via sAMAccountName: the instructions above identify a user by email address. If users' email addresses can change, you can identify them by sAMAccountName instead. This is the user's Active Directory logon name; it is set for every user and, unlike an email address, normally does not change. To do this, configure the first rule to also send sAMAccountName as the Name ID, in place of the email-to-Name ID transform in the second rule.
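The same Relying Party Trust and claim rules can be created from the ADFS PowerShell module instead of the wizard. The script below is an added example written for this page, not code from Benchling or Microsoft. It assumes the ADFS module is available on the federation server, and the `$AcsUrl`, `$EntityId` values and the `Benchling` display name are placeholders: substitute the SSO service URL and identifier shown on Benchling's SAML Single Sign-On page. Only the `mail` attribute is mapped in the first rule, since that is the one the Name ID transform depends on; add any further attributes from the mapping table as extra (claim type, LDAP attribute) pairs. Setting `$UseSamAccountName` to `$true` switches to the sAMAccountName variant from the Advanced note.

```powershell
# Added example (not Benchling's or Microsoft's own code). Run as an ADFS admin
# on the federation server. Placeholders are marked below.
Import-Module ADFS

$AcsUrl   = 'https://REPLACE-WITH-BENCHLING-SSO-SERVICE-URL'   # placeholder
$EntityId = 'https://REPLACE-WITH-BENCHLING-IDENTIFIER'        # placeholder
$UseSamAccountName = $false   # $true = Name ID from sAMAccountName instead of email

# Claim type URIs used by the rules
$email   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameId  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$fmt     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$winAcct = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

if (-not $UseSamAccountName) {
    # Rule 1: "Send LDAP Attributes as Claims" - mail -> E-Mail Address.
    # Extend 'types' and the query (";mail,givenName;{0}") for more mappings.
    $rule1 = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send email as claim"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email"), query = ";mail;{0}", param = c.Value);
"@
    # Rule 2: "Transform an Incoming Claim" - E-Mail Address -> Name ID (format Email),
    # passing every claim value through unchanged.
    $rule2 = @"
@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "$email"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$fmt"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@
    $transformRules = $rule1 + "`n" + $rule2
} else {
    # Advanced variant: issue sAMAccountName directly as the Name ID; no transform rule.
    $transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send sAMAccountName as Name ID"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$nameId"), query = ";sAMAccountName;{0}", param = c.Value);
"@
}

# Issuance authorization: "Permit all users to access this relying party".
# Replace with narrower rules (or an access control policy) to restrict access.
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# SAML 2.0 assertion consumer endpoint (the "SSO service URL" from the wizard)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'Benchling' `
    -Identifier $EntityId `
    -ProtocolProfile SAML `
    -SamlEndpoint $acs `
    -EncryptClaims $false `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Check what was created before testing the login from Benchling
Get-AdfsRelyingPartyTrust -Name 'Benchling' |
    Select-Object Name, Identifier, Enabled, SignatureAlgorithm, IssuanceTransformRules
```

Two caveats when running this. On AD FS 2016 and later, access to a relying party is normally governed by an access control policy; if one is assigned to the trust, `-IssuanceAuthorizationRules` is ignored, so use `-AccessControlPolicyName 'Permit everyone'` (or a narrower policy) instead. The explicit `-SignatureAlgorithm` pins assertion signing to RSA-SHA256; older ADFS versions otherwise default to SHA-1, which you should avoid for new trusts.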
Return to SAML Single Sign-On and continue from Step 2.