Configuring SSO authentication with AD FS
Introduced in 2021.1
This article explains how to integrate Alloy Navigator Express with Microsoft's Active Directory Federation Service (AD FS) for single sign-on, so your users can sign in to Alloy Navigator Express with their AD domain credentials.
PREVIOUS STEP: Before you begin, see Managing single sign-on (SSO) providers for basic information and prerequisites.
First, you need to create an integration for your Alloy Navigator Express apps in
You will need this information for creating OIDC app integration. Other parameters are set by default, you can change them as required.
Sign-in redirect URIs
The sign-in redirect URI is the location where your
Alloy Navigator Express web apps (the Web App and Self Service Portal):
Alloy Navigator Express mobile apps (Alloy Navigator and Alloy Inventory Scanner):
Generate a shared secret
Copy and save the secret! It will not be available after you complete the registration.
Note that a single "Server application" group serves all your Alloy Navigator Express web apps, as shown in the screenshot below. Add a redirect URI for every Alloy Navigator Express web app instance you want to use SSO.
Configuring SSO for Alloy Navigator Express mobile apps requires creating a separate "Native application" group, as the screenshot below shows.
You will also need to add a "Web API" group, as shown below.
Note the Client Identifier and Secret values. You will use them later in the Alloy Navigator Express Settings App.
Client ID - the OpenID Connect client ID provided by
Client Secret - the client secret for the Alloy Navigator Express app provided by
Full Name Claim - the claim where
AD FSstores user full names. Alloy Navigator Express needs that claim for creating Person records for self-registering Self Service Portal customers. The default value is
User Name Claim - the claim where
AD FSstores usernames (email addresses); those usernames must match usernames (email addresses) in Alloy Navigator Express accounts. The default value is .
unp, for "User Principal Name."
To add an SSO Provider record for
In Alloy Navigator Express Settings, go to Accounts and Roles > SSO Providers and select New >
ADFSfrom the Module menu. The AD FSdialog box opens.
In the Name field,
keep the default name or specify a different one. Alloy Navigator Express users will see that name in their sign-in dialog as Sign in with [Name].
In the ADFS Domain field, enter the
AD FSdomain name for your org. It can look like
In the Authority field,
review the service endpoint URL path. Note that it must start with.
https://, because secured protocol is requited
Provide the credentials of your Alloy web apps from
Client ID - the unique identifier that Alloy apps will use when requesting an access token from
AD FS. This is the "Client Identifier" value that the AD FS configuration provides.
Client Secret - the secret string that the Alloy apps will use to prove its identity when requesting an access token from
AD FS. This is the "shared secret" that you copied and saved before.
When users sign in, their user information from
AD FSbecomes available to Alloy Navigator Express. By default, the claims that carry information about the user include the user's email address, name, and preferred username.
Typically, you can keep the default values in the Full Name Claim and the User Name Claim fields.
Click OK to save your record.