Configuring ADFS with Tracker for SAML SSO

This article helps customers who use ADFS as their IdP configure an application for Tracker, with the required claim rules, to enable SAML Single Sign-On with Tracker.

Tracker currently offers SAML SSO to customers who subscribe to an Enterprise plan. SSO and other Enterprise features are not currently available as part of the 30 Day Trial, Free, Startup, or Standard plans.

For more, please see Using SAML SSO with Tracker.

In the Server Manager:

Click the Tools menu, then select AD FS Management.

In the AD FS Manager:

  1. Expand Trust Relationships on the left, then select Relying Party Trusts.
  2. Under the Relying Party Trusts menu on the right, select Add Relying Party Trust…
  3. You’ll now be in the Add Relying Party Trust Wizard.

Add Relying Party Trust

  1. Click Start on the Welcome step.

  2. On the Select Data Source step, leave Import data about the relying party published online or on a local network selected. Then in the Federation metadata address (host name or URL) field, enter the following: https://www.pivotaltracker.com/auth/saml/metadata. Afterwards, click Next.

  3. On the Specify Display Name step, type in “Pivotal Tracker”, then click Next.

  4. On the next step, you can choose whether to Configure Multi-Factor Authentication - click Next when done.

  5. On the next step, you can choose to establish Issuance Authorization Rules - click Next when done.

  6. On the Ready to Add Trust step, leave https://www.pivotaltracker.com/auth/saml/metadata in the Relying party’s federation metadata URL: field, then click Next.

  7. On the Finish step, leave the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes box checked, then click Close.

  8. The Edit Claim Rules for Pivotal Tracker wizard should open by default.

Create Claim Rules for Pivotal Tracker

Defining required attributes

  1. In the Edit Claim Rules for Pivotal Tracker wizard, click Add Rule.

  2. In the Choose Rule Type step, select Send LDAP Attributes as Claims from the Claim rule template drop-down. Click Next.

  3. In the Configure Claim Rule step, we’ll define the custom user attributes that Tracker is expecting. Under Claim rule name, name the rule something like “Required attributes”, or whatever you deem appropriate. In the Attribute store drop-down, choose Active Directory.

  4. In the Mapping of LDAP attributes to outgoing claim types fields, choose the below LDAP Attributes and enter their corresponding Outgoing Claim Types. When done, click Finish.

- E-Mail-Addresses → `email`
- Surname → `last_name`
- Given-Name → `first_name`

Make a Name ID that’s persistent and will never change - here’s one way to do it:

  1. Start by adding another claim rule for Pivotal Tracker. In the Choose Rule Type step, select Send Claims Using a Custom Rule from the Claim rule template drop-down. Click Next.

  2. In the Configure Claim Rule step, name the claim rule (for example, “Persistent ID”), then enter the following into the Custom rule field and click Finish:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     => issue(store = "_OpaqueIdStore", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);


  3. Add an additional claim rule, name it (for example, “Persistent ID to Name ID”), then enter the following into the Custom rule field and click Finish:
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");


  4. You should now be ready to test IdP-initiated and SP-initiated login for Tracker.
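
When testing, the decoded assertion from a login can be checked for the three attributes defined above and for a Name ID that stays the same across logins. The Python below is an added example, not code from Tracker or Microsoft; its function names and the sample assertions are constructed for illustration, and it inspects claims only, without verifying the assertion signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "last_name", "first_name")  # outgoing claim types from the rule above


def inspect_assertion(xml_text):
    """Return (name_id, attributes, problems) for one decoded SAML 2.0 assertion.

    Claims are inspected only; the signature is NOT verified here.
    """
    root = ET.fromstring(xml_text)
    problems = []
    node = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else ""
    if not name_id:
        problems.append("missing NameID")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append("missing attribute: " + name)
    return name_id, attrs, problems


def name_id_is_persistent(first_login_xml, second_login_xml):
    """True when two logins by the same user carry the same non-empty NameID."""
    first = inspect_assertion(first_login_xml)[0]
    second = inspect_assertion(second_login_xml)[0]
    return bool(first) and first == second


def sample_assertion(name_id, attributes):
    """Constructed, unsigned sample assertion so the checks run offline."""
    attr_xml = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % (key, value) for key, value in attributes.items())
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>"
            "<saml:AttributeStatement>%s</saml:AttributeStatement>"
            "</saml:Assertion>" % (name_id, attr_xml))


if __name__ == "__main__":
    user = {"email": "pat@example.com", "last_name": "Lee", "first_name": "Pat"}
    login = sample_assertion("constructed-opaque-id-1", user)
    print(inspect_assertion(login)[2])  # problems found in a well-formed login
```

Run it against assertions captured from two separate test logins by the same account; a Name ID that differs between them means the persistent ID rules are not taking effect.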