Active Directory Federation Services (ADFS) allows you to integrate Day.io Single Sign-On (SSO) with Microsoft Active Directory.
By configuring ADFS as the identity provider, employees can access Day.io using the same credentials as their Windows domain.
This configuration is done in the ADFS console and complemented with adjustments on the Day.io SSO screen.
-
Open the ADFS console
In the ADFS manager, select Relying Party Trusts.
-
Add a new relying party trust
In the Action panel, click Add Relying Party Trust.
-
Start the wizard
In the add trust wizard, select Claims aware and click Start.
-
Enter Day.io metadata
Copy the Audience metadata URL displayed on the SSO configuration screen in Day.io (more details in this article).
In ADFS, paste this URL in the Federation metadata address field and click Next.
-
Name the trust
Set a name for the relying party trust; the recommended default is api.oitchau.com.br.
-
Set authentication methods
Select the allowed authentication methods and the users/groups who will have access.
-
Finish creation
Proceed to the end of the wizard and click Finish.
-
Edit the claims issuance policy
In Action, click Edit Claim Issuance Policy.
-
Send LDAP attributes as claims
Select Send LDAP attributes as claims.
-
Create the claim rule
Set a name for the rule; choose the Attribute Store and map E‑mail.
Finish and apply the settings.
-
Set up mapping in Day.io
On the Day.io SSO screen, under Fields mapping, add the claim
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressas the mapping for the email field.Click Save in Day.io.
-
Finish
After completing the steps, all users with an email from the configured domain will be able to access Day.io using their Active Directory credentials.
Configuring ADFS (video):
Tips and troubleshooting
Use
api.oitchau.com.bras the default name to facilitate future maintenance.Always map at least the email attribute so that Day.io can recognize the user.
Make sure the ADFS certificate is up to date to avoid trust errors.
Best practices
Test the integration with a user account before making it available to everyone.
Document all configured URLs and claims.
Restrict access only to groups that should use Day.io.
Frequently Asked Questions
Do I need to add more claims besides email? Only email is required; other fields are optional and depend on your company's access policy.
What happens if the ADFS certificate expires? You need to update the certificate in the ADFS console and in Day.io to maintain the integration.
Can I have more than one Relying Party Trust for Day.io? It is not recommended. Keep only one active configuration to avoid conflicts.
Comments
0 comments
Article is closed for comments.