There are two main parts to setting up AD FS 2.0 with Crowdicity.

First: AD FS 2.0 must be configured with certain rules and metadata provided by your Crowdicity community.

Second: Crowdicity must be given metadata from your AD FS 2.0 server so that various endpoints can be determined.

Note that the below instructions will need to be repeated twice: once for the desktop metadata and again for the mobile metadata.

In this article:

  • Setting up ADFS

  • Setting up Crowdicity for SAML2‐based login

  • Required assertions

  • Troubleshooting

  • Support


Setting up AD FS 2.0 / 3.0

You can retrieve the desktop metadata for your community here:
https://<your-community-URL-here>/saml/module.php/saml/sp/metadata.php/crowdsaml2

You can retrieve the mobile metadata for your community here- the URL depends on the region your community is hosted in:
UK: https://mobile.crowdicity.com/entityDescriptor.xml (link)
Australia: https://mobile.crowdicity.com.au/entityDescriptor.xml (link)
Ireland: https://mobile.crowdicity-ie.medallia.com/entityDescriptor.xml (link)
US: https://mobile.crowdicity-us1.medallia.com/entityDescriptor.xml (link)

Alternatively, the metadata can be downloaded by visiting your community, and going to the “Crowd Management” area. Once inside, Select “Settings” ­> “Authentication”. Scroll down to the SAMLv2 box, and choose “Get our metadata”.

In the popup window, click Click here to download SP metadata. Use this XML when configuring AD FS.

The following rules are also required for functioning with Crowdicity:

How to create the required rules

1. Create a rule to send LDAP attributes as claims with the following choices:

2. Create a rule to “Transform an Incoming Claim”

3. Set the incoming claim type to “E­Mail Address”, the “Outgoing claim type” to “Name ID” and the “Outgoing name ID format” to “Transient Identifier”


Setting up Crowdicity for SAML2‐based login


First, you'll need to collect your AD FS metadata from your server. The address is usually something like

https://<your-idp-url>/FederationMetadata/2007­-06/FederationMetadata.xml

but consult your documentation if this differs for your server.

Once you have the required metadata, follow the steps below:

1. From the Crowdicity Admin menu, select Community Settings then Authentication. On this screen, you can select the authentication methods your community will use, and the order that they are presented in.

The Crowdicity account login method can't be removed, however, it does not have to be the primary login method for your community. If you want SAMLv2 to appear first, you can choose the order in which each login method appears by clicking Order and selecting

2. Click Submit your metadata to pop up a new window, and then click Submit new metadata.


3. Paste your XML metadata into this box, and click submit. If the metadata is accepted, the screen will refresh and your endpoints will be listed, as in the example below.


4. Click Enable for the SAMLv2 option, and then to click Save at the bottom of the page.


Once this has been done, the Crowdicity login screen will present Organisation login as an option for users on the log in page:


Using this option will redirect users to your ADFS login screen and return them to Crowdicity upon a successful login.


Required assertions

Information about what assertions are required and the naming of them can be found here.


Troubleshooting

In most cases, if there is a problem with Single Sign On, Crowdicity will show an error page. The small text near the middle of the page will provide more details. Below are the most common errors.

1. Error: SimpleSAML_Error_Error: UNABLE TO VALIDATE SIGNATURE

Cause: This is caused by out of date or updated certificates.

Solution 1: Crowdicity updates certificates each year. To prevent having an out-of-date copy of Crowdicity’s certificate, we recommend you set your identity provider track our metadata via the URL rather than copying the XML directly. If that isn’t possible, you can re-download our metadata from the address specified in our set-up guide, and re-apply it.

Solution 2: If your certificate has changed, please retrieve an updated copy of your metadata and resubmit it to Crowdicity by following those steps in the set-up guide.

2. Error: sspmod_saml_Error: Responder

Cause: This is caused by an error on the Identity Provider. We’re unable to get any details on the error since it did not happen on our system.

Solution: Check the logs on your IdP for more detail.


Further Support

If you haven't found the answer you're looking for, please contact your Customer Support Manager or email us help.medallia.com with your community URL and the type of connection you're trying to establish.

Did this answer your question?