Step-by-Step Guide: Enable SSO for iChemistry using ADFS (SAML2)

This guide is only available in English and explains how to configure Single Sign-On (SSO) between your company’s Active Directory Federation Services (ADFS) and iChemistry using the SAML 2.0 protocol.

1. Prerequisites

Before starting, please make sure you have:

• Access to your organization’s ADFS Management Console (administrator permissions required).
• The following iChemistry SSO configuration details:

2. Add a New Relying Party Trust

1. Open ADFS Management on your ADFS server.
2. In the Actions pane, click Add Relying Party Trust...
3. The Add Relying Party Trust Wizard will open.
4. Choose Claims aware and click Start.
5. Select Enter data about the relying party manually → click Next.
6. Enter a name, e.g. iChemistry SSO.
7. (Optional) Add a description like “Single Sign-On integration for iChemistry via SAML2”.
8. Click Next.

3. Configure Identifiers and Endpoints

Identifiers (Entity ID)

• Click Add...
• Enter the following value:
• iChemistrySSO

Endpoints

1. Under “Configure URL”:
   • Check Enable support for the SAML 2.0 WebSSO protocol.
   • In Relying party SAML 2.0 SSO service URL, enter:
   • https://ichemistry.intersolia.com/SingleSignOn/Login
2. Click Next.
3. Under Relying party trust identifier, make sure the following is added:
4. iChemistrySSO

Click Next, then Next again to skip multi-factor options (unless your policy requires it).

4. Choose Access Control Policy

Select one of the following options:

• Permit everyone — if all users in your organization should be able to access iChemistry.
• Or Permit specific group — to restrict access to a specific AD group (e.g., “iChemistry Users”).

Click Next and then Close to finish the wizard.

5. Add Claim Rules

After the trust is created, the wizard will prompt to open the Edit Claim Issuance Policy window.
If it doesn’t open automatically, right-click your new relying party trust → Edit Claim Issuance Policy.

Now add the following claim rules, in order:

Rule 1: Send LDAP Attributes as Claims

1. Click Add Rule…
2. Select Send LDAP Attributes as Claims.
3. Click Next.
4. Enter rule name:
   Send user attributes
5. Configure as follows:

If your AD doesn’t have Employee-Number, you can skip that here and add a constant value in the next step.

Click Finish.

Rule 2: Transform Constant Claims (Optional Defaults)

1. Click Add Rule…
2. Select Send Claims Using a Custom Rule.
3. Click Next.
4. Name it Add constant claims.
5. Copy-paste this rule text:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]

 => issue(Type = "userRole", Value = "Read-only user"),

    issue(Type = "departmentId", Value = "SSO");

This ensures every user gets a default role (“Read-only user”) and department (“SSO”).
 These can later be updated manually in iChemistry.

Click Finish.

6. Verify Claim Output

Your final Claim Rules list should include:

1. Send user attributes
2. Add constant claims

All attributes must match exactly (case-sensitive):

7. Export Federation Metadata

1. In ADFS Management, expand Service → Endpoints → confirm /FederationMetadata/2007-06/FederationMetadata.xml exists.
2. Open your federation metadata URL in a browser, usually:
3. https://<your-adfs-domain>/FederationMetadata/2007-06/FederationMetadata.xml
4. Save the XML file and send it to your Intersolia contact.

8. Test and Verify

Once Intersolia confirms SSO is enabled:

1. Open the iChemistry login link (e.g. https://ichemistry.intersolia.com/main/returkraft).
2. You should be redirected to your ADFS login page.
3. After authentication, iChemistry will:
   • Create an account automatically (if none exists),
   • Assign it default permissions, and
   • Grant access.

9. Common Issues & Solutions

10. What Happens Next

After you send the Federation Metadata XML, Intersolia will complete configuration on the iChemistry side.
 Once finished, local logins for your domain will be disabled, and your users will authenticate via ADFS automatically.