Skip to content

Symbio SSO

Worked Example: Symbio & AD FS

The Microsoft ActiveDirectory Federation Services provide a SAML 2.0 Identity Provider (IdP) implementation which is backed by a company domain's Active Directory. The following example describes setting up Symbio as a Service Provider (SP) in and for AD FS.

AD FS and IdP will be used interchangeably, the same holds true for Symbio and SP.

Preparation of Active Directory

With respect to "User & Rights Management Considerations" start by creating appropriate UNIVERSAL (or at least global) user groups in ActiveDirectory (AD). AD FS will not transmit AD local user groups as group claims. Depending on your requirements you may have different user groups to create. The following is just an example.

  • SymbioViewers will be able to browse the Symbio database
  • SymbioAuthors will be able to edit parts of the Symbio database
  • SymbioApprovers will be allowed to approve elements in the release cycle
  • SymbioAnalysts will be able to run analysis extensions in the Symbio database
  • SymbioArchitects will be able to manage the architecture of elements in the Symbio database
  • SymbioAdmins will be able to administer the Symbio database (e.g. setting up user groups and permission sets)
  • SymbioViewers_HR will be able to browse HR processes
  • SymbioAuthors_HR will be able to edit HR processes
  • SymbioApprovers_HR will be able to approve HR processes
  • SymbioArchitects_HR will be able to manage HR architecture tasks

Next assign users to these user groups.

Configuration of Symbio in AD FS

Before actually creating Symbio as a relying parts trust in AD FS, decide which EntityID you will give to Symbio and under which URL Symbio will be available. For this example we use the following values:

  • Symbio EntityID:
  • Symbio URL:

In this case Symbio is available via a virtual subdirectory "/symbio-test/" and not directly on the subdomain root level.

Configure Relying Party Trust

Open the AD FS Management App and right-click on "AD FS/Trust Relationships/Relying Party Trusts", select "Add Relying Party Trust...", choose "Enter data about the relying party manually":

  • Display name: Symbio Test
  • Choose AD FS profile (not 1.0 nor 1.1)
  • Don't configure a certificate
  • Enable support for the SAML 2.0 WebSSO protocol
  • Relying party SAML 2.0 SSO service URL:
  • Relying party trust identifier:
  • Don't configure multi-factor authentication settings
  • Permit all users to access this relying party

Make sure that the configured Endpoints are POST and that Advanced is set to SHA-256 secure hash algorithm.

Configure Claim Rules

Add the following claim rules:

  1. Group Membership:
  2. Send Claims Using a Custom Rule
  3. Claim rule name: Group Membership
  4. Custom rule: c:[Type == "", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = (""), query = ";tokenGroups;{0}", param = c.Value);
  5. Group Filter:
  6. Send Claims Using a Custom Rule
  7. Claim rule name: Group Filter
  8. Custom rule: c:[Type == "", Value =~ "(?i)symbio"] => issue(claim = c);
  9. Basic Attributes:
  10. Send LDAP Attributes as Claims
  11. Claim rule name: Basic Attributes
  12. Attribute Store: Active Directory
  13. User-Principal-Name → UPN
  14. Surname → Surname
  15. Given-Name → Given Name
  16. E-Mail-Addresses → E-Mail-Address

Configuration of AD FS in Symbio

Download the Metadata XML file from your AD FS. If your AD FS resides on then the metadata should be available at

The medatata file is a text file containing XML, you can read it using Notepad/Editor.

Usually it starts with the tag which has an "entityID" attribute whose value is the IdP EntityID we need to configure Symbio.

Near the end you will find the elements, look for the one with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", its "Location" attribute value will be needed to configure Symbio.

Here are the values from the example metadata XML file:

  • entityID:
  • Location:

Setting up a new SAML Authentication Provider in Symbio

Login as an administrator to the database or collection for which you want to activate SAML login. For this example we will set up SAML login for database "GreenField" in collection "Testing", the corresponding URL is

Switch to the Admin section and there to Authentication Providers. Make sure that the root node is set to "Use local" and then add a new SAML Authentication Provider with ID "ADFS". Select it and adjust its details:

  • Translate (if you wish) - the ID stays "ADFS"
  • English: SSO Login
  • German: SSO Anmeldung
  • Standard role: Viewer
  • Group management: Yes
  • Symbio EntityID:
  • Symbio Host URL:
  • IdP EntityID:
  • IdP Metadata: (upload the XML file or link to it, see below)
  • IdP SSO service URL:
  • Enabled: Yes
  • Visible: Yes


If you like to hide a specific login, e.g. for external non-AD users, by switching "Visible" from Yes to No, you can still reach the site by using the auth provider login explicitely. Example: where "SamlLegacy" is your SamlAuthProviderId in Symbio.

Symbio on Premise

If your Symbio web server can reach your AD FS server, consider adding the Metadata XML file as a URL (see above) instead of downloading it from AD FS and then uploading it to Symbio. That way changes to the metadata (e.g. a new certficate) don't require manual updates to Symbio.

Symbio in Cloud

Don't add the Metadata XML file as an URL. The cloud server will most likely have no access to the AD FS server which runs on your internal network; Symbio won't be able to access the metadata and therefore will fail on every SAML login attempt.

Configure SAML User Groups and Permission Sets

The new provider is now live and usable. Currently all new users logging in via SAML are made Viewers. We need to set up user groups and permission sets for details rights management:

  1. Switch to the Admin area of your database/collection
  2. Select Permission Sets and create the following sets:
  3. SymbioViewers: ShowElement, OpenElement
  4. SymbioAuthors: ShowElement, OpenElement, EditElement, NewElement, DeleteElement
  5. SymbioApprovers: ShowElement, OpenElement, ApproveElement
  6. SymbioViewers_HR: ShowElement, OpenElement
  7. SymbioAuthors_HR: ShowElement, OpenElement, EditElement, NewElement, DeleteElement
  8. SymbioApprovers_HR: ShowElement, OpenElement, ApproveElement
  9. Switch back to the Admin area
  10. Select User Groups, create the following SAML user groups, and assign them the listed permission sets / application roles :
  11. SymbioViewers: SymbioViewers / Viewer
  12. SymbioAuthors: SymbioAuthors / Author
  13. SymbioApprovers: SymbioApprovers / Approver
  14. SymbioAnalysts: SymbioAuthors / Analyst
  15. SymbioArchitects: SymbioAuthors, SymbioApprovers / Architect
  16. SymbioAdmins: SymbioAuthors, SymbioApprovers, SymbioApprovers_HR / Administrator
  17. SymbioViewers_HR: SymbioViewers_HR / Viewer
  18. SymbioAuthors_HR: SymbioAuthors_HR / Author
  19. SymbioApprovers_HR: SymbioApprovers_HR / Approver
  20. SymbioArchitects_H: SymbioAuthors_HR, SymbioApprovers_HR / Approver

Finally, you can set up permissions for your processes and repositories.

Now a user logging in via SAML will receive all rights based on his AD group membership. Examples:

  • A user not member of any Symbio* user group will be assigned no permission sets, no user groups, and the default role of Viewer
  • A user who is a member of SymbioAdmins and SymbioAuthors will get the following assignments:
  • SAML user groups: SymbioAuthors, SymbioAdmins
  • Permission sets: SymbioAuthors, SymbioApprovers, SymbioApprovers_HR
  • Role: Administrator