Sign in with SSO is a feature available for customers on Enterprise / Custom Plans.
In order to set up your account for AD FS SSO, please follow these steps:
Note: The UI might differ slightly between versions of Windows Server and AD FS.
- Open the AD FS console, click "Add Relying Party Trust…" in the Actions pane, choose “Claims aware” and click Start in the wizard.
- Select "Enter data about the relying party manually", click Next.
- Enter Cloudinary as a display name, click Next.
- Select "AD FS profile", click Next.
- You won't need a token encryption cert, click Next.
- Check the box "Enable support for the SAML 2.0 WebSSO protocol", enter https://cloudinary.com/saml/consume in the "Relying party SAML 2.0 SSO service URL" box, and click Next.
- Enter your Cloudinary cloud name (available on the https://cloudinary.com/console Dashboard) in the "Relying party trust identifier" field, and click Next.
- Configure multi-factor authentication, or skip this step if it is not required.
- Select which users you permit to access Cloudinary, click Next. Please note that Cloudinary does not auto-provision users by default, so users that were not defined in the Cloudinary account will not have access even if you permit all users to access this app.
- Review, click Next, and then Close.
- Click “Edit Claim Issuance Policy…”
- Choose the Issuance Transform Rules tab and click "Add Rule…".
- Select Send LDAP Attributes as Claims and click Next.
- Enter a Claim rule name, such as Get Attributes, then set the Attribute store to Active Directory, type in E-Mail-Addresses for the first LDAP attribute and set its outgoing type to E-Mail Address. Click Finish when you are done.
- Click Add Rule… on the Issuance Transform Rules tab again.
- Select Transform an Incoming Claim and click Next.
- Enter a Claim rule name, such as Name ID Transform, set Incoming claim type to E-Mail Address, set Outgoing claim type to Name ID, and set Outgoing name ID format to Email. Select Pass through all claim values and click Finish.
- Click OK on the Edit Claim Rules dialog.
- Go to Trust Relationships > Relying Party Trusts and open the Properties dialog for Cloudinary. Select the Advanced tab, then change the secure hash algorithm to SHA-1 and click OK.
- Enabling Forms Authentication, as described next, is required only when it is not already enabled. Note that enabling Forms Authentication applies to all configured sites.
- Go to Authentication Policies and click Edit under Primary Authentication Global Settings.
- Under Intranet, check Forms Authentication and click OK. Alternatively, you can use forms as a fallback authentication method for Intranet using the following PowerShell command:
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication','FormsAuthentication')
- Obtain your metadata URL. In the screen that appears, under the 'Sign On' tab, there should be a link 'Identity Provider Metadata'. Copy that link (it should look like:
- Log in to your Cloudinary account. Under the Users tab of the Settings page (https://cloudinary.com/console/settings/users), paste in the metadata URL and save your changes.
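
The relying party trust settings from the steps above can be checked from PowerShell instead of by re-opening each dialog. The script below is an added example, not Cloudinary's or Microsoft's own code: Test-CloudinaryTrust is a hypothetical helper, and the sample trust object and the cloud name demo-cloud are constructed so it runs without an AD FS server. It assumes the two claim rules were created from the wizard templates named above, which store the LDAP query and the Name ID format in the rule text.

```powershell
# Added example. Test-CloudinaryTrust is a hypothetical helper, not an AD FS cmdlet.
function Test-CloudinaryTrust {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Trust,
        [Parameter(Mandatory)] [string] $CloudName
    )
    process {
        $acs   = 'https://cloudinary.com/saml/consume'
        $rules = [string]$Trust.IssuanceTransformRules
        # Each entry maps a setting from the steps above to a pass/fail result.
        $checks = [ordered]@{
            'Identifier is the cloud name'    = @($Trust.Identifier) -contains $CloudName
            'SAML consumer URL is set'        = [bool](@($Trust.SamlEndpoints) | Where-Object {
                "$($_.Protocol)" -eq 'SAMLAssertionConsumer' -and "$($_.Location)" -eq $acs })
            'No token encryption certificate' = $null -eq $Trust.EncryptionCertificate
            'Secure hash algorithm is SHA-1'  = "$($Trust.SignatureAlgorithm)" -like '*#rsa-sha1'
            'E-Mail-Addresses read from AD'   = $rules -match ';mail;' -and $rules -match 'claims/emailaddress'
            'Name ID sent in Email format'    = $rules -match 'claims/nameidentifier' -and
                                                $rules -match 'nameid-format:emailAddress'
        }
        foreach ($name in $checks.Keys) {
            [pscustomobject]@{ Check = $name; Pass = $checks[$name] }
        }
    }
}

# Constructed sample shaped like Get-AdfsRelyingPartyTrust output (not from a real server).
$sample = [pscustomobject]@{
    Identifier             = @('demo-cloud')
    SamlEndpoints          = @([pscustomobject]@{
        Protocol = 'SAMLAssertionConsumer'; Binding = 'POST'
        Location = 'https://cloudinary.com/saml/consume' })
    EncryptionCertificate  = $null
    SignatureAlgorithm     = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
    IssuanceTransformRules = @'
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
@RuleName = "Name ID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@
}
$sample | Test-CloudinaryTrust -CloudName 'demo-cloud' | Format-Table -AutoSize

# On the AD FS server, audit the real trust instead:
# Get-AdfsRelyingPartyTrust -Name 'Cloudinary' | Test-CloudinaryTrust -CloudName '<your cloud name>'
```

A failed row points at the wizard step to revisit; a trust whose rules were written by hand rather than from the templates may fail the two rule checks while still issuing the correct claims.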