Single Sign-On (e.g. LDAP, Shibboleth)

CivicReady can integrate with your Single Sign-On system, including LDAP, OpenLDAP, Active Directory (AD), SAML, CAS, and Shibboleth. The instructions below describe what we will need to complete the integration.

Please note: once the connection is established, you will need to make sure that a UserName is uploaded for all users if that is the attribute you are passing us for authentication.


To map the LDAP/AD authentication, we need:
  1. IP addresses enabled
  2. LDAP/AD connection details
  3. LDAP/AD account with read access
  4. Sample LDAP/AD entry.

CivicReady IP addresses to be Enabled:

Example of LDAP/AD Connection details:

Example 1:
CN=CivicReady Services,OU=Domain Users,DC=xxxxx,DC=local

Example 2:
IP: 2xx.xx.xx.xx:389
Username: CivicReady
Password: xxxxx
Base: DC=citylabs, DC=edu CN=Users CN Test case: citylabs\passw0rd

Whitelist CivicReady Emails

Please whitelist our email IP addresses found below:

CAS Setup

Please provide us with the CAS link and the test user/password for your CAS server so that we can test and implement.

We will be using this URL for connecting to your CAS. Please add/authorize this domain on your CAS server. (civicplus and coded name are examples; you need the coded name for your organization, which we provide during and after the implementation.)

SAML Setup & Shibboleth

Please create an issuer for CivicReady at your end; the assertion consumer service URL must be ( and issuer title ( Also, provide us with the IdP SSO URL and a test account.

Please provide a test user including the user name and password.

Configuring ADFS 2.0/3.0 to Communicate with SAML 2.0

ADFS Relying Party Configuration

  1. Open the ADFS Management console and select Relying Party Trusts.
  2. Select "Add Relying Party Trust…" from the top right corner of the window. (The add wizard appears.)
  3. Click Start to begin.
  4. Select "Enter data about the relying party manually".
  5. Give it a display name such as CivicReady and enter any notes you want.
  6. Select ADFS 3.0/2.0 Profile.
  7. You will be prompted to browse for a certificate to encrypt and decrypt the claims. Skip this step by pressing Next.
  8. Do not enable any settings on the Configure URL page.
  9. Enter the CivicReady Web site to which you connected as the Relying Party trust identifier. In this case use and click Add.
  10. Permit all users to access this relying party.
  11. Click Next and clear the Open the Claims when this finishes check box.
  12. Close this page. The new relying party trust appears in the window.
  13. Right-click on the relying party trust and select Properties.
  14. Browse to the Advanced tab and set the Secure hash algorithm to SHA-1.
  15. Browse to the Endpoints tab and add a SAML Assertion Consumer with a Post binding and a URL of

ADFS Relying Party Claim Rules

Edit the Claim rules to enable proper communication with CivicReady System.

  1. Right-click on the relying party trust and select Edit Claim Rules….
  2. On the Issuance Transform Rules tab select Add Rules….
  3. Select Send LDAP Attribute as Claims as the claim rule template to use.
  4. Give the claim a name such as Get LDAP Attributes.
  5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
  6. Select Finish.
  7. Select Add Rule….
  8. Select Transform an Incoming Claim as the claim rule template to use.
  9. Give it a name such as Email to Name ID. The Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1). The Outgoing claim type is Name ID (this is requested in CivicReady policy urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and the Outgoing name ID format is Email. Pass through all claim values and click Finish.
  10. If you edit the existing rules and click View Rule Language…, they should match the following:

Rule #1:

c:[Type == "", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = (""),
          query = ";mail;{0}", param = c.Value);

Rule #2:

c:[Type == ""]
 => issue(Type = "",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
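
A check on the outcome of the two claim rules above, added here as an example (it is not CivicReady or Microsoft code): it decodes a SAMLResponse value as delivered over the POST binding and reports whether the NameID carries the emailAddress format, whether the Destination matches the assertion consumer URL, and which signature algorithm was used. The sample response, host names and user are constructed placeholders, and the function inspects structure only; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed sample (placeholder hosts and user, signature value left out):
# the shape of a response an IdP posts to the assertion consumer service URL.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://sp.example.invalid/acs">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.invalid</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def audit_saml_response(b64_response, expected_acs):
    """Return findings for one base64 SAMLResponse form value (POST binding)."""
    # Structure check only: this does not verify the XML signature.
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    if root.get("Destination") != expected_acs:
        findings.append("Destination differs from the configured ACS URL")
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        # Rule #1 issues nothing for a user without a mail attribute,
        # so rule #2 has no claim to transform and no NameID is sent.
        findings.append("no NameID (user without mail attribute, or rule missing)")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append("NameID Format is not emailAddress")
        if "@" not in (name_id.text or ""):
            findings.append("NameID value is not an e-mail address")
    method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("no signature present")
    elif method.get("Algorithm") == RSA_SHA1:
        findings.append("signed with RSA-SHA1 (Advanced tab set to SHA-1)")
    return findings
```

Call `audit_saml_response(base64.b64encode(SAMPLE_XML.encode()), "https://sp.example.invalid/acs")` to run it on the constructed sample; with a real test login, pass the SAMLResponse form field captured from the browser and your own ACS URL.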

Single Logout Support

To create a SAML logout endpoint in your RP trust configuration in ADFS:

  1. Go to ADFS manager > Trust Relationships > Relying Party Trusts > properties.
  2. Under the Endpoints tab, click Add.
  3. Configure the settings:
    • Endpoint Type: SAML Logout
    • Binding: POST
    • URL:

Once you are done, please provide us with:

the metadata URL (for example):

the SSO URL (for example):

the LDAP Attribute/Outgoing Claim Type.

Also please provide CivicReady with a test account including the username and password in order for us to verify the implementation.

