- Open the AD FS management tool on your Windows server.
- Go to Trust Relationships -> Relying Party Trusts.
- In the Actions tab, click Add Relying Party Trust.
- Click Start.
- In the Select Data Source screen, select the last option, Enter Data About the Party Manually, and move on to the next page.
- Enter the preferred display name (e.g., Grammarly) and continue to the next screen.
- Choose the AD FS profile option and click Next.
- Leave the certificate settings at their defaults and proceed to the next step.
- Check the box labeled Enable Support for the SAML 2.0 WebSSO protocol and enter https://sso.grammarly.com/saml/assertion in the Relying party SAML 2.0 SSO service URL field.
- On the next screen, enter https://sso.grammarly.com/saml/metadata in the Relying party trust identifier field, click Add, and move on to the next page.
- Configure multi-factor authentication for Grammarly (optional).
- On the following page, choose Permit all users to access this relying party.
- Next, review the chosen settings and move to the final screen to close the wizard. By default, this action will open the Edit Claim Rules window.
- Click Add Rule, choose Send LDAP Attributes as Claims as the template, and map the LDAP attributes to outgoing claim types as follows:
  - E-Mail-Addresses -> EmailAddress
  - Given-Name -> FirstName
  - Surname -> LastName
  - E-Mail-Addresses -> E-Mail Address
- Click Finish to save the rule.
- Click Add Rule and select Transform an Incoming Claim as the template.
- On the next page, configure the rule as shown below:
  - Incoming claim type -> E-Mail Address
  - Outgoing claim type -> Name ID
  - Outgoing name ID format -> Email
- Click Finish to save the second rule and close the Edit Claim Rules window by clicking OK.
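The same relying party trust and the two claim rules, created from the AD FS PowerShell module instead of the wizard. This is an added example, not part of the Grammarly guide; it assumes you run it as an administrator on the primary AD FS server, and it uses the bare outgoing claim type names (EmailAddress, FirstName, LastName) exactly as the GUI mapping above enters them.

```powershell
# Added example: scripted equivalent of the "Add Relying Party Trust" wizard steps above.
# Assumptions: run elevated on the primary AD FS server; ADFS module available.
Import-Module ADFS

$rpName     = 'Grammarly'
$identifier = 'https://sso.grammarly.com/saml/metadata'   # Relying party trust identifier
$acsUrl     = 'https://sso.grammarly.com/saml/assertion'  # Relying party SAML 2.0 SSO service URL

# SAML 2.0 WebSSO endpoint: the signed assertion is delivered to Grammarly by HTTP POST.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

$winAccount  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$emailClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

# Rule 1: "Send LDAP Attributes as Claims" (mail, givenName, sn, mail -> the four outgoing types).
# Rule 2: "Transform an Incoming Claim" (E-Mail Address -> Name ID, name ID format Email).
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Grammarly attributes"
c:[Type == "$winAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("EmailAddress", "FirstName", "LastName", "$emailClaim"), query = ";mail,givenName,sn,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# "Permit all users to access this relying party" (issuance authorization rule).
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the trust is enabled and carries the identifier and rules you expect.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Enabled, Identifier, IssuanceTransformRules
```

On AD FS 2016 and later you can replace `-IssuanceAuthorizationRules` with `-AccessControlPolicyName 'Permit everyone'`; the result matches the wizard's "Permit all users" choice either way. Keeping the rules in a script makes it easy to diff the claim set later, which is the quickest way to spot an unexpected attribute being released to the relying party.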
Note: User management is handled in Active Directory. All Grammarly users should have the following fields filled out: First name, Last name, E-mail. For more information, please see this guide from Microsoft.
Now that the Grammarly relying party trust is active, you will need to pass the following three parameters to Grammarly in order to activate SSO in your account:
- Identity Provider Issuer
- SAML 2.0 Endpoint (HTTP)
- X.509 Certificate
The first two values depend only on your federation service domain (replace yourdomain.com with your own AD FS hostname):
- Identity Provider Issuer = http://yourdomain.com/adfs/services/trust
- SAML 2.0 Endpoint (HTTP) = https://yourdomain.com/adfs/ls
To locate the X.509 Certificate, please follow these steps:
- In the AD FS management tool, go to Service -> Certificates and open your primary token-signing certificate.
Note: Make sure that the certificate has a private key associated with it. For more information, please see this article from Microsoft.
- Go to the Details tab and click Copy to File.
- In the window that opens, click Next and choose No, do not export the private key.
- On the next page, choose the Base-64 encoded X.509 option and click Next.
- Enter the preferred file name and save location, and click Finish on the next page to complete the export.
- Open the exported file in a text editor and pass the contents to Grammarly along with the two parameters mentioned above. For more information on how to do this, please see step 2 of this article.
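The following script collects the three values Grammarly asks for and exports the primary token-signing certificate in Base-64 X.509 form without its private key, with the private-key check from the note above built in. It is an added example, not part of the Grammarly guide or Microsoft's documentation; it assumes you run it as an administrator on the primary AD FS server, and the output file path is illustrative.

```powershell
# Added example: gather Identity Provider Issuer, SAML 2.0 Endpoint (HTTP) and the
# token-signing certificate for Grammarly. Assumes an elevated session on the primary AD FS server.
Import-Module ADFS

$props       = Get-AdfsProperties
$issuer      = $props.Identifier                       # e.g. http://yourdomain.com/adfs/services/trust
$ssoEndpoint = "https://$($props.HostName)/adfs/ls"    # e.g. https://yourdomain.com/adfs/ls

# The primary token-signing certificate is the one Grammarly uses to validate assertion signatures.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } | Select-Object -First 1
if (-not $signing) { throw 'No primary token-signing certificate found.' }
$cert = $signing.Certificate

# Mirrors the note above: AD FS cannot sign assertions without the private key.
if (-not $cert.HasPrivateKey) {
    throw "Token-signing certificate $($cert.Thumbprint) has no private key associated with it."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires on $($cert.NotAfter); Grammarly will need the new certificate when it rolls over."
}

# Base-64 encoded X.509 (PEM). RawData is the public certificate only, so the
# private key is never written to disk, matching "No, do not export the private key".
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
$outFile = Join-Path $env:USERPROFILE 'Desktop\adfs-token-signing.cer'   # illustrative path
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# The three parameters to pass to Grammarly, plus the thumbprint for your own records.
[PSCustomObject]@{
    'Identity Provider Issuer' = $issuer
    'SAML 2.0 Endpoint (HTTP)' = $ssoEndpoint
    'X.509 Certificate file'   = $outFile
    'Thumbprint'               = $cert.Thumbprint
}
```

The script prints the same issuer and endpoint values the two formulas above give you, but taken from the live federation service configuration, so a typo in the hostname cannot slip into the Grammarly side. Record the thumbprint: if AD FS automatic certificate rollover later replaces the token-signing certificate, Grammarly will reject assertions until it receives the new public certificate.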