Skip to content
Scalekit Docs

Microsoft AD FS

This guide walks you through configuring Single Sign-On (SSO) with Microsoft Active Directory Federation Services (AD FS) as your Identity Provider.

Before you begin

Section titled “Before you begin”

To successfully set up AD FS SAML integration, you’ll need:

  • Elevated access to your AD FS Management Console
  • Access to the Admin Portal of the application you’re integrating Microsoft AD FS with

Configuration steps

Section titled “Configuration steps”

  1. Begin the configuration

    Section titled “Begin the configuration”

    Choose Microsoft AD FS as your identity provider

    Download Metadata XML file so that you can configure AD FS Server going forward

  2. Open AD FS Management Console

    Section titled “Open AD FS Management Console”
    • Launch Server Manager
    • Click ‘Tools’ in the top menu
    • Select ‘AD FS Management’

  3. Create a Relying Party Trust

    Section titled “Create a Relying Party Trust”
    • In the left navigation pane, expand ‘Trust Relationships’
    • Right-click ‘Relying Party Trusts’
    • Select ‘Add Relying Party Trust’
    • Click ‘Start’ to begin the configuration

  4. Configure Trust Settings

    Section titled “Configure Trust Settings”
    • Select ‘Claims aware’ as the trust type
    • Choose ‘Enter data about the relying party manually’
    • Click ‘Next’ to proceed

    Import the Metadata XML file that you downloaded earlier

  5. Set Display Name

    Section titled “Set Display Name”
    • Enter a descriptive name for your application (e.g., “ExampleApp”)
    • Click ‘Next’ to continue

  6. Configure Access Control

    Section titled “Configure Access Control”
    • Select an appropriate access control policy
    • For purposes of this guide, select ‘Permit everyone’
    • Click ‘Next’ to proceed

  7. Review Trust Configuration

    Section titled “Review Trust Configuration”
    • Verify the following settings:
      • Monitoring configuration
      • Endpoints
      • Encryption settings
    • Click ‘Next’ to continue

    The wizard will complete with the ‘Edit Claim Issuance Policy’ option automatically selected

  8. Create Claim Rules

    Section titled “Create Claim Rules”
    • Click ‘Add Rule’ to create a new claim rule
    • Select ‘Send LDAP Attributes as Claims’ template

  9. Map User Attributes

    Section titled “Map User Attributes”
    • Enter a descriptive rule name (e.g., “Example App”)
    • Configure the following attribute mappings:
      • E-Mail-Addresses → E-Mail Address
      • Given-Name → Given Name
      • Surname → Surname
      • User-Principal-Name → Name ID
    • Click ‘Finish’ to complete the mapping

  10. Complete Admin Portal Configuration

    Section titled “Complete Admin Portal Configuration”
    • Navigate to Identity Provider Configuration in the Admin Portal
    • Select “Configure Manually”
    • The above endpoints are AD FS endpoints. You can find them listed in AD FS Console > Service > Endpoints > Tokens and Metadata sections. Enter these required details:
      • Microsoft AD FS Identifier: http://<your-adfs-server-domain>/adfs/services/trust
      • Login URL: http://<your-adfs-server-domain>/adfs/ls
      • Certificate:
        1. Access Federation Metadata URL
        2. Locate the text after the first X509Certificate tag
        3. Copy and paste this certificate into the “Certificate” field
    • Click “Update” to save the configuration

  11. Test the Integration

    Section titled “Test the Integration”
    • In the Admin Portal, click “Test Connection”
    • You will be redirected to the AD FS login page
    • Enter your AD FS credentials
    • Verify successful redirection back to the Admin Portal with the correct user attributes

  12. Enable Connection

    Section titled “Enable Connection”
    • Click on Enable Connection
    • This will let all your selected users login to the new application via your AD FS SSO