Microsoft AD FS

This guide walks you through configuring Single Sign-On (SSO) with Microsoft Active Directory Federation Services (AD FS) as your Identity Provider.

To successfully set up AD FS SAML integration, you’ll need:

  • Elevated (administrator) access to the AD FS Management console on your AD FS server
  • Access to the Admin Portal of the application you’re integrating with Microsoft AD FS

    Choose Microsoft AD FS as your identity provider

    In the Admin Portal, select Microsoft AD FS as the identity provider and download the Metadata XML file (the application’s SAML service provider metadata). You will import this file into AD FS in the steps that follow, so keep it at hand.

    Start the Add Relying Party Trust wizard

    • Launch Server Manager
    • Click ‘Tools’ in the top menu
    • Select ‘AD FS Management’
    • In the left navigation pane, expand ‘Trust Relationships’ (on Windows Server 2016 and later, ‘Relying Party Trusts’ appears directly under ‘AD FS’)
    • Right-click ‘Relying Party Trusts’
    • Select ‘Add Relying Party Trust’
    • Click ‘Start’ to begin the configuration

    Select the trust type and the data source

    • Select ‘Claims aware’ as the trust type and click ‘Next’
    • On the ‘Select Data Source’ page, choose ‘Import data about the relying party from a file’ and browse to the Metadata XML file you downloaded from the Admin Portal. Do not choose ‘Enter data about the relying party manually’: that option is for applications that cannot supply metadata, and it would leave you typing the identifier, endpoints and encryption certificate by hand, with no check that they match what the application actually published
    • Click ‘Next’ to proceed

    Name the trust

    • Enter a descriptive name for your application (e.g., “ExampleApp”)
    • Click ‘Next’ to continue

    Choose an access control policy and review the trust

    • Select an appropriate access control policy
    • For purposes of this guide, select ‘Permit everyone’. Be aware that this lets every account that can authenticate to AD FS obtain a token for the application; once the connection is working, tighten it to a policy such as ‘Permit specific group’ so that only the intended users can sign in
    • Click ‘Next’ to proceed
    • On the ‘Ready to Add Trust’ page, verify the settings that were imported from the metadata file:
      • Monitoring configuration
      • Endpoints (the SAML Assertion Consumer Service URL(s) the application published; they must be HTTPS URLs on the application’s own domain)
      • Encryption settings (the application’s encryption certificate, if it published one)
    • Click ‘Next’ to continue

    Configure the claim issuance policy

    The wizard will complete with the ‘Configure claims issuance policy for this application’ option selected, which opens the ‘Edit Claim Issuance Policy’ dialog for the new trust

    • Click ‘Add Rule’ to create a new claim rule
    • Select the ‘Send LDAP Attributes as Claims’ template and click ‘Next’
    • Enter a descriptive rule name (e.g., “Example App”)
    • Set ‘Attribute store’ to ‘Active Directory’
    • Configure the following attribute mappings (LDAP Attribute → Outgoing Claim Type):
      • E-Mail-Addresses → E-Mail Address
      • Given-Name → Given Name
      • Surname → Surname
      • User-Principal-Name → Name ID
    • Click ‘Finish’ to complete the mapping, then ‘OK’ to save the policy
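    The same relying party trust created with the AD FS PowerShell module instead of the wizard, which is handy for repeatable deployments and for checking exactly what was imported from the metadata. This is an added example and not part of the original guide: the metadata path, the trust name “ExampleApp” and the rule name are assumed, and the claim rule is the claim-rule-language form of the ‘Send LDAP Attributes as Claims’ template with the four mappings above.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell session
# on the AD FS server (Windows Server 2016 or later, where access control policies exist).
Import-Module ADFS

$MetadataFile = 'C:\Temp\ExampleApp-metadata.xml'   # assumed: SP metadata downloaded from the Admin Portal
$TrustName    = 'ExampleApp'                         # assumed display name

# Claim-rule-language equivalent of the 'Send LDAP Attributes as Claims' template:
#   E-Mail-Addresses -> E-Mail Address, Given-Name -> Given Name,
#   Surname -> Surname, User-Principal-Name -> Name ID
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Example App"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,givenName,sn,userPrincipalName;{0}", param = c.Value);
'@

# Equivalent of the wizard: claims-aware trust, data imported from the metadata file,
# 'Permit everyone' access control policy, and the claim rule above.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataFile $MetadataFile `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $IssuanceRules

# Equivalent of the 'Ready to Add Trust' review page: confirm the identifier, SAML endpoints
# and encryption certificate really came from the application's metadata.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SamlEndpoints, EncryptionCertificate, AccessControlPolicyName

# Once the connection is verified, restrict who may sign in, e.g.:
# Set-AdfsRelyingPartyTrust -TargetName $TrustName -AccessControlPolicyName 'Permit specific group' `
#     -AccessControlPolicyParameters 'CONTOSO\ExampleApp Users'   # assumed group name
```

    The Identifier property returned at the end is the entity ID the application sends in its AuthnRequest; if it does not match what the Admin Portal shows for the application, AD FS will reject sign-in requests with an unknown relying party error.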

    Configure the Admin Portal

    • Navigate to Identity Provider Configuration in the Admin Portal
    • Select “Configure Manually”
    • The following values are AD FS endpoints. You can find them in the AD FS console under Service > Endpoints (the ‘Token Issuance’ and ‘Metadata’ sections) and, for the identifier, under ‘Edit Federation Service Properties’. Enter these required details:
      • Microsoft AD FS Identifier: http://<your-adfs-server-domain>/adfs/services/trust (the default Federation Service identifier; it uses the http scheme even though AD FS itself is only served over HTTPS, and it must match the entityID in the federation metadata exactly)
      • Login URL: https://<your-adfs-server-domain>/adfs/ls (the SAML 2.0 single sign-on endpoint; this must be HTTPS, since AD FS does not serve it over plain HTTP)
      • Certificate: the AD FS token-signing certificate, which the application uses to verify the signature on the SAML responses AD FS issues
        1. Open the federation metadata URL, https://<your-adfs-server-domain>/FederationMetadata/2007-06/FederationMetadata.xml
        2. Locate the X509Certificate element inside the KeyDescriptor with use="signing" under IDPSSODescriptor. The metadata also contains the token-decrypting certificate (use="encryption") and the certificate that signs the metadata document itself, so do not simply take the first X509Certificate you see; pasting the wrong one makes every login fail signature validation. You can confirm the thumbprint against Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server
        3. Copy and paste the Base64 certificate text into the “Certificate” field
    • Click “Update” to save the configuration
    • AD FS renews its token-signing certificate automatically (every year by default, when AutoCertificateRollover is enabled), so repeat the certificate step when it rolls over, or logins will start failing
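    Extracting the three values from the federation metadata with PowerShell, so that the certificate you paste is the token-signing one rather than whichever X509Certificate happens to appear first in the file. This is an added example and not part of the original guide; the hostname adfs.example.com is assumed, and the script can run on any Windows machine that can reach the AD FS metadata endpoint.

```powershell
# Added example, not from the original guide. Assumed AD FS hostname: adfs.example.com
$AdfsHost    = 'adfs.example.com'
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

[xml]$Metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Identifier: the entityID of the root EntityDescriptor
# (http://<host>/adfs/services/trust unless the Federation Service identifier was changed).
$Identifier = $Metadata.DocumentElement.GetAttribute('entityID')

# Login URL: the SAML 2.0 SingleSignOnService endpoint. AD FS publishes HTTP-Redirect and
# HTTP-POST bindings at https://<host>/adfs/ls/; the Redirect binding is selected here.
$LoginUrl = $Metadata.SelectSingleNode(
    "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']",
    $ns).GetAttribute('Location')

# Certificate: only KeyDescriptor use="signing" under IDPSSODescriptor holds the token-signing
# certificate. The same file carries use="encryption" (token-decrypting) descriptors and the
# certificate inside <ds:Signature> that signs the metadata, so "first X509Certificate in the
# file" is not a safe rule. During rollover AD FS lists both the current and the next signing
# certificate, hence SelectNodes rather than SelectSingleNode.
$SigningCerts = $Metadata.SelectNodes(
    "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
    $ns) | ForEach-Object {
        $b64  = $_.InnerText -replace '\s', ''
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [Convert]::FromBase64String($b64))
        # PEM form, in case the Admin Portal's Certificate field expects the BEGIN/END wrapper
        $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint   # compare with Get-AdfsCertificate -CertificateType Token-Signing
            NotAfter   = $cert.NotAfter     # when this passes, the pasted certificate must be replaced
            Base64     = $b64
            Pem        = (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`n"
        }
    }

[pscustomobject]@{ Identifier = $Identifier; LoginUrl = $LoginUrl }
$SigningCerts | Format-List Subject, Thumbprint, NotAfter, Pem
```

    If more than one signing certificate is listed, paste the one whose thumbprint matches the primary token-signing certificate reported by Get-AdfsCertificate; the other is the next certificate queued by automatic rollover.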

    Test the connection

    • In the Admin Portal, click “Test Connection”
    • You will be redirected to the AD FS login page
    • Enter your AD FS credentials
    • Verify that you are redirected back to the Admin Portal and that the user attributes (e-mail address, given name, surname and Name ID) arrive with the expected values. If the sign-in fails, check the AD FS Admin event log on the AD FS server (Event Viewer > Applications and Services Logs > AD FS > Admin) for the rejection reason

    Enable the connection

    • Click “Enable Connection”
    • This lets all of your selected users log in to the new application via your AD FS SSO