Microsoft AD FS

Step-by-step guide to configure Single Sign-on with Microsoft Active Directory Federation Services (AD FS) as your Identity Provider.

1. Choose Identity Provider

Choose Microsoft AD FS as your identity provider to begin the configuration in the Admin Portal.

Choose Identity Provider

Download the Metadata XML file; you will import it into AD FS in step 4 to create the relying party trust.

Download Metadata XML

2. Open AD FS Management Console

Search for 'AD FS Management' in the start menu and open it.

3. Create Relying Party Trust

In the left navigation pane, expand 'AD FS'

  • Right-click 'Relying Party Trusts'
  • Select 'Add Relying Party Trust'

AD FS Management Console

  • Select 'Claims aware' as the trust type and click 'Next'

4. Configure Federation Metadata File

Choose 'Import data about the relying party from a file'

  • Click 'Browse' and select the Metadata XML file you downloaded earlier
  • Click 'Next' to proceed

Select Data Source

5. Set Display Name

Enter a descriptive name for the application you are integrating with (e.g., "ExampleApp") and click 'Next' to continue

Specify Display Name

6. Configure Access Control

Select an appropriate access control policy

  • For this guide, select 'Permit everyone', which allows any user who can authenticate to AD FS to sign in to the application
  • Before going to production, replace it with a policy scoped to the users who actually need the application (for example 'Permit specific group'), and require MFA where the application warrants it
  • Click 'Next' to proceed

7. Review Trust Configuration

Verify the following settings:

  • Monitoring configuration
  • Endpoints
  • Encryption settings
  • Click 'Next' to continue

Review Trust Configuration

The wizard will complete with the 'Claim Issuance Policy' option automatically selected.

Edit Claim Issuance Policy

8. Create Claim Rules

Click 'Add Rule' to create a new claim rule

  • Select 'Send LDAP Attributes as Claims' template

Create Claim Rule

Configure LDAP Attribute Mapping

9. Map User Attributes

Enter a descriptive rule name (e.g., "Example App")

  • Configure the following attribute mappings:
    • E-Mail-Addresses → E-Mail Address
    • Given-Name → Given Name
    • Surname → Surname
    • User-Principal-Name → Name ID
  • Click 'OK' to complete the mapping and then 'Apply' changes

Map User Attributes
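The trust and claim rule that steps 3 to 9 build through the wizard can also be created from the AD FS PowerShell module, which is useful for repeatable or scripted deployments. The following is an added example for this guide, not code from the original page or a Microsoft sample; the metadata file path and display name are assumptions, and the AccessControlPolicyName parameter requires Windows Server 2016 or later.

```powershell
# Added example for this guide (not from the original page or Microsoft):
# the relying party trust and LDAP claim rule that steps 3-9 build through the
# wizard, created with the AD FS PowerShell module on the AD FS server.
# The metadata path and display name are assumptions.

Import-Module ADFS

$displayName  = 'ExampleApp'                       # step 5, Display Name
$metadataFile = 'C:\Temp\ExampleApp-metadata.xml'  # metadata XML downloaded in step 1

# Step 9 in claim rule language. This is the text the "Send LDAP Attributes as
# Claims" template generates: each LDAP attribute is issued as the matching
# outgoing claim type (E-Mail Address, Given Name, Surname, Name ID).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Example App"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,givenName,sn,userPrincipalName;{0}", param = c.Value);
'@

# Steps 3-6: a claims-aware trust imported from the metadata file, with the
# access control policy the guide uses. 'Permit everyone' lets any
# authenticated AD user reach the application; for production use a policy
# such as 'Permit specific group' scoped to the application's users.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataFile $metadataFile `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $transformRules

# Step 7: review what the import produced (identifier, SAML endpoints,
# encryption certificate, signed-request requirement, claim rules) before
# handing the trust to users.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, EncryptionCertificate,
                  SignedSamlRequestsRequired, IssuanceTransformRules |
    Format-List
```

On Windows Server 2012 R2, which has no access control policies, replace `-AccessControlPolicyName` with `-IssuanceAuthorizationRules` and the permit-all rule `=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");`. The final Get-AdfsRelyingPartyTrust call is the scripted equivalent of the review in step 7: check that Identifier matches the application's entityID and that an encryption certificate appears only if the application published one.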

10. Complete Admin Portal Configuration

Navigate to Identity Provider Configuration in the Admin Portal

  • Select "Configure Manually"
  • Enter these required details:
    • Microsoft AD FS Identifier: http://<YOUR_AD_FS_SERVER_DOMAIN>/adfs/services/trust
      This is the Federation Service identifier (the entityID in the federation metadata), not an address that is fetched; AD FS uses the http:// form by default even though the service itself is HTTPS-only. It must match the metadata value character for character.
    • Login URL: https://<YOUR_AD_FS_SERVER_DOMAIN>/adfs/ls
      AD FS only accepts sign-on requests over HTTPS, so the Login URL must use https://.
    • Certificate: the AD FS Token-signing certificate, which the application uses to verify the signature on the assertions AD FS issues.
      1. Access https://<YOUR_AD_FS_SERVER_DOMAIN>/FederationMetadata/2007-06/FederationMetadata.xml
      2. Locate the X509Certificate element inside the KeyDescriptor element with use="signing" under IDPSSODescriptor. The first X509Certificate in the file, in the metadata's own Signature block, is normally this same certificate. If two signing certificates are listed, AD FS is in the middle of a certificate rollover; use the one marked Primary under AD FS Management > Service > Certificates > Token-signing
      3. Copy and paste this base64 text into the "Certificate" field
  • Click "Update" to save the configuration

Update Configuration

The above values are AD FS endpoints. You can find them listed in AD FS Management > Service > Endpoints under the Token Issuance and Metadata sections. Note that AD FS renews the Token-signing certificate automatically when AutoCertificateRollover is enabled (the default); when the primary certificate changes, the Certificate field here must be updated or signature verification on the application side will fail.
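Rather than reading the three values of step 10 out of the metadata by hand, they can be pulled from it programmatically. The following is an added example for this guide, not code from the original page: it fetches the federation metadata, prints the identifier and login URL it declares, extracts every published token-signing certificate, and, when run on the AD FS server, confirms which one is the current primary Token-signing certificate before emitting it in PEM form for the Certificate field. The host name is an assumption.

```powershell
# Added example for this guide, not code from the original page.
# Reads the AD FS federation metadata and prints the identifier, login URL
# and token-signing certificate that step 10 asks for. The host name below
# is an assumption; replace it with <YOUR_AD_FS_SERVER_DOMAIN>.

$adfsHost    = 'adfs.example.com'
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# AD FS only serves metadata over HTTPS; Invoke-WebRequest validates the TLS
# certificate, so a name mismatch or untrusted issuer fails here, not later.
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}

# "Microsoft AD FS Identifier" is the entityID (http://... by default, even
# though the service is HTTPS-only); the application must match it exactly.
$identifier = $metadata.EntityDescriptor.entityID

# "Login URL" is the HTTP-Redirect SingleSignOnService endpoint (https://.../adfs/ls).
$loginUrl = (Select-Xml -Xml $metadata -Namespace $ns -XPath (
    "//md:IDPSSODescriptor/md:SingleSignOnService" +
    "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']")).Node.Location

# The certificate the application needs is the one AD FS signs assertions with:
# <KeyDescriptor use="signing"> under <IDPSSODescriptor>. During certificate
# rollover AD FS publishes two, so collect all of them.
$signingCerts = @(Select-Xml -Xml $metadata -Namespace $ns -XPath (
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']" +
    "/ds:KeyInfo/ds:X509Data/ds:X509Certificate") | ForEach-Object {
        $der = [Convert]::FromBase64String(($_.Node.InnerText -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    })

function ConvertTo-Pem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $b64 = [Convert]::ToBase64String($Certificate.RawData,
        [System.Base64FormattingOptions]::InsertLineBreaks)
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
}

"Microsoft AD FS Identifier : $identifier"
"Login URL                  : $loginUrl"
foreach ($cert in $signingCerts) {
    "Signing certificate        : $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
}

# On the AD FS server itself, confirm which of the published certificates is the
# primary Token-signing certificate and emit only that one for the portal field.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    $match   = $signingCerts | Where-Object { $_.Thumbprint -eq $primary.Thumbprint }
    if (-not $match) {
        throw "Metadata does not contain the primary Token-signing certificate ($($primary.Thumbprint)); check for stale or cached metadata."
    }
    "Primary Token-signing certificate (paste into the Certificate field):"
    ConvertTo-Pem -Certificate $match
} else {
    "Not running on the AD FS server; certificate(s) published in metadata:"
    $signingCerts | ForEach-Object { ConvertTo-Pem -Certificate $_ }
}
```

If the Login URL printed here differs from what was entered in the Admin Portal (in particular, if an http:// value was entered), correct the portal entry; AD FS will not serve /adfs/ls over plain HTTP. The thumbprint comparison is the check to repeat after any Token-signing certificate rollover.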

11. Test the Integration

In the Admin Portal, click "Test Connection"

  • You will be redirected to the AD FS login page
  • Enter your AD FS credentials
  • Verify that you are redirected back to the Admin Portal and that the user attributes (Name ID, e-mail address, given name, surname) match the mapping configured in step 9

Test Integration

Verification

After completing the configuration, test the SSO integration by:

  1. Logging out of your application
  2. Attempting to log in using the SSO option
  3. Verifying you're redirected to AD FS and can authenticate successfully
