
Microsoft AD FS

Step-by-step guide to configuring single sign-on with Microsoft AD FS as the identity provider

1. Choose identity provider

Choose Microsoft AD FS as your identity provider to begin the configuration in the admin portal.

Choose Identity Provider

Download the Metadata XML file. It describes the application as a relying party (its identifier and endpoints), and you will import it into AD FS in step 4.

Download Metadata XML

2. Open AD FS management console

Search for 'AD FS Management' in the start menu and open it.

3. Create relying party trust

In the left navigation pane, expand 'AD FS':

  • Right-click 'Relying Party Trusts'
  • Select 'Add Relying Party Trust'

AD FS Management Console

  • Select 'Claims aware' as the trust type and click 'Next'

4. Configure federation metadata file

Choose 'Import data about the relying party from a file'

  • Click 'Browse' and select the Metadata XML file you downloaded earlier
  • Click 'Next' to proceed

Select Data Source

5. Set display name

Enter a descriptive name for the application you are integrating with (e.g., "ExampleApp") and click 'Next' to continue

Specify Display Name

6. Configure access control

Select an appropriate access control policy

  • For this guide, select 'Permit everyone'. This lets every account that can authenticate to AD FS sign in to the application; it is fine for getting the trust working, but for production choose 'Permit specific group' (or another restricting policy) so only the intended users reach the application, and revisit this setting before the connection is enabled in step 12
  • Click 'Next' to proceed

7. Review trust configuration

Verify the following settings, then click 'Next' to continue:

  • Monitoring configuration
  • Endpoints
  • Encryption settings

Review Trust Configuration

The wizard completes with the 'Claim Issuance Policy' option automatically selected; leave it selected so the claim rule editor opens when the wizard closes.

Edit Claim Issuance Policy

8. Create claim rules

Click 'Add Rule' to create a new claim rule

  • Select 'Send LDAP Attributes as Claims' template

Create Claim Rule

Configure LDAP Attribute Mapping

9. Map user attributes

Enter a descriptive rule name (e.g., "Example App") and leave the attribute store set to Active Directory

  • Configure the following mappings (LDAP Attribute → Outgoing Claim Type):
    • E-Mail-Addresses → E-Mail Address
    • Given-Name → Given Name
    • Surname → Surname
    • User-Principal-Name → Name ID
  • Click 'OK' to complete the mapping and then 'Apply' the changes

The Name ID mapping means the user's UPN (for example user@corp.example.com) is the subject identifier the application receives and matches accounts on, so the application must expect a UPN there. E-Mail-Addresses is the AD mail attribute; for accounts where it is empty, AD FS simply issues no e-mail claim rather than failing.
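The relying party trust from steps 3 to 9 can also be created with the AD FS PowerShell module, which is useful for repeatable deployments and for seeing exactly which access policy and claim rules a trust carries. The script below is an added example, not code from the original guide or from the application vendor. It assumes AD FS on Windows Server 2016 or later (needed for access control policies) and an elevated session on a federation server; the display name, metadata path and group name are placeholders, and GroupParameter is the parameter name of the built-in 'Permit specific group' policy.

```powershell
# Added example (not from the original guide): create the relying party trust of
# steps 3-9 with the AD FS PowerShell module. Requires Windows Server 2016+ AD FS
# (for -AccessControlPolicyName) and an elevated session on a federation server.
# Placeholders (assumptions, not from the page): $DisplayName, $MetadataFile, $AllowedGroup.
param(
    [string]$DisplayName  = "ExampleApp",
    [string]$MetadataFile = "C:\sso\ExampleApp-metadata.xml",   # the Metadata XML downloaded in step 1
    [string]$AllowedGroup = ""                                  # e.g. "CONTOSO\ExampleApp-Users"; empty keeps "Permit everyone"
)

Import-Module ADFS

# Step 9 in claim rule language: one "Send LDAP Attributes as Claims" rule that maps
# mail -> E-Mail Address, givenName -> Given Name, sn -> Surname, userPrincipalName -> Name ID.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Example App"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,givenName,sn,userPrincipalName;{0}", param = c.Value);
'@

# Steps 3-6: a claims-aware trust imported from the relying party's metadata file.
# "Permit everyone" is the guide's test setting: every account that can authenticate
# to AD FS may reach the application.
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -MetadataFile $MetadataFile `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $issuanceRules

# Hardened alternative for production: limit the trust to one AD group instead of everyone.
if ($AllowedGroup) {
    Set-AdfsRelyingPartyTrust -TargetName $DisplayName `
        -AccessControlPolicyName "Permit specific group" `
        -AccessControlPolicyParameters @{ GroupParameter = $AllowedGroup }
}

# Step 7 review from the shell: identifier, endpoints, encryption and the policy actually applied.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, AccessControlPolicyName, EncryptClaims, SamlResponseSignature,
        @{ n = 'SamlEndpoints'; e = { ($_.SamlEndpoints | ForEach-Object { "$($_.Binding) $($_.Location)" }) -join '; ' } }
```

Run it once with $AllowedGroup empty to reproduce the guide exactly, then rerun with a group to switch the policy; the final Get-AdfsRelyingPartyTrust output is the place to confirm that the Identifier matches the entityID in the application's metadata and that the trust is not still on 'Permit everyone' when it goes live.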

Map User Attributes

10. Complete admin portal configuration

Navigate to Identity Provider Configuration in the Admin Portal.

  • Select "Configure Manually"
  • Enter these required details:
    • Microsoft AD FS Identifier: http://<YOUR_AD_FS_SERVER_DOMAIN>/adfs/services/trust
      This is the Federation Service identifier (the entityID in the federation metadata). It is an identifier string, not an address the browser visits, so it keeps the http:// scheme even though AD FS itself only serves HTTPS. Enter it exactly as AD FS reports it, scheme and trailing characters included, because the application compares it with the Issuer of every incoming token.
    • Login URL: https://<YOUR_AD_FS_SERVER_DOMAIN>/adfs/ls
      AD FS serves its sign-on endpoint over HTTPS only; an http:// login URL does not work, and would carry the SAML exchange in the clear if it did.
    • Certificate: the AD FS token-signing certificate, which the application uses to verify the signature on every token AD FS issues:
      1. Access https://<YOUR_AD_FS_SERVER_DOMAIN>/FederationMetadata/2007-06/FederationMetadata.xml
      2. Locate the <X509Certificate> element inside <KeyDescriptor use="signing"> under <IDPSSODescriptor>. The first <X509Certificate> in the file (inside the document's own <ds:Signature>) normally holds the same value, because AD FS signs its metadata with the token-signing key, but the signing KeyDescriptor is the authoritative place. Do not use the use="encryption" certificate.
      3. Copy and paste the Base64 text of that certificate into the "Certificate" field
  • Click "Update" to save the configuration

Before saving, compare the certificate's thumbprint with the primary token-signing certificate shown in AD FS Management > Service > Certificates. If the metadata lists two signing certificates, a rollover is in progress; use the primary one. AD FS replaces the token-signing certificate automatically by default (AutoCertificateRollover, about once a year), and the copy held by the application must be updated when that happens, otherwise sign-ins fail with a signature validation error.

Update Configuration

These are AD FS endpoints. The same values are listed in AD FS Management > Service > Endpoints, under the Tokens and Metadata sections, and in the federation metadata document itself.
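Step 10 copies three values out of the federation metadata by hand. The script below is an added example, not part of the original guide or any vendor's code; it reads the same metadata document and extracts the identifier, login URL and token-signing certificate by XML path, selecting the certificate from the signing KeyDescriptor instead of counting X509Certificate tags. It assumes that $AdfsHost is a placeholder you replace with your farm's FQDN and that the metadata endpoint is reachable over HTTPS from where the script runs.

```powershell
# Added example (not from the original guide): read the three values of step 10 from the
# AD FS federation metadata by XML path instead of copying them by hand.
# Assumption: $AdfsHost is a placeholder for your farm's FQDN; the script only needs HTTPS
# access to that host and does not have to run on the AD FS server itself.
param(
    [string]$AdfsHost = "adfs.example.com"
)

$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# "Microsoft AD FS Identifier" = the entityID. It is an identifier, not a URL, and keeps its
# http:// scheme even though every real AD FS endpoint is HTTPS; copy it verbatim.
$entityId = $md.DocumentElement.GetAttribute("entityID")

# "Login URL" = the SAML 2.0 HTTP-Redirect SingleSignOnService of the IdP role (https://.../adfs/ls).
$ssoXPath = "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']"
$loginUrl = $md.SelectSingleNode($ssoXPath, $ns).GetAttribute("Location")

# "Certificate" = the token-signing certificate(s): KeyDescriptor use="signing" under the IdP role.
# The use="encryption" certificate is not it, and "the first X509Certificate tag" only gives the
# right answer because AD FS signs the metadata with the same token-signing key.
$certXPath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$signing = foreach ($node in $md.SelectNodes($certXPath, $ns)) {
    $der  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    [pscustomobject]@{
        Subject    = $cert.Subject
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter           # when this passes, step 10 must be repeated with the new cert
        Thumbprint = $cert.Thumbprint         # compare with AD FS Management > Service > Certificates
        Base64     = $node.InnerText.Trim()   # the text that goes into the "Certificate" field
    }
}

"AD FS Identifier : $entityId"
"Login URL        : $loginUrl"
"Signing certificates found: $(@($signing).Count)  (2 means a rollover is in progress; use the primary one)"
$signing | Format-List Subject, NotBefore, NotAfter, Thumbprint

# On a federation server, confirm which certificate is primary before pasting it:
#   Get-AdfsCertificate -CertificateType Token-Signing | Select-Object IsPrimary, Thumbprint
```

The Base64 property of the selected certificate is what goes into the "Certificate" field; NotAfter tells you when the application's copy will stop validating tokens, which is the date to put a reminder on if AutoCertificateRollover is enabled.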

11. Test connection

Click 'Test Connection'. If everything is configured correctly, you will see a Success response as shown below.

If the connection fails, the screen shows the error, its cause, and a suggested fix. Check first that the Login URL and identifier match what AD FS reports character for character, and that the certificate is the current primary token-signing certificate.

Test SSO configuration

12. Enable connection

Click 'Enable Connection'. From then on, all the users you selected can log in to the new application through your AD FS SSO.

Enable SSO Connection
