Microsoft AD FS

Step-by-step guide to configure single sign-on with Microsoft ADFS as the identity provider

This guide walks you through configuring Microsoft AD FS as your SAML identity provider for the application you are onboarding, enabling secure single sign-on for your users. You'll learn how to set up an enterprise application, configure SAML settings to the host application. By following these steps, your users will be able to seamlessly authenticate using their Microsoft AD FS credentials.

1. Choose identity provider

Choose Microsoft AD FS as your identity provider to begin the configuration in admin portal.

Download Metadata XML file so that you can configure AD FS Server going forward.

2. Open AD FS management console

Search for 'AD FS Management' in the start menu and open it.

3. Create relying party trust

In the left navigation pane, expand 'ADFS'

Right-click 'Relying Party Trusts'
Select 'Add Relying Party Trust'

Select 'Claims aware' as the trust type and click 'Next'

4. Configure federation metadata file

Choose 'Import data about the relying party from a file'

Click 'Browse' and select the Metadata XML file you downloaded earlier
Click 'Next' to proceed

5. Set display name

Enter a descriptive name for the application you are integrating with (e.g., "ExampleApp") and click 'Next' to continue

6. Configure access control

Select an appropriate access control policy

For this guide, select 'Permit everyone'
Click 'Next' to proceed

7. Review trust configuration

Verify the following settings:

Monitoring configuration
Endpoints
Encryption settings
Click 'Next' to continue

The wizard will complete with the 'Claim Issuance Policy' option automatically selected.

8. Create claim rules

Click 'Add Rule' to create a new claim rule

Select 'Send LDAP Attributes as Claims' template

Configure Attribute Mapping — Configure LDAP Attribute Mapping

9. Map user attributes

Enter a descriptive rule name (e.g., "Example App")

Configure the following attribute mappings:
- E-Mail-Addresses → E-Mail Address
- Given-Name → Given Name
- Surname → Surname
- User-Principal-Name → Name ID
Click 'OK' to complete the mapping and then 'Apply' changes

10. Complete admin portal configuration

Navigate to Identity Provider Configuration in the Admin Portal

Select "Configure Manually"
Enter these required details:
- Microsoft AD FS Identifier: http://<YOUR_AD_FS_SERVER_DOMAIN>/adfs/services/trust
- Login URL: http://<YOUR_AD_FS_SERVER_DOMAIN>/adfs/ls
- Certificate:
  1. Access https://<YOUR_AD_FS_SERVER_DOMAIN>/FederationMetadata/2007-06/FederationMetadata.xml
  2. Locate the text after the first X509Certificate tag
  3. Copy and paste this certificate into the "Certificate" field
Click "Update" to save the configuration

The above endpoints are AD FS endpoints. You can find them listed in AD FS Console > Service > Endpoints > Tokens and Metadata sections

11. Test connection

Click on Test Connection. If everything is done correctly, you will see a Success response as shown below.

If the connection fails, you'll see an error, the reason for the error, and a way to solve that error right on the screen.

12. Enable connection

Click on Enable Connection. This will let all your selected users login to the new application via your AD FS SSO.

1. Choose identity provider​

2. Open AD FS management console​

3. Create relying party trust​

4. Configure federation metadata file​

5. Set display name​

6. Configure access control​

7. Review trust configuration​

8. Create claim rules​

9. Map user attributes​

10. Complete admin portal configuration​

11. Test connection​

12. Enable connection​