
Microsoft AD FS - SAML

Learn how to configure Microsoft AD FS as a SAML identity provider for secure single sign-on (SSO) with your application.

This guide walks you through configuring Single Sign-On (SSO) with Microsoft Active Directory Federation Services (AD FS) as your Identity Provider.

To successfully set up AD FS SAML integration, you’ll need:

  • Elevated access to your AD FS Management Console
  • Access to the Admin Portal of the application you’re integrating Microsoft AD FS with
  1. In the Admin Portal, choose Microsoft AD FS as your identity provider

    Download the application's Metadata XML file (its SAML service provider metadata); you will import it into AD FS in the next steps

    • Launch Server Manager
    • Click ‘Tools’ in the top menu
    • Select ‘AD FS Management’
    • In the left navigation pane, expand ‘Trust Relationships’
    • Right-click ‘Relying Party Trusts’
    • Select ‘Add Relying Party Trust’
    • Click ‘Start’ to begin the configuration

    • Select ‘Claims aware’ as the trust type
    • Choose ‘Import data about the relying party from a file’
    • Click ‘Next’ to proceed

    Import the Metadata XML file that you downloaded earlier

    • Enter a descriptive name for your application (e.g., “ExampleApp”)
    • Click ‘Next’ to continue

    Set display name step in the AD FS relying party trust wizard

    • Select an appropriate access control policy
    • For purposes of this guide, select ‘Permit everyone’; in production, scope the trust to a group (for example ‘Permit specific group’) so that creating the trust does not grant every AD user access to the application
    • Click ‘Next’ to proceed
    • Review the settings imported from the metadata file:
      • Monitoring (the metadata URL AD FS will poll for updates, if one was provided)
      • Endpoints (the application's Assertion Consumer Service URL; it should be an https:// address)
      • Encryption (the application's encryption certificate, if it published one)
    • Click ‘Next’ to continue

    Review trust configuration screen in the AD FS wizard

    The wizard will complete with the ‘Configure claims issuance policy for this application’ option automatically selected

  2. Navigate to ‘Relying Party Trusts’, select the trust you just created, then click ‘Edit Claim Issuance Policy’ in the right-hand Actions pane

    Click ‘Add Rule’ to create a new claim rule

    Select ‘Send LDAP Attributes as Claims’ template

    • Enter a descriptive rule name (e.g., “Example App”)
    • Configure the following attribute mappings:
      • E-Mail-Addresses → E-Mail Address
      • Given-Name → Given Name
      • Surname → Surname
      • User-Principal-Name → Name ID
    • Click ‘Finish’ to complete the mapping
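    The same relying party trust and claim rule as in steps 1 and 2, created from PowerShell on the AD FS server instead of through the wizard. This is an added example and not part of the original guide; it assumes the application's metadata was saved as C:\sso\ExampleApp-metadata.xml, uses the display name “ExampleApp” from the guide, and the group name in the commented alternative is hypothetical.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell
# session on the AD FS server. Assumptions: the SP metadata file path, the trust
# name "ExampleApp", and the hypothetical group "CONTOSO\SSO-ExampleApp-Users".
Import-Module ADFS

$TrustName    = "ExampleApp"
$MetadataFile = "C:\sso\ExampleApp-metadata.xml"   # assumed path of the downloaded metadata

# Step 1: claims-aware relying party trust imported from the metadata file.
# Equivalent to the wizard's "Import data about the relying party from a file".
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataFile $MetadataFile `
    -AccessControlPolicyName "Permit everyone"

# Production alternative to "Permit everyone": restrict sign-in to one AD group.
# Set-AdfsRelyingPartyTrust -TargetName $TrustName `
#     -AccessControlPolicyName "Permit specific group" `
#     -AccessControlPolicyParameters @{ GroupParameter = @("CONTOSO\SSO-ExampleApp-Users") }

# Step 2: the "Send LDAP Attributes as Claims" rule in the AD FS claim rule
# language. The LDAP attributes in "query" are issued, in order, as the claim
# types listed in "types": mail -> E-Mail Address, givenName -> Given Name,
# sn -> Surname, userPrincipalName -> Name ID.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Example App"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";mail,givenName,sn,userPrincipalName;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $Rules

# Review what was created: identifier, SAML endpoints, encryption certificate
# and the issuance rules, the same items the wizard asks you to verify.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SamlEndpoints, EncryptionCertificate, IssuanceTransformRules |
    Format-List
```

    Keeping the rule text in source control makes it easy to diff the claim issuance policy later, which is how you notice that someone widened the query or changed the Name ID source attribute.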

    • Navigate to Identity Provider Configuration in the Admin Portal
    • Select “Configure Manually”
    • The following values are AD FS endpoints. You can find them in the AD FS Console under Service > Endpoints (Token Issuance and Metadata sections), or in the federation metadata. Enter these required details:
      • Microsoft AD FS Identifier: http://<your-adfs-server-domain>/adfs/services/trust (this is the federation service identifier, an opaque URI used as the SAML issuer; AD FS defaults it to the http:// form even though nothing is fetched from it, and it must match the entityID in the metadata exactly)
      • Login URL: https://<your-adfs-server-domain>/adfs/ls (the SingleSignOnService endpoint; always https)
      • Certificate:
        1. Open the Federation Metadata URL, by default https://<your-adfs-server-domain>/FederationMetadata/2007-06/FederationMetadata.xml
        2. Locate the token-signing certificate: the X509Certificate element inside the IDPSSODescriptor's KeyDescriptor with use="signing". The metadata also contains the encryption certificate and the certificate used to sign the metadata document itself, so do not simply take the first X509Certificate in the file
        3. Copy the base64 text of that element and paste it into the “Certificate” field
    • Click “Update” to save the configuration
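    A way to pull the three values above out of the federation metadata instead of copying them by hand. This is an added example, not part of the original guide: the host name adfs.example.com is assumed, the metadata path is the AD FS default, and the inline metadata document is a constructed, shortened sample with placeholder certificate bodies so the parsing can be tried offline; swap in the live download for real use.

```powershell
# Added example (not from the original guide). Extracts Identifier, Login URL and
# token-signing certificate from AD FS federation metadata. Assumptions: the host
# name, the default metadata path, and a constructed sample document below.
$AdfsHost    = "adfs.example.com"   # assumed federation service FQDN
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Live download (uncomment on a machine that can reach the AD FS server):
# [xml]$Metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

# Constructed offline sample: certificate bodies are placeholders, not real certs.
[xml]$Metadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="http://$AdfsHost/adfs/services/trust">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIC...METADATA-SIGNATURE-KEYINFO...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...ENCRYPTION-CERT...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...TOKEN-SIGNING-CERT...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://$AdfsHost/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://$AdfsHost/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

$ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Identifier: the entityID. It is an opaque URI (http:// by AD FS default) that
# the application compares byte for byte against the Issuer of each assertion.
$Identifier = $Metadata.DocumentElement.GetAttribute("entityID")

# Login URL: the HTTP-POST SingleSignOnService inside the IDPSSODescriptor.
$LoginUrl = $Metadata.SelectSingleNode(
    "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']",
    $ns).GetAttribute("Location")

# Certificate: the token-signing cert is KeyDescriptor use="signing" under the
# IDPSSODescriptor. The first X509Certificate in the file belongs to the
# document signature's KeyInfo, and the encryption cert is also present, so a
# blind "first match" can pick the wrong key and break signature validation.
$SigningCert = $Metadata.SelectSingleNode(
    "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
    $ns).InnerText.Trim()

# Sanity checks before pasting anything into the Admin Portal.
if ($LoginUrl -notmatch '^https://') { throw "Login URL must be HTTPS, got: $LoginUrl" }
if (-not $SigningCert)               { throw "No signing certificate found in IDPSSODescriptor" }

[pscustomobject]@{
    Identifier  = $Identifier
    LoginUrl    = $LoginUrl
    Certificate = $SigningCert
}
```

    With a real download, compare the extracted certificate against the output of Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server; if AD FS has automatic certificate rollover enabled, the metadata can list a second, not-yet-primary signing certificate, and the application will need the new one before the rollover date.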

    • In the Admin Portal, click “Test Connection”
    • You will be redirected to the AD FS login page
    • Enter your AD FS credentials
    • Verify that you are redirected back to the Admin Portal and that the email address, given name, surname and Name ID shown match the user you signed in as

    • Click “Enable Connection”
    • This lets all of the users selected in the Admin Portal (subject to the access control policy set on the AD FS trust) log in to the application via AD FS SSO