SSO: ADFS

This article describes how to configure ADFS as your workplace's single sign-on identity provider (IdP). This process involves making modifications to ADFS as well as your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their ADFS credentials.

To follow this process, you must be an ADFS administrator and a workplace administrator in your digital workplace.

Configuring ADFS single sign-on

Enable Forms Authentication in ADFS

Forms Authentication must be enabled in ADFS before it can issue a SAML assertion to your digital workplace. For more information about Forms Authentication, see Configure the AD FS server for claims-based authentication (Microsoft).

  1. Log on to the ADFS server with administrator credentials.
  2. Open the ADFS management console and select Authentication Policies.

    The Authentication Policies window.

  3. On the Authentication Policies Overview page, select Edit.

    The edit button.

  4. Under Intranet, ensure that Forms Authentication is selected. Select it if it isn't.

    The Forms Authentication option.

Create a Relying Party Trust in ADFS

A Relying Party Trust is required to allow ADFS to identify your workplace as a resource partner organization. For more information, see Create a Relying Party Trust (Microsoft).

  1. On the Select Data Source page in ADFS, select the option Enter data about the relying party manually.

    The Enter data about the relying party manually option.

  2. On the Specify Display Name page, enter the workplace URL as the Display Name.

    The display name.

  3. On the Choose Profile page, select the ADFS version to use. If you are using Windows 2003 or older, select ADFS 1.0 and 1.1; otherwise keep the default, ADFS profile.

    The profile page options.

  4. On the Configure Certificate page, select Next without adding an encryption certificate. The assertion must be unencrypted.
  5. On the Configure URL page, select Enable support for the SAML 2.0 WebSSO protocol. If the box next to it is unchecked, the setting is not enabled; select the box to enable it.

    The Enable support for the SAML 2.0 WebSSO protocol option.

  6. Still on the Configure URL page, enter your workplace's SAML endpoint URL in the text field Relying party SAML 2.0 SSO service URL. This will take the form: http://{your workplace URL}/saml.digest.

    The service URL field.

  7. On the Configure Identifiers page, enter your workplace's SAML endpoint URL as the Relying party trust identifier. This will always take the form: http://{your workplace URL}/saml.digest.

    The party trust identifier field.

  8. On the Choose Issuance Authorization Rules page, select Permit all users to access the relying party.

    The Permit all users to access the relying party option.

  9. Review the settings, and select Finish. Selecting Finish automatically opens the claim rules area, which is typically the next step in setting up ADFS as your Identity Provider.

Create Claim Rules in ADFS

Claim Rules control what information is passed in the SAML assertion to your workplace. These must pass first name, last name, email and NameID values. For more information, see Configure the AD FS server for claims-based authentication (Microsoft).

  1. Select the Edit Claim Rules option found in ADFS, and then click Add Rule.

    The Add Rule button.

  2. Select the rule template Send LDAP Attributes as Claims.

    The claim rule template selector.

  3. Give the rule a name.

    The claim rule name field.

  4. Select the Active Directory (AD) as the attribute store.

    The attribute store selector.

  5. Map AD attributes to outgoing claims. The LDAP Attribute dropdown lets you select specific attributes from AD; map each one to an outgoing claim type. For optimal results, provide the following mappings:
    • Given-Name to FName
    • Surname to LName
    • Email Addresses to Email
    • Email Addresses to NameID
  6. Select Finish to create these claims.

Where to find Signing Token / X.509 Certificate

A connection requires an ADFS token-signing certificate that's passed in the assertion. This certificate is also referred to as the X.509 Certificate. To find this certificate within ADFS, navigate to Service and select Certificates. Download the Token-signing certificate and open it in a text editor to view it. For more information, see ADFS Certificates - SSL, Token Signing, and Client Authentication Certs (Microsoft).

The list of certificates.

Configuring your digital workplace's single sign-on

  1. Go to your digital workplace and sign in.
  2. Select Control Panel.
  3. Under Membership, select Sign In Settings.
  4. Select Configure SAML Authentication.
  5. Configure the settings as described in the Configuration settings table below.
  6. Select Save.
Configuration settings

Connection Name

Enter a name for this connection. If you configure Sign in Settings to Use SAML button on Sign in screen, this name will be displayed on the button.

IdP Login URL

Enter the IdP Login URL associated with your ADFS configuration.

This will typically look like this:

https://servername.yourdomain.com/adfs/ls/idpinitiatedsignon.aspx
IdP Logout URL

Enter the IdP Logout URL associated with your ADFS configuration.

This will typically look like this:

https://servername.yourdomain.com/adfs/ls/idpinitiatedsignon.aspx/?wa=wsignout1.0
Logout Response and Request HTTP Type

Select Basic.

Logout Final Redirect URL

Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage.

Binding Type

Select POST.

Public Certificate

Copy and paste the X.509 Certificate from your ADFS configuration. You may need to open the certificate file using a text editor.

Identity Provider

Select Microsoft ADFS.

If you are using ADFS 4.0, select Other.

Identifier Type

Select Email Address.

Identifier Path

Only available if Identity Provider is Other.

Enter /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="NameID"]/saml:AttributeValue.

Session Index Path

Only available if Identity Provider is Other.

Enter /samlp:Response/saml:Assertion/saml:AuthnStatement.

Email Path/Attribute

Enter /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="Email"]/saml:AttributeValue.

This assumes you created the claim rules as described above in Configuring ADFS single sign-on.

First Name Path/Attribute

Enter /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="FName"]/saml:AttributeValue.

This assumes you created the claim rules as described above in Configuring ADFS single sign-on.

Last Name Path/Attribute

Enter /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="LName"]/saml:AttributeValue.

This assumes you created the claim rules as described above in Configuring ADFS single sign-on.

Drift Time

Enter 5.

User creation on Sign in

Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace.

Options include:

  • Create a new user in your site when they sign in (Users will be added to manage members on sign in)
  • Do not create new users when they sign in (Users not in manage members will be denied access)

When creating new users in your digital workplace this way, they will be created with the following details:

  • First Name (from First Name Path)
  • Last Name (from Last Name Path)
  • Email Address (from Email Path) 
  • CustomIdentifier (from Identifier Path if the Identifier Type is Custom Identifier) 
  • Membership to the All Members group.

If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.).

If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts.

Sign in Settings

Select how users sign in to your workplace.

Options include:

  • Use SAML button on "Sign in" screen
  • Redirect all users to IdP

For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly.

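The paths in the settings table tell the workplace where to read each value from the SAML Response that ADFS posts to the saml.digest endpoint. The following Python script is an added example, not the digital workplace's own code, showing what that lookup does: it applies the Email, First Name, Last Name, Identifier and Session Index paths to a constructed, unsigned sample response carrying the FName, LName, Email and NameID claims from the claim rules above, and applies the Drift Time allowance to the assertion's NotBefore/NotOnOrAfter window. Two assumptions are labelled in the code: the table's paths are absolute (/samlp:Response/...) while xml.etree only evaluates relative paths, so they are applied relative to the Response element, and the Drift Time value of 5 is taken to be minutes.

```python
"""Apply the workplace's SAML attribute paths to a sample ADFS response.

Added example, not product code. The response below is constructed for
illustration and is unsigned; a real service provider must verify the XML
Signature against the ADFS token-signing (X.509) certificate before it
trusts any value read here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (hypothetical issuer and user).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T11:00:00Z"/>
    <saml:AuthnStatement AuthnInstant="2024-01-15T10:00:00Z" SessionIndex="_s1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="FName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="NameID"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The table's paths start with /samlp:Response; xml.etree evaluates paths
# relative to an element, so the leading step is dropped (assumption).
ATTRIBUTE_PATH = ('saml:Assertion/saml:AttributeStatement/'
                  'saml:Attribute[@Name="{name}"]/saml:AttributeValue')
SESSION_INDEX_PATH = "saml:Assertion/saml:AuthnStatement"
CONDITIONS_PATH = "saml:Assertion/saml:Conditions"

# Field name in the workplace profile -> claim name from the ADFS claim rules.
PROFILE_CLAIMS = (
    ("first_name", "FName"),
    ("last_name", "LName"),
    ("email", "Email"),
    ("identifier", "NameID"),
)


def _single(root, path):
    """Return the one node matching path; ambiguity is treated as an error
    so a second copy of an attribute can never override the first."""
    nodes = root.findall(path, NS)
    if len(nodes) != 1:
        raise ValueError(f"expected exactly one match for {path}, got {len(nodes)}")
    return nodes[0]


def extract_profile(xml_text):
    """Read the fields the settings table maps, plus the session index."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("document root is not a samlp:Response")
    profile = {}
    for field, claim in PROFILE_CLAIMS:
        profile[field] = (_single(root, ATTRIBUTE_PATH.format(name=claim)).text or "").strip()
    profile["session_index"] = _single(root, SESSION_INDEX_PATH).get("SessionIndex")
    return profile


def _parse_instant(value):
    """SAML instants are UTC; ADFS may include fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def conditions_valid(xml_text, now_instant, drift_minutes=5):
    """Check NotBefore/NotOnOrAfter, widened by the Drift Time allowance.
    Assumption: the table's Drift Time value of 5 is interpreted as minutes."""
    cond = _single(ET.fromstring(xml_text), CONDITIONS_PATH)
    drift = timedelta(minutes=drift_minutes)
    not_before = _parse_instant(cond.get("NotBefore"))
    not_on_or_after = _parse_instant(cond.get("NotOnOrAfter"))
    now = _parse_instant(now_instant)
    return not_before - drift <= now < not_on_or_after + drift


if __name__ == "__main__":
    print(extract_profile(SAMPLE_RESPONSE))
    print("within window:", conditions_valid(SAMPLE_RESPONSE, "2024-01-15T10:30:00Z"))
```

The lookup insists on exactly one match per path: if an assertion carried two Email attributes, the workplace could otherwise bind the sign-in to whichever copy the path happened to return first, so rejecting the response is the safer failure mode. The drift check widens the validity window symmetrically by the configured allowance, which is why a small value such as the recommended 5 is preferable to a large one.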