Setup SAML SSO on AD FS
Written by Ian Mitchell
Updated over a week ago

This article goes over how to set up Single Sign-On (SAML SSO) with AD FS.

Notes:

  • This document is based on the Windows Server 2019 platform

  • AD FS does not support SCIM

Open “AD FS Management”

  • Click “Start”, search for “AD FS”, then select “AD FS Management”.

Config SSO

  • On the “AD FS Management” window, right-click “AD FS > Relying Party Trusts” then select “Add Relying Party Trust Wizard”.

  • On the “Add Relying Party Trust Wizard” popup:

    • Choose “Claims aware” then click “Start”.

    • Choose “Enter data about the relying party manually” then click “Next”.

    • Click “Next” until “Configure URL”.

      • Tick “Enable support for the SAML 2.0 WebSSO protocol”.

      • Fill in the “Relying party SAML 2.0 SSO service URL” with the value “SP Assertion Consumer Service”.

      • Click “Next”.

    • Fill in the “Relying party trust identifier” with the value “SP Entity ID”, click “Add” then “Next”.

    • Choose an access control policy then click “Next” until the end.

Mapping Attributes

  • On the “AD FS Management” window, select the Relying Party item whose attributes need to be mapped.

  • Click “Edit Claim Issuance Policy…”.

  • On the “Edit Claim Issuance Policy for <Party_Name>” popup, click “Add Rule”.

  • On the “Add Transform Claim Rule Wizard” popup:

    • Select “Send LDAP Attributes as Claims” then click “Next”.

    • Fill the “Claim rule name”.

    • Select the Attribute store (default “Active Directory”).

    • Map the attributes as shown in the table below, then click “Finish”.

  • Click “Add Rule” again to add a new Transform Rule. On the “Add Transform Claim Rule Wizard” popup:

    • Select “Transform an Incoming Claim” then click “Next”.

    • Fill the “Claim rule name”.

    • Select the Incoming claim type: “E-Mail Address”.

    • Select the Outgoing claim type: “Name ID”.

    • Select the Outgoing name ID format: “Unspecified”.

    • Choose “Pass through all claim values” then click “Finish”.

Attribute mapping table (LDAP Attribute → Outgoing Claim Type):

  LDAP Attribute          Outgoing Claim Type
  User-Principal-Name     Name ID
  E-Mail-Addresses        E-Mail Address
  Given-Name              Given Name
  Surname                 Surname
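The relying party trust from “Config SSO” and the two claim rules from “Mapping Attributes” can also be created with the AD FS PowerShell module instead of the wizards. This is an added example, not part of the original article; the trust name “Gamma SSO”, the “Permit everyone” access control policy and the two placeholder URLs are assumptions and must be replaced with your own values.

```powershell
# Added example: same result as the wizard steps above, via the ADFS module.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$acsUrl   = 'https://<SP Assertion Consumer Service>'   # placeholder, from your SP
$entityId = '<SP Entity ID>'                               # placeholder, from your SP

# Claim type URIs behind the friendly names used in the mapping table
$nameId = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$email  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$given  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
$sn     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
$fmt    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Rule 1: "Send LDAP Attributes as Claims" (the table: UPN, mail, givenName, sn)
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$nameId", "$email", "$given", "$sn"), query = ";userPrincipalName,mail,givenName,sn;{0}", param = c.Value);
"@

# Rule 2: "Transform an Incoming Claim": E-Mail Address -> Name ID, format Unspecified
$nameIdRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "$email"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$fmt"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

# SAML 2.0 WebSSO endpoint = the SP's Assertion Consumer Service (HTTP-POST binding)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Relying party trust: identifier = SP Entity ID, plus the two rules above
Add-AdfsRelyingPartyTrust -Name 'Gamma SSO' `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule)

# Check: show the issuance rules AD FS actually stored for the new trust
(Get-AdfsRelyingPartyTrust -Name 'Gamma SSO').IssuanceTransformRules
```

The printed rules should match what the “Edit Claim Issuance Policy” dialog shows when you open the trust in AD FS Management.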

Federation Metadata

  • You can download the “Federation Metadata” file from: <your-adfs-domain>/FederationMetadata/2007-06/FederationMetadata.xml.

  • Important note: after any change to the AD FS configuration, the Federation Metadata file changes. The user must then either upload the new Metadata file in the SSO Config in Gamma, or point the SSO Config at the public Federation Metadata URL, so that CF uses the latest Federation Metadata.

Users Management

  • Open “Active Directory Users and Computers”.

    • Start > type “Active Directory Users and Computers” > select the “Active Directory Users and Computers” application.

  • Select the domain in the left menu.

  • Select “ADFS” under the domain.

Create/Update User

  • Right-click “ADFS”.

  • Select “New” > “User” and type the user information.

  • Click “Next”.

  • Type the password, then click “Next” > “Finish”.

  • Right click on the user and select “Properties” to set the user mail.
