ADFS SSO Configuration Guide

SAML Configuration for ADFS

Security Assertion Markup Language (SAML) is a standard for exchanging authentication and authorization data between parties. This guide will help you configure SAML SSO between your application and ADFS.

📥 Download Service Provider Metadata
Click the "Metadata" button in the SSO configuration modal to download your application's SAML metadata file. This file contains all the necessary configuration details for ADFS.

Step 1: Access ADFS Management Console

1 Open ADFS Management Console

On your ADFS server, open the ADFS Management Console from the Start menu or Server Manager.

2 Navigate to Relying Party Trusts

In the ADFS Management Console, expand ADFS → Trust Relationships → Relying Party Trusts

Step 2: Add Relying Party Trust

3 Start Add Relying Party Trust Wizard

Right-click on Relying Party Trusts and select "Add Relying Party Trust"

4 Choose Data Source

Select "Import data about the relying party from a file" and click Next

5 Import Metadata File

Browse to the SAML metadata file you downloaded from your application and click Next

6 Configure Display Name

Enter a display name for your application (e.g., "Your Application Name") and click Next

Step 3: Configure Claim Rules

7 Configure Claims

Select "Configure claims issuance policy for this application" and click Next

8 Add Claim Rules

Click "Add Rule" and select "Send LDAP Attributes as Claims"

9 Configure LDAP Attribute Mapping

Configure the following attribute mappings:

                E-Mail-Addresses → E-Mail Address

                Display-Name → Display Name

                Given-Name → Given Name

                Surname → Surname

                SAM-Account-Name → Name ID

                User-Principal-Name → UPN

Step 4: Configure Advanced Settings

10 Configure Name ID Format

In the relying party trust properties, go to Advanced tab and set:

Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Allow unencrypted Name ID: Checked (if required)

Step 5: Export ADFS Metadata

11 Export Federation Metadata

Right-click on ADFS → Properties → Federation Service tab → Export to download the ADFS metadata file.

12 Note Configuration Values

From the exported metadata, note the following values:

Entity ID: Usually https://adfs.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
Single Sign-On URL: https://adfs.yourdomain.com/adfs/ls/
Single Logout URL: https://adfs.yourdomain.com/adfs/ls/
X.509 Certificate: The certificate from the metadata file

Step 6: Configure Your Application

13 Enter ADFS Configuration

In your application's SSO configuration, enter the following details:

Identity Provider Settings

                Entity ID: https://adfs.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml

                Single Sign-On URL: https://adfs.yourdomain.com/adfs/ls/

                Single Logout URL: https://adfs.yourdomain.com/adfs/ls/

                X.509 Certificate: [Paste the certificate from the metadata file]

Step 7: PowerShell Configuration (Alternative)

14 Using PowerShell

You can also configure ADFS using PowerShell commands:

# Add Relying Party Trust
Add-AdfsRelyingPartyTrust -Name "Your Application" -MetadataUrl "https://yourdomain.com/saml/metadata"

# Add Claim Rules
$claimRules = @'
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName "Your Application" -IssuanceTransformRules $claimRules

Step 8: Test Configuration

15 Test SAML SSO

Test the SAML configuration by attempting to sign in with a domain account.

Important: Ensure that your ADFS server's SSL certificate is valid and trusted by client browsers. Also, make sure that the ADFS service account has the necessary permissions.

OAuth2 Configuration for ADFS

OAuth2 is an authorization framework that enables applications to obtain limited access to user accounts. ADFS 4.0+ supports OAuth2 and OpenID Connect protocols.

Step 1: Configure OAuth2 in ADFS

1 Access ADFS Management Console

Open the ADFS Management Console on your ADFS server.

2 Navigate to Application Groups

Go to ADFS → Application Groups

3 Create Application Group

Right-click on Application Groups and select "Add Application Group"

4 Configure Application Group

Enter the following details:

Name: Your Application OAuth2
Description: OAuth2 configuration for your application

Step 2: Add Native Client Application

5 Add Native Client

In the Application Group, click "Add Application" → "Native client application"

6 Configure Client

Enter the following details:

Name: Your Application Client
Client ID: Generate a unique client ID
Redirect URIs: https://yourdomain.com/oauth/callback

Step 3: Configure Scopes

7 Add Scopes

In the Application Group, click "Add Application" → "Web API" and configure:

Name: Your Application API
Identifier: https://yourdomain.com/api
Scopes: openid, profile, email

Step 4: Configure Claims

8 Add Claim Rules

For the Web API application, add claim rules to issue the following claims:

                Name ID → name

                E-Mail Address → email

                Display Name → profile

                Given Name → given_name

                Surname → family_name

                UPN → upn

Step 5: PowerShell Configuration

9 Using PowerShell

Configure OAuth2 using PowerShell commands:

# Create Application Group
Add-AdfsApplicationGroup -Name "Your Application OAuth2" -Description "OAuth2 configuration"

# Add Native Client
Add-AdfsNativeClientApplication -Name "Your Application Client" -ClientId "your-client-id" -RedirectUri "https://yourdomain.com/oauth/callback"

# Add Web API
Add-AdfsWebApiApplication -Name "Your Application API" -Identifier "https://yourdomain.com/api"

# Add Scopes
Add-AdfsScope -Name "openid" -Description "OpenID Connect scope"
Add-AdfsScope -Name "profile" -Description "Profile scope"
Add-AdfsScope -Name "email" -Description "Email scope"

Step 6: Configure Your Application

10 Enter OAuth2 Configuration

In your application's SSO configuration, enter the following details:

OAuth2 Settings

                Client ID: {your-client-id}

                Client Secret: [Not required for native clients]

                Authorization Endpoint: https://adfs.yourdomain.com/adfs/oauth2/authorize

                Token Endpoint: https://adfs.yourdomain.com/adfs/oauth2/token

                User Info Endpoint: https://adfs.yourdomain.com/adfs/userinfo

                Redirect URI: https://yourdomain.com/oauth/callback

                Scope: openid profile email

Step 7: Test Configuration

11 Test OAuth2 Flow

Test the OAuth2 configuration by attempting to sign in with a domain account.

OAuth2 Benefits with ADFS:

Modern authorization protocol support
Better integration with modern applications
Support for mobile and web applications
Granular scope-based permissions

Troubleshooting

Common SAML Issues

Common OAuth2 Issues

ADFS-Specific Issues

Support

If you encounter any issues during configuration, please contact our support team with the following information: