Step 1: ADFS Server Setup
1. Ensure ADFS is installed and configured on your Windows Server
2. Open ADFS Management Console
3. Navigate to "ADFS" > "Trust Relationships" > "Relying Party Trusts"
4. Click "Add Relying Party Trust" in the right panel
Step 2: Create Relying Party Trust
1. In the "Add Relying Party Trust Wizard", click "Start"
2. Select "Enter data about the relying party manually" and click "Next"
3. Enter the following details:
Display name: Your Domain SSO App
Notes: Custom SAML application for domain SSO
4. Click "Next"
Step 3: Configure Certificate and URL
1. The "Configure Certificate" step is for an optional token encryption certificate published by your application. Leave it empty unless your application provides one; SAML responses are signed with the ADFS service's own token-signing certificate, not with a certificate created in this wizard
2. Click "Next"
3. In the "Configure URL" step, check "Enable support for the SAML 2.0 WebSSO protocol"
4. Enter the following URL:
Relying party SAML 2.0 SSO service URL: https://yourdomain.com/api/sso/acs
This is your application's Assertion Consumer Service (ACS) endpoint. It must be HTTPS; ADFS delivers the signed SAML response to it with an HTTP POST
5. Click "Next"
Step 4: Configure Identifiers
1. In the "Configure Identifiers" step, click "Add"
2. Enter the following identifier (this is your application's SAML entity ID; ADFS matches it exactly, including scheme and any trailing slash, against the Issuer in the application's AuthnRequest):
Relying party identifier: https://yourdomain.com/api
3. Click "OK" and then "Next"
Step 5: Choose Access Control Policy
1. In the "Choose Access Control Policy" step (Windows Server 2016 and later), select "Permit everyone" or a more restrictive policy, for example one that requires multi-factor authentication. On Windows Server 2012 R2 this step is "Choose Issuance Authorization Rules", where "Permit all users to access this relying party" is the equivalent
2. Click "Next"
Step 6: Complete Configuration and Add Claim Rules
1. Review the summary and click "Next"
2. Check "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes"
3. Click "Close"
4. In the Edit Claim Rules dialog, on the "Issuance Transform Rules" tab, click "Add Rule"
5. Select "Send LDAP Attributes as Claims", click "Next", choose "Active Directory" as the attribute store and configure the following attribute mappings:
E-Mail-Addresses: E-Mail Address
Given-Name: Given Name
Surname: Surname
6. Click "Finish"
7. Click "Add Rule" again, select "Transform an Incoming Claim", set Incoming claim type to "E-Mail Address", Outgoing claim type to "Name ID", Outgoing name ID format to "Email", keep "Pass through all claim values" and click "Finish". This gives the SAML assertion a NameID, which most SAML applications require to identify the user
8. Click "OK"
Step 7: PowerShell Configuration (Alternative)
You can also create the relying party trust with PowerShell on the ADFS server. The script below is equivalent to Steps 2 to 6: it registers the ACS endpoint, requires both the SAML response and the assertion to be signed with RSA-SHA256, and installs the same two claim rules. -AccessControlPolicyName needs Windows Server 2016 or later; on 2012 R2 use -IssuanceAuthorizationRules instead. Leave the certificate revocation check parameters at their defaults; setting them to "None" removes a control.

# SAML Assertion Consumer Service endpoint of the application (HTTP-POST binding)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri "https://yourdomain.com/api/sso/acs"

# Claim rules: LDAP attributes as claims, then the e-mail address as the SAML Name ID
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

Add-AdfsRelyingPartyTrust -Name "Your Domain SSO App" `
    -Notes "Custom SAML application for domain SSO" `
    -Identifier "https://yourdomain.com/api" `
    -SamlEndpoint $acs `
    -SamlResponseSignature "MessageAndAssertion" `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -EncryptClaims $False `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $rules
Step 8: Collect the ADFS Federation Metadata
1. In ADFS Management Console, navigate to "ADFS" > "Service" > "Endpoints" and scroll to the "Metadata" section. The federation metadata document is published at:
ADFS Federation Metadata URL: https://[your-adfs-server]/FederationMetadata/2007-06/FederationMetadata.xml
Replace [your-adfs-server] with your ADFS server hostname (e.g., adfs.yourcompany.com)
2. The same document lists the SAML endpoint your application redirects users to:
Single Sign-On URL: https://[your-adfs-server]/adfs/ls
Replace [your-adfs-server] with your ADFS server hostname
3. It also contains the ADFS token-signing certificate (the KeyDescriptor with use="signing" under IDPSSODescriptor). You can view the same certificate under "ADFS" > "Service" > "Certificates". This is the certificate your application must use to verify SAML response signatures. Note that the "Endpoints" tab in the relying party trust's Properties lists your application's endpoints, not the ADFS ones
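To check what ADFS actually publishes before filling in the summary below, here is an added PowerShell script (not part of the original guide or the application) that fetches the federation metadata, prints the IdP entity ID and the SAML single sign-on endpoints, and exports every token-signing certificate as PEM. The hostname adfs.yourcompany.com is an assumed placeholder; run it from any machine that can reach the ADFS farm over HTTPS.

```powershell
# Added verification script; not part of the original guide or the application.
# Assumption: $AdfsHost is a placeholder for your ADFS farm hostname.
param([string]$AdfsHost = "adfs.yourcompany.com")

$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# The document is namespaced, so XPath queries need a namespace manager
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$idp = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)
if (-not $idp) { throw "No IDPSSODescriptor found; is SAML 2.0 enabled on this ADFS farm?" }

# The entityID is the Issuer value ADFS puts in every SAML response
"IdP Entity ID (Issuer): $($md.DocumentElement.GetAttribute('entityID'))"
foreach ($sso in $idp.SelectNodes("md:SingleSignOnService", $ns)) {
    "Single Sign-On URL:     $($sso.GetAttribute('Location'))  [$($sso.GetAttribute('Binding').Split(':')[-1])]"
}

# Token-signing certificates: trust every use="signing" key, because during automatic
# certificate rollover ADFS publishes the next certificate here before it starts using it
$signing = $idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$i = 0
foreach ($node in $signing) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    $bits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
    "Token-signing cert:     $($cert.Subject)  thumbprint=$($cert.Thumbprint)  rsa=$bits  expires=$($cert.NotAfter.ToString('u'))"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate $($cert.Thumbprint) expires within 30 days" }
    if ($bits -lt 2048) { Write-Warning "Certificate $($cert.Thumbprint) has an RSA key shorter than 2048 bits" }
    # PEM copy for the application's "X.509 Certificate" field
    $pem = "-----BEGIN CERTIFICATE-----`n" + [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') + "`n-----END CERTIFICATE-----"
    Set-Content -Path "adfs-token-signing-$i.pem" -Value $pem
    $i++
}
```

If the script prints two signing certificates, a rollover is in progress: configure the application with both, or it will start rejecting responses the moment ADFS promotes the new one.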
Configuration Summary
Once you have completed all steps, enter the following information in your SSO configuration:
- Provider: ADFS
- Protocol: SAML
- Entity ID: https://yourdomain.com/api (your application's relying party identifier from Step 4; it must match exactly)
- Single Sign-On URL: https://[your-adfs-server]/adfs/ls (from the ADFS federation metadata)
- X.509 Certificate: the ADFS token-signing certificate (from the ADFS federation metadata; with automatic certificate rollover a new certificate appears in the metadata before it becomes the primary one, so update the application when a second signing certificate shows up)
Note: Replace "yourdomain.com" with your actual domain name throughout this guide.
The placeholders above will be automatically replaced with your actual domain when you view this guide in the application.
Step 1: ADFS Application Registration
1. Open ADFS Management Console
2. Navigate to "ADFS" > "Application Groups"
3. Right-click and select "Create Application Group"
4. Choose "Server application accessing a web API" and click "Next"
Step 2: Configure Client Application
1. Enter the following details for your server application:
Name: Your Domain OAuth2 App
Client Identifier: [Auto-generated GUID; copy it, this is the Client ID]
Redirect URI: https://yourdomain.com/api/sso/oauth2/callback (click "Add"; it must match the application's callback exactly, including scheme, host, path and trailing slash)
2. Click "Next"
3. In the "Configure Application Credentials" step, check "Generate a shared secret" and copy the secret shown. This is the Client Secret; it cannot be displayed again once the wizard closes
4. Click "Next"
Step 3: Configure Web API
1. Enter the following details for your web API:
Name: Your Domain API
Identifier: https://yourdomain.com/api (click "Add")
2. Click "Next"
3. In the "Apply Access Control Policy" step, select "Permit everyone" or a more restrictive policy, then click "Next"
Step 4: Configure Application Permissions
1. The client application is preselected as the caller; under "Permitted scopes" check the following:
openid
profile
email
2. Click "Next", review the summary, click "Next" and then "Close"
Step 5: Configure Claims
1. The wizard creates no claim rules. After it closes, open the application group's Properties, select the web API ("Your Domain API"), click "Edit" and go to the "Issuance Transform Rules" tab
2. Click "Add Rule", select "Send LDAP Attributes as Claims", choose "Active Directory" as the attribute store and configure the following attribute mappings:
E-Mail-Addresses: E-Mail Address
Given-Name: Given Name
Surname: Surname
3. Click "Finish" and then "OK"
Note: the ADFS userinfo endpoint returns only the "sub" claim. Your application should read e-mail and name from the token claims rather than from userinfo; if it reads them from the id_token, request the "allatclaims" scope in addition to "openid", which asks ADFS to include the access token's claims in the id_token as well.
Step 6: PowerShell Configuration (Alternative)
You can also create the application group with PowerShell on the ADFS server. Add-AdfsClient registers a stand-alone client and has no -GrantTypes or -Scopes parameters; the application group cmdlets below reproduce Steps 1 to 4. The client secret is returned only once, so store it in a secrets manager rather than in a script.

$group    = "YourDomainOAuth2"
$clientId = [guid]::NewGuid().ToString()
New-AdfsApplicationGroup -Name "Your Domain OAuth2 Group" -ApplicationGroupIdentifier $group
# Confidential client: a shared secret is generated and returned in $client.ClientSecret
$client = Add-AdfsServerApplication -ApplicationGroupIdentifier $group -Name "Your Domain OAuth2 App" `
    -Identifier $clientId -RedirectUri "https://yourdomain.com/api/sso/oauth2/callback" -GenerateClientSecret
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $group -Name "Your Domain API" `
    -Identifier "https://yourdomain.com/api" -AccessControlPolicyName "Permit everyone"
# Allow the client to request these scopes for the web API
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier "https://yourdomain.com/api" -ScopeNames "openid", "profile", "email"
"Client ID: $clientId"; "Client Secret: $($client.ClientSecret)"
Configuration Summary
Once you have completed all steps, enter the following information in your SSO configuration:
- Provider: ADFS
- Protocol: OAuth2
- Client ID: [From ADFS Application Registration]
- Client Secret: [From ADFS Application Registration]
- Authorization Endpoint: https://[your-adfs-server]/adfs/oauth2/authorize/
- Token Endpoint: https://[your-adfs-server]/adfs/oauth2/token/
- User Info Endpoint: https://[your-adfs-server]/adfs/userinfo
- Redirect URI: https://yourdomain.com/api/sso/oauth2/callback
All ADFS OAuth2/OpenID Connect endpoints live under the /adfs/ path. The authoritative list, including the JWKS URL your application needs to verify token signatures, is the discovery document at https://[your-adfs-server]/adfs/.well-known/openid-configuration.
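To confirm the registration end to end, here is an added PowerShell script (not part of the original guide or the application) that reads the ADFS discovery document, builds an authorization request with state, nonce and PKCE, and then, in Complete-AdfsLogin, redeems the code and validates the id_token (signature against the JWKS, issuer, audience, nonce, expiry) the way the application itself must before trusting any claim. The hostname, the client ID and the secret are assumed placeholders; use the values from Step 2.

```powershell
# Added verification script; not part of the original guide or the application.
# Assumptions: $AdfsHost, $ClientId and $RedirectUri are placeholders. $ClientId must be the
# Client ID from Step 2, and the secret passed to Complete-AdfsLogin the shared secret from Step 2.
param(
    [string]$AdfsHost    = "adfs.yourcompany.com",
    [string]$ClientId    = "00000000-0000-0000-0000-000000000000",
    [string]$RedirectUri = "https://yourdomain.com/api/sso/oauth2/callback"
)

function ConvertTo-Base64Url([byte[]]$Bytes) {
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return ,[Convert]::FromBase64String($s)   # leading comma keeps the byte[] intact
}
function New-RandomToken([int]$Bytes = 32) {
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ConvertTo-Base64Url $buf
}

# 1. Discovery: the authoritative list of endpoints and of the key set that signs tokens
$oidc = Invoke-RestMethod -Uri "https://$AdfsHost/adfs/.well-known/openid-configuration"
"Issuer:    $($oidc.issuer)"
"Authorize: $($oidc.authorization_endpoint)"
"Token:     $($oidc.token_endpoint)"
"UserInfo:  $($oidc.userinfo_endpoint)"
"JWKS:      $($oidc.jwks_uri)"
$usePkce = $oidc.code_challenge_methods_supported -contains 'S256'   # advertised by ADFS 2019 and later
if (-not $usePkce) { Write-Warning "PKCE S256 not advertised; relying on state and the client secret only" }

# 2. Authorization request: state against CSRF, nonce against token replay, PKCE against code interception
$state        = New-RandomToken
$nonce        = New-RandomToken
$codeVerifier = New-RandomToken 48
$challenge    = ConvertTo-Base64Url ([System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::ASCII.GetBytes($codeVerifier)))
$authUrl = "$($oidc.authorization_endpoint)?client_id=$ClientId&response_type=code" +
           "&redirect_uri=$([uri]::EscapeDataString($RedirectUri))&scope=openid%20profile%20email" +
           "&state=$state&nonce=$nonce"
if ($usePkce) { $authUrl += "&code_challenge=$challenge&code_challenge_method=S256" }
"Open this URL in a browser and sign in: $authUrl"

# 3. Redeem the code from the callback and validate the id_token before trusting any claim in it
function Complete-AdfsLogin([string]$Code, [string]$ReturnedState, [string]$ClientSecret) {
    if ($ReturnedState -ne $state) { throw "state mismatch: the callback did not come from our request" }
    $body = @{ grant_type = 'authorization_code'; code = $Code; redirect_uri = $RedirectUri
               client_id = $ClientId; client_secret = $ClientSecret }
    if ($usePkce) { $body.code_verifier = $codeVerifier }
    $tok = Invoke-RestMethod -Method Post -Uri $oidc.token_endpoint -ContentType 'application/x-www-form-urlencoded' -Body $body
    $hdr, $pld, $sig = $tok.id_token.Split('.')
    $header  = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $hdr)) | ConvertFrom-Json
    $payload = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $pld)) | ConvertFrom-Json

    # Signature: look the key up by kid in the JWKS and verify RS256 over "header.payload"
    if ($header.alg -ne 'RS256') { throw "unexpected alg '$($header.alg)'" }
    $jwk = (Invoke-RestMethod -Uri $oidc.jwks_uri).keys | Where-Object { $_.kid -eq $header.kid }
    if (-not $jwk) { throw "no key with kid '$($header.kid)' in the JWKS" }
    $params = New-Object System.Security.Cryptography.RSAParameters
    $params.Modulus  = ConvertFrom-Base64Url $jwk.n
    $params.Exponent = ConvertFrom-Base64Url $jwk.e
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.ImportParameters($params)
    $valid = $rsa.VerifyData([Text.Encoding]::ASCII.GetBytes("$hdr.$pld"), [byte[]](ConvertFrom-Base64Url $sig),
                 [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                 [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if (-not $valid) { throw "id_token signature is invalid" }

    # Claims: issuer and audience bind the token to this ADFS and this client, nonce to this login, exp to now
    if ($payload.iss -ne $oidc.issuer)           { throw "issuer mismatch: $($payload.iss)" }
    if (@($payload.aud) -notcontains $ClientId)  { throw "audience mismatch: $($payload.aud)" }
    if ($payload.nonce -ne $nonce)               { throw "nonce mismatch" }
    if ([DateTimeOffset]::FromUnixTimeSeconds([int64]$payload.exp) -lt [DateTimeOffset]::UtcNow) { throw "id_token expired" }
    return $payload
}
```

Dot-source the script (`. .\Test-AdfsOAuth2.ps1`) so that $state, $nonce and the code verifier stay in your session, sign in at the printed URL, then call `Complete-AdfsLogin -Code <code> -ReturnedState <state> -ClientSecret <secret>` with the values from the callback query string. The returned payload shows which claims the id_token actually carries, which is the quickest way to see whether the Step 5 claim rules and the "allatclaims" scope are doing what you expect.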
Note: Replace "yourdomain.com" with your actual domain name and "[your-adfs-server]" with your ADFS server hostname throughout this guide.
The placeholders above will be automatically replaced with your actual domain when you view this guide in the application.