# Microsoft AD FS - SAML

This guide walks you through configuring Single Sign-On (SSO) with Microsoft Active Directory Federation Services (AD FS) as your Identity Provider.

####  Before you begin

To successfully set up AD FS SAML integration, you'll need:

- Elevated access to your AD FS Management Console
- Access to the Admin Portal of the application you're integrating Microsoft AD FS with
**Tip:** Having these prerequisites ready before starting will make the configuration process smoother

## Configuration steps

1. #### Begin the configuration

   Choose Microsoft AD FS as your identity provider

   ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/-1-1.png)

   Download Metadata XML file so that you can configure AD FS Server going forward

   ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/-1.png)

2. #### Open AD FS Management Console
   - Launch Server Manager
   - Click 'Tools' in the top menu
   - Select 'AD FS Management'

3. #### Create a Relying Party Trust
   - In the left navigation pane, expand 'Trust Relationships'
   - Right-click 'Relying Party Trusts'
   - Select 'Add Relying Party Trust'
   - Click 'Start' to begin the configuration

   ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/0-1.png)

4. #### Configure Trust Settings
   - Select 'Claims aware' as the trust type
   - Choose 'Import data about the relying party from a file'
   - Click 'Next' to proceed

   ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/2.png)

   Import the Metadata XML file that you downloaded earlier
**Note:** You can configure the relying party trust using either of these methods:
     - Enter the Metadata URL directly (if network access allows)

5. #### Set Display Name
   - Enter a descriptive name for your application (e.g., "ExampleApp")
   - Click 'Next' to continue

   ![Set display name step in the AD FS relying party trust wizard](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/16.png)

6. #### Configure Access Control
   - Select an appropriate access control policy
   - For purposes of this guide, select 'Permit everyone'
   - Click 'Next' to proceed

7. #### Review Trust Configuration
   - Verify the following settings:
     - Monitoring configuration
     - Endpoints
     - Encryption settings
   - Click 'Next' to continue

   ![Review trust configuration screen in the AD FS wizard](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/17.png)

   The wizard will complete with the 'Configure claims issuance policy for this application' option automatically selected

   ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/6.png)

8. #### Create claim rule
   Navigate to 'Relying Party Trusts' and select recently created app. Then click on 'Edit Claim Issuance Policy' from right nav bar.
   ![Edit claim issuance policy option for the new relying party trust in AD FS](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/15.png)

   Click 'Add Rule' to create a new claim rule
   ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/7.png)
   
   Select 'Send LDAP Attributes as Claims' template
   ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/8.png)

9. #### Map User Attributes
   - Enter a descriptive rule name (e.g., "Example App")
   - Configure the following attribute mappings:
     - `E-Mail-Addresses` → E-Mail Address
     - `Given-Name` → Given Name
     - `Surname` → Surname
     - `User-Principal-Name` → Name ID
   - Click 'Finish' to complete the mapping

   ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/9.png)

10. #### Complete Admin Portal Configuration
   - Navigate to Identity Provider Configuration in the Admin Portal
    - Select "Configure Manually"
    - The above endpoints are AD FS endpoints. You can find them listed in AD FS Console > Service > Endpoints > Tokens and Metadata sections. Enter these required details:
      - Microsoft AD FS Identifier: `http://<your-adfs-server-domain>/adfs/services/trust`
      - Login URL: `http://<your-adfs-server-domain>/adfs/ls`
      - Certificate:
1. Access <a href="https://<your-adfs-server-domain>/FederationMetadata/2007-06/FederationMetadata.xml" target="_blank">Federation Metadata URL</a>
2. Locate the text after the first `X509Certificate` tag
3. Copy and paste this certificate into the "Certificate" field
   - Click "Update" to save the configuration

    ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/12-1.png)

11. #### Test the Integration
   - In the Admin Portal, click "Test Connection"
    - You will be redirected to the AD FS login page
    - Enter your AD FS credentials
    - Verify successful redirection back to the Admin Portal with the correct user attributes

    ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/13.png)

12. #### Enable Connection
   - Click on **Enable Connection**
    - This will let all your selected users login to the new application via your AD FS SSO

    ![](@/assets/docs/guides/sso-integrations/microsoft-ad-fs/14.png)