Connect AD FS SAML
Learn how to configure a connection to Microsoft Active Directory Federation Services (AD FS)
Each SSO Identity Provider requires specific information to create and configure a new Connection. Often, the information required to create a Connection will differ by Identity Provider.
To create an AD FS SAML Connection, you'll need three pieces of information: an SP Metadata file, a Token Signature (X.509 Certificate), and an IdP SSO URL.
1Configure a Relying Party Trust
Open the AD FS Management console.
Click “Relying Party Trusts” on the left sidebar.
Open the “AD FS Relying Party Trust Wizard” by clicking “Add Relying Party Trust...” on the right sidebar.
Select “Claims aware” and then “Start”.
Download the provided Metadata file from WorkOS.
Select “Import data about the relying party from a file,” then select the SP Metadata file you downloaded, then click “Next”.
Select “Permit everyone” and then “Next”.
2Choose Access Policy
Click the “Endpoints” tab and confirm that the “SAML Assertion Consumer Endpoints” matches the URL below and click “Next”.
Confirm this URL matches the SAML Assertion Consumer Endpoint
Select “Configure claims issuance policy for this application” and “Close”.
3Configure Claims Issuance Policy
Click “Add Rule” in the “Edit Claims Issuance Policy” window.
Select “Send LDAP Attributes as Claims” and then “Next”.
Submit “Attributes” as “Claim rule name:”
Select “Active Directory” as “Attribute Store”
Configure the following Attribute mappings:
4Upload Token Signing Certificate
Click on Service > Certificates and select the “Token-signing” certificate and “View Certificate” in the right side bar.
Click the “Details” tab and then click “Copy to File” in the Certificate window.
Select “No, do not export the private key” then “Next”.
Select “Base-64 encoded X.509 (.CER)” then “Next”.
Specify a file name and finish exporting the public certificate.
5Provide SAML 2.0 Endpoints
Select "Services > Endpoints" and locate the “SAML 2.0/WS-Federation” Endpoint.
Provide the IdP SSO URL. This URL is located at the SAML 2.0/WS-Federation Endpoint. For example:
And your configuration is complete! Check out a demo of how quick and easy it is to integrate AD FS SSO into your application after configuring your Connection.