Configuring SAML SSO for Active Directory Federation Services (AD FS) using ADSelfService Plus

Configuring SAML SSO for Active Directory Federation Services (AD FS) using ADSelfService Plus

The following guide elaborates on the steps to configure SSO for AD FS with ADSelfService Plus. This enables users to access all AD FS integrated applications by authenticating with ADSelfService Plus.


  1. Fetch the AD FS server federation metadata by pasting the following URL in a browser: https://<adfs_fqdn>/FederationMetadata/2007-06/FederationMetadata.xml

ADSelfService Plus (identity provider) configuration steps

  1. Log in to ADSelfService Plus as an administrator.
  2. Navigate to Configuration → Self-Service → Password Sync/Single Sign On → Add Application → Custom Application.
  3. Enter the Application Name, Description, and Domain Name in the respective fields.
  4. Choose the policy containing the users you wish to provide SSO access to AD FS from the Assign Policies drop-down.
  5. Select the checkbox Enable SSO using SAML.
  6. Set Support SSO flow to SP initiated.
  7. In the Upload Metadata field, upload the file downloaded previously in the prerequisite step.
  8. Under Provider Settings, enter the following information:
    1. Select RSA-SHA256 from the RSA SHA Algorithm drop-down.
    2. Set the SAML Response value to Signed.
    3. Select the option Exclusive Canonicalization from the Canonicalization Method drop-down.
  9. Click Advanced in the top-left corner.
    Create custom Applications
  10. Under the SAML Assertion Attributes Configuration section, create an attribute and enter the following values:
    1. Choose any relevant value for the Value field.
      Advanced Configuration
  11. Click IdP details and select Download IdP Metadata, which will download the metadata file required for later.

    IdP Details

AD FS (service provider) configuration steps:

Step 1: Adding a new claims provider trust

  1. Open the AD FS Management console. Navigate to AD FS → Trust Relationships → Claims Provider Trusts.AD FS Explorer
  2. Click Add Claims Provider Trust in the Actions pane. This will open the Add Claims Provider Trust Wizard. Click Start.

    Add claims ptovider trust wizard

  3. In the Select Data Source section, choose the option Import data about the claims provider from a file and upload the metadata file downloaded in Step 11 of the ADSelfService Plus configuration steps.

    Add claims ptovider trust wizard

  4. In the Specify Display Name section, enter the desired Display name.

    Add claims ptovider trust wizard

  5. Complete the remaining steps in the wizard by retaining the default values for the rest of the fields.

Step 2: Adding claim rules

  1. Once the claims provider trust configuration is complete, the Claims Rule Editor window opens. Click Add Rule.
    Edit claim rules
  2. From the Claim rule template drop-down, select the value Pass Through or Filter an Incoming Claim and click Next.
    Add transform claim rule wizard
  3. In the next window, enter a Claim rule name and set any of the supported claim types as the Incoming claim type. For information regarding the supported claim types, click here. Choose the Pass through all claim values radio button. Click Finish to complete adding the claims rule.
    Add transform claim rule wizard

Step 3: Modify existing relaying party trusts

The existing relaying party trusts need to be modified in order to map the incoming claim to an outgoing claim that will be sent to the relaying party.
  1. Click Relaying Party Trusts under Trust Relationships. Right-click the desired SSO applications from the list and select Edit Claim Rules. Click Add Rule.
    Relying party trusts
    Edit claim rules for Salesforce RP
  2. In the Add Transform Claim Rule Wizard, choose the option Transform an Incoming Claim from the Claim rule template drop-down and click Next.
    Add transform claim rule wizard
  3. Enter “Name ID” in the Claim rule name field and set UPN as the Incoming claim type. Set Name ID as the Outgoing claim type and click OK.
    Edit rule wizard
To enable SSO for all AD FS integrated applications, repeat Step 3 for all the applications configured in AD FS.
You have now completed configuring ADSelfService Plus as the identity provider for AD FS.

                    New to ADSelfService Plus?