---
title: "Configure SSO with Active Directory Federation Service (AD FS)"
slug: "configure-sso-with-active-directory-federation-service-ad-fs"
updated: 2024-03-06T13:39:14Z
published: 2024-03-06T13:39:14Z
---

# Configure SSO with Active Directory Federation Service (AD FS)

## About this document

---

This document provides a step-by-step procedure to configure SSO in SAFE with Active Directory Federation Service 2.0 (AD FS 2.0).

## Introduction

---

Single Sign-On (SSO) enables organizations to use the SAML 2.0 authentication provider to authenticate SAFE login.

SAFE supports SSO based on SAML 2.0 and can integrate with Active Directory through **Active Directory Federation Service 2.0 (AD FS 2.0)**.

## Prerequisites

---

To configure the AD FS in SAFE for your organization, you require the following:

1. An existing **AD FS 2.0** is installed and running.
2. A **Pool ID** and a **SAML Service endpoint URL** provided by SAFE.
  1. **Pool ID**: Use the correct Entity ID for [your regional instance](https://docs.safe.security/safe-4/docs/en/generic-sso-parameters?highlight=SAFE%20Specific%20SSO%20Parameters).
  2. **SAML Link**: Use the correct Reply URL for [your regional instance](https://docs.safe.security/safe-4/docs/en/generic-sso-parameters?highlight=SAFE%20Specific%20SSO%20Parameters).

## Configure SSO with Active Directory Federation Service (AD FS)

---

The configuration involves mainly the following three steps:

1. Add a claims-aware relying party trust in AD FS
2. Configure claims issuance policy
3. Verify Configuration

### 1. Add a claims-aware relying party trust in AD FS

1. In Server Manager, click the **Tools** option at the top-right corner of the page and then click **AD FS Management**. The system displays the AD FS window.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS1.png)
2. Click **Add Relying Party Trust** in the Actions pane. The system opens the Add Relying Party Trust Wizard.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS2.png)
3. On the Welcome page, select the **Claims aware** option and then click the **Start** button.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS3.png)
4. On the Select Data Source page, select **Enter data about the relying party manually**, and then click the **Next** button.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS4.png)
5. On the next screen, enter the **Display Name** and click **Next**. Optionally, you can enter a description in the **Notes** field.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS5.png)
6. On the Configure Certificate page, click **Next**.
7. On the Configure URL page, choose to **Enable support for the SAML 2.0 WebSSO protocol**.
8. Under **Relying party SAML 2.0 SSO service URL**, type the [Reply URL for your regional instance](https://docs.safe.security/safe-4/docs/en/generic-sso-parameters?highlight=SAFE%20Specific%20SSO%20Parameters) and then click **Next**.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS8.png)
9. Prepare the URN for your Relying party trust identifier, by replacing yourSAFEPoolID in the following with the [Entity ID for your regional instance](https://docs.safe.security/safe-4/docs/en/generic-sso-parameters?highlight=SAFE%20Specific%20SSO%20Parameters).
10. On the Configure Identifiers page, for Relying party trust identifier, enter the prepared URN, click **Add**, and then click **Next**.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS9.png)
11. On the Choose Access Control Policy, select a suitable policy and click **Next**.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS11.png)
12. On the Ready to Add Trust page, review the settings, and then click **Next** to save your relying party trust information.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS12.png)
13. On the Finish page, ensure the option Configure claims issuance policy for this application is selected, then click **Close**. This opens the **Edit Claim Issuance Policy** window.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS13.png)

### 2. Configure claims issuance policy

1. In the Edit Claim Issuance Policy window, click **Add Rule**.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS%20Claim%20Insurance%201.png)
2. On the Select Rule Template page, select **Send LDAP Attributes as Claims** from the list, and then click **Next**.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS%20Claim%20Insurance%202.png)
3. On the Configure Rule page, under the **Claim rule name**, type a name for this rule.
4. For the Attribute store, choose **Active Directory** from the list.
5. Under the section for Mapping of LDAP attributes to outgoing claim types, choose **E-Mail-Addresses** for both LDAP Attribute and Outgoing claim types.  
![ADF S](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADF%20S.png)
6. You can also choose to configure the optional attributes for the user here based on the table below.
7. Click the **Finish** button.
8. In the **Edit Claim Issuance Policy** window, click **OK** to save the rule.

| Safe Attribute | LDAP Attribute | Outgoing Claim Type |
| --- | --- | --- |
| First Name | Given Name | Given Name |
| Last Name | Surname | Surname |

**Note:** It is not mandatory to configure these attributes, since they do not affect the SAFE integration with AD FS. However, if they are configured, they are synced with the respective fields for the onboarded users in SAFE, and the SAFE Admin does not have to separately update these fields in SAFE whenever there is an update in the Active Directory.

### 3. Verify Configuration

1. Enter the URL below in your browser, replacing `yourDomain` with the domain name of the AD FS server.  
`https://yourDomain/federationmetadata/2007-06/federationmetadata.xml`
2. If you're prompted to download the file federationmetadata.xml, everything is configured correctly.
3. Now provide both the federationmetadata.xml file and the URL to SAFE to proceed with the integration.
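The three steps above, performed with the ADFS PowerShell module instead of the wizard, as an added example that is not part of the SAFE documentation. It assumes the cmdlet names and the built-in "Permit everyone" access control policy of AD FS on Windows Server 2016 or later; `<SAFE-Entity-ID>`, `<SAFE-Reply-URL>` and `adfs.example.com` are placeholders you replace with your regional SAFE values and your own AD FS host.

```powershell
# Added example (not from the SAFE documentation): build the SAFE relying party
# trust and its claim rule with the ADFS module, then check the federation metadata.
# Assumed placeholders below: replace them with your regional SAFE values and host.
Import-Module ADFS

$SafeEntityId = "<SAFE-Entity-ID>"   # Pool ID / Entity ID provided by SAFE (placeholder)
$SafeReplyUrl = "<SAFE-Reply-URL>"   # SAML 2.0 SSO service (Reply) URL from SAFE (placeholder)
$AdfsHost     = "adfs.example.com"   # assumed DNS name of your AD FS server

# Step 2: the claim rule the "Send LDAP Attributes as Claims" template generates,
# written in the AD FS claim rule language. It maps the mandatory e-mail attribute
# and the optional Given Name / Surname attributes from the table above.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SAFE user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Step 1: claims-aware relying party trust with SAML 2.0 WebSSO support.
# The POST assertion-consumer endpoint is the Reply URL; the identifier is the Entity ID.
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $SafeReplyUrl
Add-AdfsRelyingPartyTrust -Name "SAFE" -Identifier $SafeEntityId -SamlEndpoint $Endpoint `
    -AccessControlPolicyName "Permit everyone" -IssuanceTransformRules $IssuanceRules

# Step 3: confirm the federation metadata is served and report the token-signing
# certificate(s) it advertises; SAFE validates AD FS assertion signatures against them,
# so an expired or rotated certificate here is a common cause of login failures.
$MetadataUrl = "https://$AdfsHost/federationmetadata/2007-06/federationmetadata.xml"
[xml]$Metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
"AD FS entityID: $($Metadata.EntityDescriptor.entityID)"
$Metadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object use -eq 'signing' |
    ForEach-Object {
        $Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate))
        "Token-signing certificate: $($Cert.Subject) (expires $($Cert.NotAfter))"
    }
```

Run it in an elevated PowerShell session on the AD FS server; the metadata check at the end is the same request the browser makes in step 3, so a failure there points at the AD FS endpoint rather than at SAFE.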

## User Login Flow

---

The entire login process for a user configured in Active Directory is summarised in the diagram below.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/User%20Flow%20SSO%20ADFS.png)

Once the configuration is completed, you can log in to SAFE as follows:

1. Visit the URL of your SAFE instance and enter the email address of a user configured in the Active Directory.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/SAFE%20Login%20ADFS.png)
2. Click **Next**. You will now be redirected to the IdP Login Page of AD FS.
3. Enter your **email address** and the **password** configured in the Active Directory.  
![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/ADFS%20Login.png)
4. Click the **Sign In** button. You will be redirected to the SAFE Dashboard.
