Setting up SAML 2.0 SSO with ADFS

This article will provide help in setting up SSO using ADFS ​

Tamás Párványik avatar
Written by Tamás Párványik
Updated over a week ago


Configuring Relying Party Trust

On your Windows Server open AD FS Management then click Add Relying Party Trust from the Actions menu:

In the dialog, that appears select Claims aware and click Start then on the next screen select Enter data about the relying party manually, click Next, enter StoriesOnBoard or any descriptive name in the Display name field, then click Next again twice, so you can skip the following Configure certificate step.

Open StoiresOnBoard and go to the approved and verified domain configuration dialog, select the SP MetaData tab and copy the value of the Login URL (ACS) field.

Back to ADFS, in the Configure URL step select the option Enable support for the SAML 2.0 WebSSO protocol and paste the copied ACS URL to the Relying party SAML 2.0 SSO service URL field, then click Next.

In StoriesOnBoard copy the value of the EntityID field on the SP MetaData tab, and paste it to the Relying party trust identifier field in ADFS, click Add then click Next.

In the Choose Access Control Policy step select Permit everyone if you want every user in your Active Directory to be able to access StoriesOnBoard or select one of the other options if you want to customize access to the application. Skip the next step, then on the final screen leave the Configure claims issuance policy for this appilication checked and click Close.

Setting up claims

After the wizard closes the Edit Claim Issuance Policy dialog appears. Click Add Rule, select Send LDAP Attributes as Claims for Claim rule template, then click Next.

  1. Select E-Mail-Addresses for LDAP Attribute and E-Mail Address for Outgoing Claim Type

  2. Select Active Directory for Attribute store

  3. For Claim rule name enter Email address or any descriptive name

  4. Click Finish to create the rule

You can see the new Email address rule in the Edit Claim Issuance Policy dialog. Click Add Rule again to set up another rule.

Select Transform an Incoming Claim for Claim rule template, and click Next and set the following values:

  • Incoming claim type: E-Mail Address

  • Outgoing claim type: Name ID

  • Outgoing name ID format: Email

  • Claim rule name: NameID or any descriptive name

  • Leave the Pass through all claim values option selected

Click Finish to add the rule.

Set up another rule by clicking Add Rule again in the Edit Claim Issuance Policy dialog. The Claim rule template should be Send LDAP Attributes as Claims, click Next and set the following values:

  1. Add two attributes to the Mapping of LDAP attributes to outgoing claim types

  2. Select Given-Name for LDAP Attribute and Given Name for Outgoing Claim Type

  3. Select Surname for both LDAP Attribute and Outgoing Claim Type

  4. Select Active Directory for Attribute store

  5. Enter Name or any descriptive name for Claim rule name

Click Finish to add the rule then click OK on the Edit Claim Issuance Policy dialog.

Configuring StoriesOnBoard

First, you will need the identity provider metadata from ADFS. Open a browser on the ADFS server, enter the address: https://localhost/FederationMetadata/2007-06/FederationMetadata.xml then press enter. This will download a file named FederationMetadata.xml. Open this file in a text editor and copy its contents to the clipboard.

In StoriesOnBoard on the approved and verified domain configuration dialog select the SSO Settings tab

  • Select the Enable SAML 2.0 Single Sign On checkbox

  • Leave the Optional setting selected for now. Later, if you test the settings and want your user to be able to log in to StoriesOnBoard via SSO only, you can change this setting to Required.

  • Paste the copied FederationMetadata.xml contents to the Identity Provider Metadata field

  • For the First name attribute enter the following value:
  • For the Last name attribute enter the following value:
  • Click Save

Test your settings

You will need a user in your Active Directory with their email address from the domain you have set up SSO within StoriesOnBoard.
Visit in an other browser or in an incognito window, and enter the user’s email address in the Email field. When you leave the field a new button will appear with the caption Login with corporate account. Click on the button and you will be taken to your ADFS web login page. Enter the user’s credentials and if everything is set up correctly, the user will be logged into StoriesOnBoard (not existing StoriesOnBoard users will be created).

💡 Tip - Learn more:

Did this answer your question?