# Configuring SSO with AD FS
Before configuring SSO, make sure that the `APP_URL` parameter in `config.env` matches the current Passwork domain, for example `APP_URL=https://passwork.example.com`.

The following server names are used in this example:

- Identity provider (IdP), AD FS: `ad-fs.passwork.local`
- Passwork server (SP): `passwork.example.com`

## Adding the relying party trust

Open Server Manager → Tools → AD FS Management → Relying Party Trusts → Actions.

Perform the steps in the Welcome to the Add Relying Party Trust Wizard:

- Claims aware;
- Enter data about the relying party manually;
- Fill in the Display name (example: `Passwork SP`);
- Skip the step Configure Certificate, click Next;
- In the Configure URL step, enable support for the SAML 2.0 WebSSO protocol;
- Copy the Reply URL from Passwork (Settings and users → SSO settings → Reply URL) and put it in Relying party SAML 2.0 SSO service URL: `https://passwork.example.com/api/v1/sso/acs`;
- In the Configure Identifiers step, copy the Identifier (Entity ID) from Passwork (Settings and users → SSO settings → Identifier (Entity ID)) and put it in Relying party trust identifier: `https://passwork.example.com/api/v1/sso/metadata`;
- Skip the step Choose Access Control Policy, click Next;
- Skip the step Ready to Add Trust, click Next.

Example of the output of the created trust in PowerShell:

```powershell
Get-AdfsRelyingPartyTrust -Name "Passwork SP" # command for output

AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy                : False
SigningCertificateRevocationCheck    : CheckChainExcludeRoot
WSFedEndpoint                        :
AdditionalWSFedEndpoint              : {}
ClaimsProviderName                   : {}
ClaimsAccepted                       : {}
EncryptClaims                        : True
Enabled                              : True
EncryptionCertificate                :
Identifier                           : {https://passwork.example.com/api/v1/sso/metadata}
NotBeforeSkew                        : 0
EnableJWT                            : False
AlwaysRequireAuthentication          : False
Notes                                :
OrganizationInfo                     :
ObjectIdentifier                     : 03363cb7-5eef-ef11-b8b3-000c2993a976
ProxyEndpointMappings                : {}
ProxyTrustedEndpoints                : {}
ProtocolProfile                      : WsFed-SAML
RequestSigningCertificate            : {}
EncryptedNameIdRequired              : False
SignedSamlRequestsRequired           : False
SamlEndpoints                        : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature                : AssertionOnly
SignatureAlgorithm                   : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime                        : 0
AllowedClientTypes                   : Public, Confidential
IssueOAuthRefreshTokensTo            : AllDevices
RefreshTokenProtectionEnabled        : True
RequestMFAFromClaimsProviders        : False
ScopeGroupId                         :
ScopeGroupIdentifier                 :
DeviceAuthenticationMethod           :
Name                                 : Passwork SP
AutoUpdateEnabled                    : False
MonitoringEnabled                    : False
MetadataUrl                          :
ConflictWithPublishedPolicy          : False
IssuanceAuthorizationRules           :
IssuanceTransformRules               :
DelegationAuthorizationRules         :
LastPublishedPolicyCheckSuccessful   :
LastUpdateTime                       : 01.01.1900 5:00:00
LastMonitoredTime                    : 01.01.1900 5:00:00
ImpersonationAuthorizationRules      :
AdditionalAuthenticationRules        :
AccessControlPolicyName              : Permit everyone
AccessControlPolicyParameters        :
ResultantPolicy                      : RequireFreshAuthentication:False
                                       IssuanceAuthorizationRules:
                                       {
                                         Permit everyone
                                       }

Get-AdfsRelyingPartyTrust -Name "Passwork SP" | Select-Object -ExpandProperty SamlEndpoints # command for output

Binding          : POST
BindingUri       : urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Index            : 0
IsDefault        : False
Location         : https://passwork.example.com/api/v1/sso/acs
Protocol         : SAMLAssertionConsumer
ResponseLocation :
```

Open the Properties of the created relying party trust, go to Endpoints and perform the following actions:

- Add SAML;
- Endpoint type: SAML Logout;
- Binding: Redirect;
- Copy the Logout URL from Passwork (Settings and users → SSO settings → Logout URL) and put it in Trusted URL: `https://passwork.example.com/api/v1/sso/sls`.

Apply the changes and close Properties.

## Configuring rules for processing requests from the SP (Passwork) in the IdP (AD FS)

Depending on the kind of user login you want in Passwork, you can customize the processing rules so that the user login takes one of the following formats:

- `username`
- `username@passwork.local`

Select the desired user login format in Passwork and configure it in Relying Party Trusts: select the created trust (`Passwork SP`) and open Edit Claim Issuance Policy.

### Configuring processing rules for the `username@passwork.local` format

Perform the following steps:

- Add Rule;
- Send LDAP Attributes as Claims;
- Claim rule name: `AttributeStatement`;
- Attribute store: Active Directory;
- LDAP Attribute: User-Principal-Name;
- Outgoing Claim Type: UPN.

Perform the following steps:

- Add Rule;
- Transform an Incoming Claim;
- Claim rule name: `Name ID Format`;
- Incoming claim type: UPN;
- Outgoing claim type: Name ID;
- Outgoing name ID format: Transient Identifier.

### Configuring processing rules for the `username` format

Perform the following steps:

- Add Rule;
- Send LDAP Attributes as Claims;
- Claim rule name: `AttributeStatement`;
- Attribute store: Active Directory;
- LDAP Attribute: SAM-Account-Name;
- Outgoing Claim Type: E-Mail Address.

Perform the following steps:

- Add Rule;
- Transform an Incoming Claim;
- Claim rule name: `Name ID Format`;
- Incoming claim type: E-Mail Address;
- Outgoing claim type: Name ID;
- Outgoing name ID format: Transient Identifier.

### Configuring rules for processing additional attributes to be transferred to the SP

Edit the created rule named `AttributeStatement`.

Pass the Display-Name attribute to the SP (Passwork):

- LDAP Attribute: Display-Name;
- Outgoing Claim Type: type `displayname`.

Pass the E-Mail-Addresses attribute to the SP (Passwork):

- LDAP Attribute: E-Mail-Addresses;
- Outgoing Claim Type: type `emailaddress`.

## Configuring and completing Single Sign-On (SSO) settings in Passwork

### Filling in values: User attributes

Authenticate in the Passwork web interface, go to Settings and users → SSO settings and fill in the mapping attributes:

- Attribute for email: `emailaddress`;
- Attribute for full name: `displayname`.

### Filling in values: Identity provider → Passwork

Open AD FS Management, select the AD FS node and open Edit Federation Service Properties. Copy the address from Federation Service identifier: `http://ad-fs.passwork.local/adfs/services/trust`.

Open Settings and users → SSO settings and fill in the values:

- Identifier (Entity ID): `http://ad-fs.passwork.local/adfs/services/trust`
- Reply URL: `https://ad-fs.passwork.local/adfs/ls`
- Logout URL: `https://ad-fs.passwork.local/adfs/ls/?wa=wsignout1.0`

### Filling in value: Certificate

Open and export the generated SSL certificate in Base64 format: AD FS Management → Service → Certificates → Token-signing.

Open the exported SSL certificate using Notepad, copy its contents and place them in the appropriate field: Settings and users → SSO settings.

### Filling in value: Advanced settings

Put the following content in JSON format:

```json
{
  "sp": {
    "entityId": "https://passwork.example.com/api/v1/sso/metadata",
    "assertionConsumerService": {
      "url": "https://passwork.example.com/api/v1/sso/acs"
    },
    "singleLogoutService": {
      "url": "https://passwork.example.com/api/v1/sso/sls"
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
  }
}
```

Replace the `passwork.example.com` domain in the URLs with the domain of your Passwork server.

Open the authentication window in the Passwork web interface and log in via SSO to verify the correct configuration.
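The AD FS side of this guide (relying party trust, ACS and logout endpoints, and the two claim rules for the `username@passwork.local` format) as a single PowerShell script. This is an added example, not part of the Passwork documentation; it assumes the AD FS PowerShell module on the federation server and the example hostnames used on this page.

```powershell
# Added example: scripted equivalent of the wizard and claim rule steps above.
# Assumes elevated PowerShell on the AD FS server and the page's example hosts.
Import-Module ADFS

$spHost = "https://passwork.example.com"   # replace with your Passwork domain

# SAML 2.0 endpoints matching Passwork's Reply URL (POST) and Logout URL (Redirect).
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "$spHost/api/v1/sso/acs" -Index 0
    New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout `
        -Uri "$spHost/api/v1/sso/sls"
)

# Claim rules in AD FS claim rule language, as the GUI would generate them:
#  1. AttributeStatement: UPN plus the displayname/emailaddress attributes that
#     Passwork maps in its SSO settings (mail and displayName from AD).
#  2. Name ID Format: UPN -> NameID with the transient format.
# For the plain "username" format, query sAMAccountName instead of
# userPrincipalName and transform the E-Mail Address claim instead of UPN.
$rules = @'
@RuleName = "AttributeStatement"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "displayname", "emailaddress"), query = ";userPrincipalName,displayName,mail;{0}", param = c.Value);

@RuleName = "Name ID Format"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Identifier is Passwork's Entity ID; the access control policy is the one the
# wizard assigns when the step is skipped, as shown in the output above.
Add-AdfsRelyingPartyTrust -Name "Passwork SP" `
    -Identifier "$spHost/api/v1/sso/metadata" `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName "Permit everyone"

# Verify: both SAML endpoints should be listed, as in the output above.
Get-AdfsRelyingPartyTrust -Name "Passwork SP" |
    Select-Object -ExpandProperty SamlEndpoints |
    Format-Table Protocol, Binding, Location
```

Because the NameID format is transient, the value changes per session; Passwork recognises the user through the `emailaddress` and `displayname` attributes it maps in its SSO settings, so both must be issued by the AttributeStatement rule.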