Configuring SSO with AD FS
The following values are used as examples in this guide:

- ssotest.passwork.org: server name for AD FS
- passwork.passwork.org: server name for Passwork

AD FS configuration

Open the AD FS Management console and check the settings by clicking "Edit Federation Service Properties". Make sure that the fields on the General tab correspond to the names in the DNS record and the name in the certificate. The address in the "Federation Service identifier" field will also be used when configuring SSO (SAML 2.0) on the Passwork side.

In AD FS Management, open Service → Certificates, select the certificate listed under Token-signing, and export it in Base64 format. The contents of this certificate will need to be pasted into the SSO settings.

Relying Party Trust settings

In the AD FS Management console, click Relying Party Trusts and select "Add Relying Party Trust". Perform the following steps:

1. Select "Claims aware" and click Start.
2. Select "Enter data about the relying party manually" and click Next.
3. Enter a display name and click Next.
4. Click Next to accept the defaults in the Configure Certificate step.
5. Select "Enable support for the SAML 2.0 WebSSO protocol", enter the Relying party SAML 2.0 SSO service URL (https://passwork.passwork.org/sso/acs) and click Next.
6. In "Relying party trust identifier", enter https://passwork.passwork.org/sso/metadata, click Add, then click Next.
7. In the "Choose Access Control Policy" section, click Next.
8. In the "Ready to Add Trust" section, click Next.
9. Click Close.
10. Open the Properties of your Relying Party Trust.
11. Select the Endpoints tab and click "Add SAML".
12. Select "SAML Logout" as the endpoint type.
13. Enter https://passwork.passwork.org/sso/sls in the Trusted URL field.
14. Click OK, then OK again.

Claim Issuance Policy settings

In the AD FS Management console, click Relying Party Trusts and select "Edit Claim Issuance Policy". Perform the following steps:

1. Click "Add Rule" and select "Send LDAP Attributes as Claims" in the Claim rule template dropdown menu. Click Next.
2. Choose the LDAP attribute from the attribute store that contains the User Principal Name and map it to the UPN outgoing claim type.
3. Create a second rule by choosing "Transform an Incoming Claim" in the Claim rule template dropdown menu. Select UPN as the incoming claim type and Name ID as the outgoing claim type.

Configuring SSO in Passwork

In the Passwork server web interface, enter the required information and paste the contents of the certificate file you exported earlier into the Certificate field.

Adding the sso.php file

Adding this file changes the SSO behavior to what is required for compatibility with AD FS. Create a file with the following name:

<path to passwork>/app/config/sso.php

Place the following content in the created file:

```php
<?php
return [
    'sp' => [
        'entityId' => "https://passwork.passwork.org/sso/metadata",
        'assertionConsumerService' => [
            'url' => "https://passwork.passwork.org/sso/acs",
        ],
        'singleLogoutService' => [
            'url' => "https://passwork.passwork.org/sso/sls",
        ],
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    ],
];
```

The installation is complete. You may need to restart the server or the AD FS service.

To avoid errors related to certificates, you can use the following PowerShell commands:

```powershell
Set-AdfsRelyingPartyTrust -TargetName "<Relying Party Name>" -SigningCertificateRevocationCheck "None"
Set-AdfsRelyingPartyTrust -TargetName "<Relying Party Name>" -EncryptionCertificateRevocationCheck "None"
```
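The AD FS side of the procedure above (token-signing certificate export, relying party trust with both SAML endpoints, the two claim rules, and a read-back check of the result) can also be scripted with the AD FS PowerShell module. The script below is an added example, not part of the Passwork guide or of Passwork's own tooling. It uses the two hostnames from the guide and assumes a display name of "Passwork", the AD FS default access control policy "Permit everyone" (which the guide's "click Next" in the access control step accepts), and that the issued Name ID should carry the transient format to match the NameIDFormat in sso.php; the final section reports the revocation-check settings so the effect of the two Set-AdfsRelyingPartyTrust commands is visible.

```powershell
# Added example: scripts the AD FS steps of the guide and verifies the result.
# Assumed values: display name "Passwork", access control policy "Permit everyone",
# transient Name ID format. Run in an elevated PowerShell on the AD FS server.
#Requires -Modules ADFS

$PassworkHost = "passwork.passwork.org"                 # Passwork server name (from the guide)
$Acs          = "https://$PassworkHost/sso/acs"         # Assertion Consumer Service URL
$Sls          = "https://$PassworkHost/sso/sls"         # Single Logout Service URL
$EntityId     = "https://$PassworkHost/sso/metadata"    # relying party trust identifier
$TrustName    = "Passwork"                              # assumed display name

# 1. Export the primary token-signing certificate as Base64 (PEM). This is the
#    text that is pasted into the Certificate field of the Passwork SSO settings.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($signing.Certificate.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:TEMP\adfs-token-signing.cer" -Value $pem
"Token-signing certificate $($signing.Thumbprint) expires $($signing.Certificate.NotAfter)"

# 2. The two endpoints the GUI steps configure: ACS (POST binding) and SAML Logout.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $Acs -Index 0
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $Sls
)

# 3. Claim rules equivalent to the two GUI rules: LDAP userPrincipalName -> UPN,
#    then UPN -> Name ID. The nameid-format property is an assumption made here
#    so that the issued Name ID matches the 'transient' NameIDFormat in sso.php.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $EntityId `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName "Permit everyone"

# 4. Read the trust back and compare it with what sso.php on the Passwork side expects.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$uris  = $trust.SamlEndpoints | ForEach-Object { $_.Location.AbsoluteUri }
$checks = [ordered]@{
    "identifier matches entityId"  = $trust.Identifier -contains $EntityId
    "ACS endpoint present"         = $uris -contains $Acs
    "SLS endpoint present"         = $uris -contains $Sls
    "all endpoints use https"      = @($uris | Where-Object { $_ -notlike 'https://*' }).Count -eq 0
    "signing cert revocation"      = $trust.SigningCertificateRevocationCheck
    "encryption cert revocation"   = $trust.EncryptionCertificateRevocationCheck
}
$checks.GetEnumerator() | ForEach-Object { "{0,-30} {1}" -f $_.Key, $_.Value }
```

The read-back section is the part worth keeping after the one-time setup: running it again after any change to the trust confirms that the identifier and the two endpoints still agree with the values in sso.php and that both endpoints remain HTTPS, and it shows the current revocation-check mode for the signing and encryption certificates.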