
Configure your AD FS server

Created by j.moore, last updated 01 May 2020

This article outlines the process of configuring AD FS on your Windows server to add the relying party trust and claim rules that Contensis needs to integrate with your organisation's single sign-on service.

Add the relying party trusts

  1. Open the AD FS Management console, click Add Relying Party Trust in the Actions pane and press Start on the wizard introduction page.
[Image: The AD FS Welcome screen]
  2. Select Enter data about the relying party manually.
[Image: The AD FS data source setup screen]
  3. Enter a Display name, e.g. Contensis, and press Next.
[Image: The AD FS display name setup screen]
  4. Select AD FS Profile.
[Image: The AD FS profile setup screen]
  5. Skip the Configure Certificate step by pressing Next (token encryption certificates are not supported by Contensis).
[Image: The AD FS configure certificate screen]
  6. Select Enable support for the WS-Federation Passive protocol, enter your CMS address with /authenticate/ appended to the end, and press Next.

e.g. https://cms-customername.cloud.contensis.com/authenticate/

Please make sure you include the trailing slash; without it the AD FS integration will not work.

Note: Contensis must be available over https; non-https will not work.

[Image: The AD FS configure URL screen]
  7. Double check that the CMS address is correct in the Relying party trust identifiers and then click Next.
[Image: The AD FS configure identifiers screen]
  8. Leave the default option of I do not want to configure multi-factor authentication settings for this relying party trust at this time selected. If you wish to configure multi-factor authentication, select the second option. Multi-factor authentication is outside the scope of this article.
[Image: The AD FS configure multi-factor authentication screen]
  9. Select Permit all users to access this relying party and press Next if you want to allow all Active Directory users to log in to Contensis. Alternatively, select Deny all users access to this relying party if you want to allow specific users later.
[Image: The AD FS issuance authorisation rules screen]
 10. You don't need to change anything in the Ready to Add Trust step. Press Next.
[Image: The AD FS trust review settings screen]
 11. Select the Open the Edit Claim rules dialog for this relying party trust when the wizard closes checkbox and press Close.
[Image: The AD FS finish setup screen]

Configure claim rules

  1. The Edit Claim Rules window should open automatically after adding the relying party trust. Press Add Rule… to create a new rule.
[Image: The AD FS edit claim rules screen]
  2. Select Send LDAP Attributes as Claims from the Claim rule template list.
[Image: The AD FS choose rule type screen]
  3. Enter a Claim rule name, e.g. Contensis claims.
  4. Select Active Directory as the Attribute store.
  5. As a minimum, map the LDAP attributes outlined in the table below and press Next.

LDAP attribute         Outgoing claim type
User-Principal-Name    UPN
E-Mail-Addresses       E-Mail Address
SAM-Account-Name       Name
SAM-Account-Name       Name ID

[Image: The AD FS edit rule screen]

If you want to populate the user's first name and surname, you can also map the following LDAP attributes.

LDAP attribute         Outgoing claim type
Given-Name             Given Name
Surname                Surname

You can also configure Contensis to automatically create the groups a user is a member of when that user first logs in. To enable this you need to map the following LDAP attribute.

LDAP attribute         Outgoing claim type
Is-Member-Of-DL        Group

  6. You'll now see the claim listed. Press Add Rule… to add another claim.
[Image: The AD FS added rules list]
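The same relying party trust and claim rules can be created without the wizard using the AD FS PowerShell module. This is an added example, not part of the Contensis documentation; the CMS address is a placeholder, and the rule text is the claim rule language that the Permit all users and Send LDAP Attributes as Claims templates generate for the mappings in the tables above (Is-Member-Of-DL is the memberOf attribute).

```powershell
# Added example (not from the Contensis docs). Run in an elevated PowerShell
# session on the AD FS server. Placeholder address: keep https and the
# trailing slash, both of which the integration requires.
$cmsUrl = "https://cms-customername.cloud.contensis.com/authenticate/"

# Issuance authorization rule equivalent to "Permit all users to access this
# relying party". Swap for a group-based rule if only specific users may log in.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rule equivalent to "Send LDAP Attributes as Claims" with
# the mandatory mappings (UPN, E-Mail Address, Name, Name ID), the optional
# Given Name / Surname, and the Group claim. Attribute order in the query
# matches the order of the outgoing claim types.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Contensis claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
             "http://schemas.xmlsoap.org/claims/Group"),
    query = ";userPrincipalName,mail,sAMAccountName,sAMAccountName,givenName,sn,memberOf;{0}",
    param = c.Value);
'@

# Create the trust: the identifier and the WS-Federation passive endpoint are
# both the CMS /authenticate/ address, as in the wizard.
Add-AdfsRelyingPartyTrust -Name "Contensis" `
    -Identifier $cmsUrl `
    -WSFedEndpoint $cmsUrl `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check the result; both values must end with the trailing slash.
Get-AdfsRelyingPartyTrust -Name "Contensis" |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled
```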