In this article, we will look at how to set up AD FS so that it can be used as an external identity provider for Subscription Manager, allowing single sign-on capability between AD FS and Subscription Manager.

Follow the steps below:


1. Navigate to the location in IIS where Subscription Manager was installed.

You can right-click on the application name in IIS and choose “Explore“.

2. Open the web.config file.

3. Scroll down to the “xmpro” section.

It might be encrypted, which will require you to decrypt it first. For instructions, please refer to the How to encrypt and decrypt a web.config file Knowledge Base article.

4. Under the “identityProviders” element, add a new element called “adfs”.

5. Specify the metadata address of your AD FS, as per the image below:

Set the correct URL for the metadataAddress value. An example of how the URL might look is ““.

Verify your URL by browsing to it in a browser.

6. Copy the “baseUrl” value in the web.config - you will need it later in this guide.

Warning: you will use this value to create a relying party trust between the Subscription Manager application and AD FS

Server Manager

1. Log on to your AD FS server and go to Tools –> AD FS Management

Relying Party Trust

2. Click Add Relying Party Trust

3. Select Claims aware and click Start

4. Select Enter data about the relying party manually and click Next

5. Choose a display name and click Next and Next again

6. Select Enable support for the WS-Federation Passive protocol, add the URL and click Next

This is the base URL you copied from the web.config file.

7. Add the identifier for the application. Use the URL for Subscription Manager

8. Add the URL and click Next

9. Choose an access control policy and click Next. Continue to the last screen

For this article, we are going to choose Permit everyone

Claims Issuance Policy

10. Select Configure claims issuance policy for this application and finish

11. In the AD FS Management window, click Edit Claim Issuance Policy… and click Add Rule

12. In the Claim rule template drop-down, select Send LDAP Attributes as Claims and click Next

13. Choose a name for the rule and map the claims

Login to Subscription Manager using AD FS

Now you should be ready. If you navigate to the Subscription Manager application, you will see the AD FS login option. Log in with your AD FS credentials.

You will be asked to link your account when you sign in for the first time. If so, fill in your information and click Link Account

Last updated