SSO - ADFS
In this article, we will look at how to set up AD FS so that it can be used as an external identity provider for Subscription Manager, allowing single sign-on capability between AD FS and Subscription Manager.
Follow the steps below:
IIS
1. Navigate to the location in IIS where Subscription Manager was installed.

2. Open the web.config file.

3. Scroll down to the “xmpro” section.
4. Under the “identityProviders” element, add a new element called “adfs”.
5. Specify the metadata address of your AD FS, as per the image below:

6. Copy the “baseUrl” value in the web.config - you will need it later in this guide.

Warning: You will use this value to create a relying party trust between the Subscription Manager application and AD FS.
Server Manager
1. Log on to your AD FS server and go to Tools –> AD FS Management

Relying Party Trust
2. Click Add Relying Party Trust

3. Select Claims aware and click Start

4. Select Enter data about the relying party manually and click Next

5. Choose a display name and click Next and Next again

6. Select Enable support for the WS-Federation Passive protocol, add the URL and click Next

7. Add the identifier for the application. Use the URL for Subscription Manager
8. Add the URL and click Next

9. Choose an access control policy and click Next. Continue to the last screen

Claims Issuance Policy
10. Select Configure claims issuance policy for this application and finish

11. In the AD FS Management window, click Edit Claim Issuance Policy… and click Add Rule

12. In the Claim rule template drop-down, select Send LDAP Attributes as Claims and click Next

13. Choose a name for the rule and map the claims
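
Steps 2 to 13 can also be scripted with the AD FS PowerShell module, which makes the trust repeatable and easy to review. This is an added example, not part of the original guide or the product's own tooling; the URL, display name, access control policy and the three LDAP attribute mappings are assumptions to replace with the values you use in the wizard.

```powershell
# Added example: scripted equivalent of steps 2-13. Run in an elevated
# PowerShell session on the AD FS server. All values below are placeholders.
$BaseUrl      = 'https://sm.example.com/'   # placeholder: the "baseUrl" copied from web.config
$DisplayName  = 'Subscription Manager'      # placeholder display name (step 5)
$AccessPolicy = 'Permit everyone'           # assumption: use the policy you chose in step 9

# WS-Federation passive delivers the issued token to this URL through the
# browser, so refuse anything that is not HTTPS.
$uri = [Uri]$BaseUrl
if ($uri.Scheme -ne 'https') { throw "baseUrl must be HTTPS: $BaseUrl" }

# "Send LDAP Attributes as Claims" rule (steps 12-13). The attribute-to-claim
# mapping here (mail, givenName, sn) is an assumption; match your own mapping.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Subscription Manager LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Do not silently overwrite or duplicate an existing trust.
if (Get-AdfsRelyingPartyTrust -Name $DisplayName) {
    throw "A relying party trust named '$DisplayName' already exists."
}

# Claims-aware trust with the WS-Federation passive endpoint (steps 3-10).
# Assumption: identifier and endpoint are both the baseUrl value.
Add-AdfsRelyingPartyTrust -Name $DisplayName -Identifier $BaseUrl `
    -WSFedEndpoint $uri -AccessControlPolicyName $AccessPolicy `
    -IssuanceTransformRules $Rules

# Read the trust back and confirm what AD FS actually stored.
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
$rp | Format-List Name, Enabled, Identifier, WSFedEndpoint, AccessControlPolicyName
if ($rp.Identifier -notcontains $BaseUrl) {
    Write-Warning 'Identifier does not match baseUrl.'
}
if ("$($rp.WSFedEndpoint)" -ne "$uri") {
    Write-Warning 'WS-Federation endpoint does not match baseUrl.'
}
```

The read-back at the end is also useful on its own after using the wizard: an identifier or endpoint that differs from the “baseUrl” in web.config is the usual reason the login redirect fails.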


Login to Subscription Manager using AD FS
Now you should be ready. If you navigate to the Subscription Manager application, you will see the AD FS login option. Log in with your AD FS credentials.

