In this article, we will look at how to set up AD FS so that it can be used as an external identity provider for Subscription Manager, allowing single sign-on capability between AD FS and Subscription Manager.
Follow the steps below:


1. Open the location in IIS where Subscription Manager was installed.
You can right-click on the application name in IIS and choose “Explore“.
2. Open the web.config file using a text editor such as Notepad or Notepad++.
3. Scroll down to the “xmpro” section.
It might be encrypted, which will require you to decrypt it first. For instructions, please refer to the How to encrypt and decrypt a web.config file Knowledge Base article.
4. Under the “identityProviders” tag, add a new item called “adfs”.
5. Specify the metadata address of your AD FS, as per the image below:
Set the correct URL for the metadataAddress value. An example of how the URL might look is ““.
Verify your URL by browsing to it in a browser.
6. Copy the “baseUrl” value in the web.config
Warning: you will use this value to create a relying party trust between the Subscription Manager application and AD FS

Server Manager

1. Log on to your AD FS server and go to Tools –> AD FS Management

Relying Party Trust

2. Click Add Relying Party Trust
3. Select Claims aware and click Start
4. Select Enter data about the relying party manually and click Next
5. Choose a display name and click Next and Next again
6. Select Enable support for the WS-Federation Passive protocol, add the URL and click Next
This is the base URL you copied from the web.config file.
7. Add the identifier for the application. Use the URL for Subscription Manager
8. Add the URL and click Next
9. Choose an access control policy and click Next. Continue to the last screen
For this article, we are going to choose Permit everyone

Claims Issuance Policy

10. Select Configure claims issuance policy for this application and finish
11. In the AD FS Management window, click Edit Claim Issuance Policy… and click Add Rule
12. In the Claim rule template drop-down, select Send LDAP Attributes as Claims and click Next
13. Choose a name for the rule and map the claims

Login to Subscription Manager using AD FS

Now you should be ready. If you navigate to the Subscription Manager application, you will see the AD FS login option. Log in with your AD FS credentials.
You will be asked to link your account when you sign in for the first time. If so, fill in your information and click Link Account