EasySSO Configuration

  1. Open EasySSO and select SAML
  2. On the SAML configuration screen make sure Enable SAML is ticked
  3. Click the Certificates tab
    1. Add the IdP Metadata URL for the ADFS server (the standard URL ends with federationmetadata/2007-06/federationmetadata.xml)
    2. Click Load Certificate
  4. On the Certificates page:
    1. Generate the SP Signing certificate
  5. Click "Save"
  6. On the General page:
    1. Set the Login Binding Type to "POST"
    2. Set the POST Binding URL to the ADFS endpoint https://<yourADFSServer>/adfs/ls/
    3. Make sure Sign SP Login Request is ticked
  7. On the General page:
    1. Set Logout Binding Type to "POST"
    2. Enable Sign SP Logout request
    3. Enable Sign SP Logout response
    4. Enable Verify Logout Request Signature
    5. Enable Verify Logout Response Signature
  8. On the General page:
    1. Configure settings for "New Users" (first-time login from the SAML provider)
    2. Configure settings for "Existing Users" (users who have previously logged in)
    3. Configure default groups so that logged-in users are provisioned with the correct groups and permissions
  9. Save settings
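
The following script is an added example; it is not part of the EasySSO documentation and not EasySSO's or the ADFS tooling's own code. It reads the same federation metadata document that the "Load Certificate" step (3.1) fetches and prints what a practitioner wants to cross-check before saving: the IdP entity ID, the token-signing certificate(s) with their validity window, and the HTTP-POST SingleSignOnService location that goes into "POST Binding URL" (6.2). The metadata URL with <yourADFSServer> is a placeholder to replace with your own host.

```powershell
# Added example, not from the EasySSO or ADFS documentation.
# Fetches ADFS federation metadata and reports the values EasySSO's SAML
# configuration depends on. Read-only: nothing on ADFS or EasySSO is changed.
param(
    # Placeholder: replace <yourADFSServer> with the ADFS host name.
    [string]$MetadataUrl = 'https://<yourADFSServer>/FederationMetadata/2007-06/FederationMetadata.xml'
)

$ErrorActionPreference = 'Stop'

# Invoke-WebRequest validates the ADFS host's TLS certificate by default; keep
# it that way, because a tampered metadata document would hand EasySSO an
# attacker-chosen IdP signing key.
$response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

# SAML metadata is namespaced XML, so XPath needs a namespace manager.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$idp = $metadata.SelectSingleNode('//md:IDPSSODescriptor', $ns)
if (-not $idp) { throw "No IDPSSODescriptor found at $MetadataUrl" }

# Entity ID: the Issuer value EasySSO will see in assertions from this IdP.
Write-Output ("EntityID: {0}" -f $metadata.DocumentElement.GetAttribute('entityID'))

# Signing certificates. During a token-signing certificate rollover ADFS
# publishes both the current and the next certificate, so loop over all.
$certNodes = $idp.SelectNodes('md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
if ($certNodes.Count -eq 0) { Write-Warning 'Metadata contains no signing KeyDescriptor' }
foreach ($node in $certNodes) {
    $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $now  = Get-Date
    $status = if ($cert.NotAfter -lt $now) { 'EXPIRED' }
              elseif ($cert.NotBefore -gt $now) { 'NOT YET VALID' }
              else { 'valid' }
    Write-Output ("Signing cert: {0}  thumbprint={1}  {2:yyyy-MM-dd} .. {3:yyyy-MM-dd}  [{4}]" -f
        $cert.Subject, $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter, $status)
}

# HTTP-POST SSO endpoint: the value for "POST Binding URL" in EasySSO (step 6.2).
$postBinding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
$sso = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$postBinding']", $ns)
if ($sso) {
    Write-Output ("POST Binding URL: {0}" -f $sso.GetAttribute('Location'))
} else {
    Write-Warning 'This IdP publishes no HTTP-POST SingleSignOnService endpoint'
}
```

Run it from any machine that can reach the ADFS metadata endpoint; if the signing certificate reported here does not match what EasySSO shows after "Load Certificate", the wrong metadata URL was configured or the certificate has since been rolled over.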

Export metadata.xml

  1. On the General page:
    1. Save the metadata.xml file to use later. The URL can also be used directly if your network is configured to allow it

Active Directory Federation Services

Inside Active Directory Federation Services

Create the Relying Party Trust

  1. Right click on Relying Party Trusts
  2. Click Add Relying Party Trust...
  3. On the trust party wizard Welcome page, click Start
  4. On the Select Data Source page
    1. Import the previously created metadata.xml file ("Import data about the relying party from a file"), or import from the URL if you have the URL of the metadata endpoint
    2. Click Next
  5. On the Specify Display Name page
    1. Set Display Name, for example "EasySSO for Jira"
    2. Click Next
  6. On the Configure Multi-factor Authentication Now? page
    1. Make sure 'I do not want to configure multi-factor authentication settings for this relying party trust at this time' is selected
    2. Click Next
  7. On the Access Control Policy page
    1. Make sure 'Permit all users to access this relying party' is selected
    2. Click Next
  8. On the Ready to Add Trust step
    1. Click Next
  9. On the Finish step
    1. Make sure 'Open the Edit Claim Rules dialog for this relying party trust when the wizard closes' is unticked
    2. Click Close
  10. Right click the Relying Party Trust just created
    1. Select Properties
  11. On Advanced tab
    1. Set Secure hash algorithm to SHA-1

Create the Claim Issuance Policy

  1. Right click the Relying Party Trust just created
    1. Click Edit Claim Issuance Policy
  2. On the Edit Claim Rules window
    1. Click Add Rule
  3. On the Choose Rule Type step
    1. Select Send LDAP Attributes as Claims
    2. Click Next
  4. On Configure Claim Rule step
    1. Set Claim Rule Name to 'EasySSO <Platform> Claims'
    2. Set Attribute Store to Active Directory
    3. Set Mapping of LDAP attributes to outgoing claim types
      1. Display Name → urn:oid:2.16.840.1.113730.3.1.241
      2. Email Addresses → urn:oid:0.9.2342.19200300.100.1.3
      3. UPN → urn:oid:0.9.2342.19200300.100.1.1
      4. UPN → Name ID
    4. Click Finish

Add session information transformation

  1. On the Edit Claim Rules window
    1. Click Add Rule
  2. On the Choose Rule Type step
    1. Set Claim rule template to "Transform an Incoming Claim"
    2. Click Next
  3. On Configure Claim Rule step
    1. Set Claim Rule Name "EasySSO Session information"
    2. For the claim values, choose to pass through all claim values
    3. Set Incoming claim type to UPN
    4. Set Outgoing claim type to Name ID
    5. Set Outgoing name ID format to UPN
  4. Click Finish
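
As an added example (not from the EasySSO documentation and not EasySSO's or Microsoft's own code), here are the two claim rules built through the wizard in the previous two sections, written in the ADFS claim rule language and applied with Set-AdfsRelyingPartyTrust so the result can be reviewed as text instead of through dialog boxes. Assumptions: the trust was given the display name 'EasySSO for Jira', and the wizard's "Display Name", "Email Addresses" and "UPN" entries correspond to the LDAP attributes displayName, mail and userPrincipalName. Run it in an elevated PowerShell session on the ADFS server.

```powershell
# Added example, not from the EasySSO or ADFS documentation.
# Applies the "Send LDAP Attributes as Claims" rule and the UPN -> Name ID
# transform rule to the relying party trust as claim rule language text.

# Assumption: the display name chosen in the trust wizard.
$TrustName = 'EasySSO for Jira'

# Rule 1: Send LDAP Attributes as Claims. The attribute list in the query
# string is in the same order as the outgoing claim types. Assumption: the
# LDAP attributes behind the wizard's Display Name / Email Addresses / UPN
# entries are displayName, mail and userPrincipalName.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "EasySSO Jira Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("urn:oid:2.16.840.1.113730.3.1.241",
                   "urn:oid:0.9.2342.19200300.100.1.3",
                   "urn:oid:0.9.2342.19200300.100.1.1",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";displayName,mail,userPrincipalName,userPrincipalName;{0}",
          param = c.Value);
'@

# Rule 2: Transform an Incoming Claim (UPN -> Name ID, outgoing name ID format
# UPN). The claimproperties/format property is what becomes the NameID Format
# attribute in the SAML assertion.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "EasySSO Session information"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
'@

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

# IssuanceTransformRules replaces the trust's whole rule set, so keep a copy
# of the current rules before overwriting them.
$backup = Join-Path $env:TEMP ("{0}-rules-{1:yyyyMMdd-HHmmss}.txt" -f ($TrustName -replace '[^\w]', '_'), (Get-Date))
Set-Content -Path $backup -Value ([string]$trust.IssuanceTransformRules)
Write-Output "Previous rules saved to $backup"

# Both rules are applied in one call, one rule after the other.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules ($ldapRule + "`r`n" + $nameIdRule)

# Print the rules ADFS now holds for the trust for review.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

Because the call replaces every issuance rule on the trust, any rule added by hand earlier is dropped; the backup file written first is what to restore from if that was not intended.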

Encrypted Assertions

EasySSO Service Provider side

  1. Open the EasySSO Admin page
  2. Click the SAML button to be taken to the SAML Admin configuration
  3. Check the 'Encrypt Assertions' check box
  4. Click the Save button at the bottom of the page to save the updated configuration
  5. Click the 'Certificates' tab
  6. Click the button to download the SP Certificate. The certificate is downloaded in CER format

ADFS server side

  1. Open your SAML Administration page
  2. Open the SAML Client configuration
  3. Upload the SP Certificate previously downloaded into the encrypted certificate section.

If you enable Encrypted Assertions, the following PowerShell script must be run on the ADFS server. It opens a picker listing the relying party trusts; select the EasySSO trust, and the script disables certificate revocation list (CRL) checking for that trust's signing and encryption certificates. This is needed because the certificate exists only on your EasySSO server, so ADFS has no CRL to consult for it.

# Lists every relying party trust, opens a picker (Out-GridView) and, for the
# trust you select, turns off revocation checking for both its signing and its
# encryption certificate. Only the selected trust is changed.
Get-ADFSRelyingPartyTrust | Select-Object Name,Identifier |
Out-GridView -Title "Select a relying party" -PassThru |
ForEach-Object { Set-AdfsRelyingPartyTrust -TargetIdentifier ([string] $_.Identifier) -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None }
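
The check below is an added example, not the script from this page and not EasySSO's or Microsoft's own tooling. It reads the relying party trust after the Encrypted Assertions and CRL steps and reports the settings a reviewer would want to confirm: encryption is on with a valid SP certificate, the revocation exception is scoped to this one trust, signed SAML requests are required (the ADFS-side counterpart of "Sign SP Login Request"), and every endpoint is HTTPS. It changes nothing. The trust display name 'EasySSO for Jira' is an assumption.

```powershell
# Added example, not from the EasySSO or ADFS documentation. Read-only review
# of one relying party trust's security-relevant settings.
param(
    # Assumption: the display name chosen in the trust wizard.
    [string]$TrustName = 'EasySSO for Jira'
)

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

$findings = New-Object System.Collections.Generic.List[string]
$now = Get-Date

# Encryption: EncryptClaims must be on and the SP encryption certificate (the
# CER downloaded from EasySSO's Certificates tab) must be present and valid.
if (-not $trust.EncryptClaims) {
    $findings.Add('EncryptClaims is off: assertions are sent as clear XML')
}
if ($null -eq $trust.EncryptionCertificate) {
    $findings.Add('No encryption certificate uploaded for this trust')
} elseif ($trust.EncryptionCertificate.NotAfter -lt $now) {
    $findings.Add("Encryption certificate expired on $($trust.EncryptionCertificate.NotAfter)")
}

# Revocation checking: the page's script sets both values to None because the
# SP certificate exists only on the EasySSO server and has no CRL. Print them
# so the exception is visible and known to apply to this trust only.
"SigningCertificateRevocationCheck    : {0}" -f $trust.SigningCertificateRevocationCheck
"EncryptionCertificateRevocationCheck : {0}" -f $trust.EncryptionCertificateRevocationCheck

# Signed requests: EasySSO signs its login request (step 6.3); ADFS only
# verifies that signature when SignedSamlRequestsRequired is on and the SP
# signing certificate is registered on the trust.
if (-not $trust.SignedSamlRequestsRequired) {
    $findings.Add('SignedSamlRequestsRequired is off: unsigned AuthnRequests are accepted')
}
if (-not $trust.RequestSigningCertificate) {
    $findings.Add('No request signing certificate registered, so SP request signatures cannot be verified')
}

# Signature algorithm ADFS uses on the assertion (the trust wizard's step 11
# sets SHA-1).
"SignatureAlgorithm                   : {0}" -f $trust.SignatureAlgorithm

# Endpoints: every SAML endpoint registered for the trust should be HTTPS.
foreach ($ep in $trust.SamlEndpoints) {
    "Endpoint {0} {1} -> {2}" -f $ep.Protocol, $ep.Binding, $ep.Location
    if ($ep.Location.Scheme -ne 'https') {
        $findings.Add("Endpoint $($ep.Location) is not HTTPS")
    }
}

if ($findings.Count -eq 0) {
    'No findings'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it after saving the EasySSO settings and the ADFS trust; an empty findings list together with the two revocation values reading None is the expected end state for this walkthrough.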

You've completed the configuration of EasySSO SAML with Active Directory Federation Services (ADFS)!

For more customisation options, check out EasySSO with SAML - Configuration.

Configuring Users

For users to successfully log in, they must also have permission to access the application. See EasySSO SAML JIT User Provisioning for more details.
