Connect Your App to ADFS

To connect your application to Microsoft's Active Directory Federation Services (ADFS), you will need to provide the following information to your ADFS administrator:

• Realm Identifier: urn:auth0:{yourTenant}

• Endpoint: https://{yourDomain}/login/callback or https://<YOUR CUSTOM DOMAIN>/login/callback, if you are using a custom domain.

You can use a script to to setup the connection or set it up manually.

Run the following two commands in the Windows PowerShell window.

(new-object Net.WebClient -property @{Encoding = [Text.Encoding]::UTF8}).DownloadString("https://raw.github.com/auth0/adfs-auth0/master/adfs.ps1") | iex

AddRelyingParty "urn:auth0:{yourTenant}" "https://{yourDomain}/login/callback"

For automated integration, this script uses the ADFS PowerShell SnapIn to create and configure a Relying Party that will issue, for the authenticated user, the following claims: email, upn, given name, and surname.

The script creates the Relying Party Trust on ADFS, as follows:

$realm = "urn:auth0:{yourTenant}";
$webAppEndpoint = "https://{yourDomain}/login/callback";
Add-PSSnapin Microsoft.Adfs.Powershell
Add-ADFSRelyingPartyTrust -Name $realm -Identifier $realm -WSFedEndpoint $webAppEndpoint
$rp = Get-ADFSRelyingPartyTrust -Name $realm

The script also creates rules to output the most common attributes, such as email, UPN, given name, or surname:

$rules = @'
@RuleName = "Store: ActiveDirectory -> Mail (ldap attribute: mail), Name (ldap attribute: displayName), Name ID (ldap attribute: userPrincipalName), GivenName (ldap attribute: givenName), Surname (ldap attribute: sn)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,displayName,userPrincipalName,givenName,sn;{0}", param = c.Value);
'@
Set-ADFSRelyingPartyTrust –TargetName $realm -IssuanceTransformRules $rules
$rSet = New-ADFSClaimRuleSet –ClaimRule '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Set-ADFSRelyingPartyTrust –TargetName $realm –IssuanceAuthorizationRules $rSet.ClaimRulesString

1. Open the ADFS Management Console.

2. On the right side of the console, click Add Relying Party Trust*

3. Click Start.

4. Select Enter data about the relying party manually, and click Next.

5. Type a name (such as {yourAppName}), and click Next.

6. Use the default (ADFS 2.0 profile), and click Next.

7. Use the default (no encryption certificate), and click Next.

8. Check Enable support for the WS-Federation..., and type this value in the textbox: https://{yourDomain}/login/callback,or if you are using a custom domain, use https://<YOUR CUSTOM DOMAIN>/login/callback

9. Click Next.

10. Add a Relying Party Trust identifier with this value: urn:auth0:{yourTenant}

11. Click Add, and then Next.

12. Leave the default Permit all users..., and click Next.

13. Click Next, and then Close.

1. If you're using Windows Server 2019, the Edit Claim Issuance Policy dialog box automatically opens when you finish the Add Relying Party Trust wizard. If you're using Windows 2012 or 2016, follow these steps:

   In Windows Server 2012	In Windows Server 2016
   In the Actions panel on the right side of the console, find the Relying Party Trust you just created. Beneath it, click Edit Claim Issuance Policy.	In the console tree, under ADFS, click Relying Party Trusts. On the right side of the console, find the Relying Party Trust you just created. Right-click it and click Edit Claim Issuance Policy.

2. In the Edit Claim Issuance Policy Window, under Issuance Transform Rules, click Add Rule....

3. Leave the default Send LDAP Attributes as Claims.

4. Give the rule a name that describes what it does.

5. Under Attribute Store, select Active Directory.

6. Select these mappings under Mapping of LDAP attributes to outgoing claim types, and click Finish.

   LDAP Attribute	Outgoing Claim Type
   E-Mail-Addresses	E-Mail Address
   Display-Name	Name
   User-Principal-Name	Name ID
   Given-Name	Given Name
   Surname	Surname

The mappings in the previous steps are the most commonly used, but if you need additional LDAP attributes with information about the user, you can add more claim mappings.

1. If you closed the window on the previous step, select Edit Claim Rules on the context menu for the Relying Party Trust you created, and edit the rule.

2. Create an additional row for every LDAP attribute you need, choosing the attribute name in the left column and desired claim type in the right column.

3. If the claim type you are looking for doesn't exist, you have two options:

   1. Type a namespace-qualified name for the new claim (for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department).

   2. Register a new claim type (under ADFS > Services > Claim Descriptions on the ADFS admin console), and use the claim name in the mapping. Auth0 uses the name part of the claim type (for example department in http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department) as the attribute name for the user profile.

Now that you have a working connection, the next step is to configure your application to use it. You can follow our step-by-step quickstarts or use our libraries and API.

• Get started with our Quickstarts

• Configure your application using our Lock login form

• Configure your application using our Auth0.js library and your own UI

• Use our Authentication API to authenticate