# Active Directory Federation Services

{% hint style="warning" %}
This article has been moved from its original location in the Admin Guide.
{% endhint %}

### Introduction <a href="#introduction" id="introduction"></a>

Active Directory Federation Services (ADFS) is a single sign-on (SSO) solution. It provides access to all integrated applications and systems with just your Active Directory (AD) credentials.

***

### Install the ADFS role <a href="#install-the-adfs-role" id="install-the-adfs-role"></a>

To install the ADFS role:

1. Open **Server Manager > Manage > Add Roles and Features**. The Add Roles and Features wizard is launched.
2. On the **Before you begin** page, click **Next**.
3. On the **Select installation type** page, select **Role-based or feature-based installation** and then click **Next**.
4. On the **Select destination server** page, click **Select a server from the server pool** and click **Next**.
5. On the **Select server roles** page, select **Active Directory Federation Services** and click **Next**.
6. On the confirmation page, click **Install.** The wizard displays the installation progress.
7. Verify the installed component and click **Close.**

***

### Configure the federation server <a href="#configure-the-federation-server" id="configure-the-federation-server"></a>

To configure the federation server:

1. On the **Server Manager Dashboard**, click the **Notifications** flag and then click **Configure the federation service** on the server. The Active Directory Federation Service Configuration Wizard is launched.
2. On the **Welcome** page, select **Create the first federation server in a federation server farm** and click **Next.**
3. On the **Connect to Active Directory Domain Services** page, specify an account with domain administrator rights for the Active Directory domain that this system is connected to and then click **Next**.
4. On the **Specify Service Properties** page, enter the following details before clicking **Next**:
   1. Browse to the location of the SSL certificate and import it.
   2. Enter a Federation Service Name. This is the same value provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).
   3. Enter a **Federation Service Display Name.**
5. On the **Specify Service Account** page, select **Use an existing domain user account** and click **Next**.
6. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**.
7. On the **Pre-requisite Checks** page, verify that all prerequisite checks were successfully completed and click **Configure.**
8. Review the results and check whether the configuration has been completed successfully on the **Results** page.

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FMb6zOS22xfKCRNzntWHz%252Fimage.png%3Falt%3Dmedia%26token%3D378d1542-029b-43d2-9fdf-28f949e48dea&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=3f570261&#x26;sv=2" alt=""><figcaption></figcaption></figure>
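The role installation and farm configuration above can also be scripted, which makes the certificate check in step 4 explicit. This PowerShell is an added example, not part of the original guide; the service name and display name are placeholders, and it assumes the SSL certificate is already imported into the `LocalMachine\My` store.

```powershell
# Added example: scripted equivalent of the two wizards described above.
# Placeholders (assumptions, not values from the guide):
$fsName    = 'adfs.example.com'       # Federation Service Name
$fsDisplay = 'Example Corp Sign-In'   # Federation Service Display Name

# Install the role (same result as the Add Roles and Features wizard).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Select the SSL certificate. It must name the federation service exactly,
# carry a private key, and still be valid. A wildcard certificate will not
# match this exact-name test and has to be selected by thumbprint instead.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $fsName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a private key covers '$fsName'."
}

# Existing domain user account for the service, plus a domain admin credential.
$svcCred   = Get-Credential -Message 'AD FS service account (existing domain user)'
$adminCred = Get-Credential -Message 'Domain administrator'

# First federation server in a new farm. Leaving out -SQLConnectionString
# makes AD FS use the Windows Internal Database, as chosen in step 6.
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName $fsDisplay `
    -ServiceAccountCredential $svcCred `
    -Credential $adminCred

# Confirm the host name and identifier the federation service now presents.
Get-AdfsProperties | Select-Object HostName, Identifier
```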

***

### Create a relying party <a href="#create-a-relying-party" id="create-a-relying-party"></a>

To create a relying party:

1. On the **Start** menu, click **Administrative Tools > AD FS Management**. The ADFS Management console is launched.
2. Click **Relying Party Trusts**. The wizard to add a relying party is launched.

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252F1eXx2C9e10ya4KqfNCu0%252Fimage.png%3Falt%3Dmedia%26token%3D07233fa7-5446-4cab-96e7-233958908127&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=1fc44b87&#x26;sv=2" alt=""><figcaption></figcaption></figure>
3. On the Add Relying Party Trusts Wizard, select **Claims Aware** and then click **Start**.
4. Under **Select Data Source**, select **Enter data about the relying party manually**.

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252F3xhISthjNNPtFG5AEBo0%252Fimage.png%3Falt%3Dmedia%26token%3D0d376b05-cf9f-4eef-83bc-a61902f7944a&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=7780393e&#x26;sv=2" alt=""><figcaption></figcaption></figure>
5. In the **Specify Display Name** field, enter **MangoApps Cloud Platform**.

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FrhKoCOUEtH2ddC3aFF2p%252Fimage.png%3Falt%3Dmedia%26token%3D97a55ac7-6a5b-4517-8471-1e308c8f87ee&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=eaed9320&#x26;sv=2" alt=""><figcaption></figcaption></figure>
6. In the **Configure URL** section, select **Enable Support for SAML 2.0 WebSSO Protocol** and enter **Relying party service URL** as <https://adfs.xxxx.com/adfs/> (example).

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FGpcOTrSKpTZbTFjAJyKD%252Fimage.png%3Falt%3Dmedia%26token%3D3025dc68-5241-455a-b8d2-cb2a79cbbde6&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=44af1bed&#x26;sv=2" alt=""><figcaption></figcaption></figure>
7. On the **Configure Identifiers** page, enter **Relying Party Trust Identifier** and click **Add.**

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252Fsb0wuinzPPj3RydhvEl4%252Fimage.png%3Falt%3Dmedia%26token%3Dc1338cb4-3923-4aa3-a660-149a5451251a&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=e2fd5851&#x26;sv=2" alt=""><figcaption></figcaption></figure>
8. Under **Choose Access Control Policy**, select **Permit everyone** and click **Next**.

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FMynnBDiMXIY9U1a0SN9Z%252Fimage.png%3Falt%3Dmedia%26token%3D621fb874-782d-44e0-bd1b-130211e01220&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=c47751a8&#x26;sv=2" alt=""><figcaption></figcaption></figure>
9. On the **Finish** page, select **Configure claims issuance policy for this application** and click **Close**. The Claim Issuance policy page is launched.
10. If the Claim Issuance Policy page does not open, open the AD FS Management snap-in, right-click the relying party trust, and select **Edit Claim Issuance Policy**.

***

### Create a new claim <a href="#create-a-new-claim" id="create-a-new-claim"></a>

1. Right-click **MangoApps Cloud** under **Relying Party Trusts** list and select **Edit Claim Issuance Policy** from the menu.
2. On the **Issuance Transform Rules** tab, click **Add Rule**.

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252Fz5266zTVK8AGNnyb9ch2%252Fimage.png%3Falt%3Dmedia%26token%3D0d2789da-7426-4c9d-bf88-13401104fde3&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=bf001188&#x26;sv=2" alt=""><figcaption></figcaption></figure>
3. Under **Select Rule Template**, set **Send LDAP attributes as Claims** as the rule template and click **Next**.

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252Fr0cYirJtDC5iM1IepqFg%252Fimage.png%3Falt%3Dmedia%26token%3D1c89f780-4a9f-4363-9da1-6c05461611ac&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=54779981&#x26;sv=2" alt=""><figcaption></figcaption></figure>
4. In the **Edit Rule** section, set the claim rule name as **LDAP Directory**.

   <figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252F27qVb5Fz5zXdp870kR9v%252Fimage.png%3Falt%3Dmedia%26token%3D9bc0ece5-ae51-4518-9409-3907d990519c&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=6071293b&#x26;sv=2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FvhN5uuyGQ6X64HJZ2wgJ%252Fimage.png%3Falt%3Dmedia%26token%3D3b967f60-0d6e-4ded-8cbd-7fe089d57a6f&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=269a2dc1&#x26;sv=2" alt=""><figcaption></figcaption></figure>

5. Enter the appropriate values in each field based on the descriptions provided below.

| Field                                              | Action                                 |
| -------------------------------------------------- | -------------------------------------- |
| **Claim rule name**                                | Enter a name for the claim rule.       |
| **Attribute store**                                | Select Active Directory from the list. |
| Mapping of LDAP attributes to outgoing claim types |                                        |
| **LDAP Attribute**                                 | Enter the outgoing claim type.         |
| **E-mail Addresses**                               | Enter the Name ID.                     |
| **E-mail Addresses**                               | Enter the e-mail address.              |
| **User-Principal-Name**                            | Enter the user name.                   |

Click **OK**.

***

### Create a custom rule <a href="#create-a-custom-rule" id="create-a-custom-rule"></a>

1. On the **Edit Claim Issuance Policy** window, under the **Issuance Transform Rules** tab, click **Add Rule**. The **Select Rule Template** page is displayed.
2. From the **Claim rule template list**, select **Transform an Incoming Claim** and click **Next**. The **Edit Rule – LDAP EMAIL** window is displayed.
3. Enter appropriate values based on the actions suggested for each field.
4. Click **Finish**.

***

### Add one consumer endpoint <a href="#add-one-consumer-endpoint" id="add-one-consumer-endpoint"></a>

![](https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FRLCu3j5nXniAiR5lri2N%252Fimage.png%3Falt%3Dmedia%26token%3D702001c5-c0d1-4cae-bd73-53710c2f4c50\&width=768\&dpr=4\&quality=100\&sign=76da0cb0\&sv=2)![](https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FRgDPFBAkpVbZ4W4k1ktp%252Fimage.png%3Falt%3Dmedia%26token%3Dec5ed71b-15d4-419a-a893-951d4d9934fd\&width=768\&dpr=4\&quality=100\&sign=b3f50066\&sv=2)
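The relying party trust, both claim rules and the consumer endpoint can be created in one step and then read back for verification. This PowerShell is an added example, not MangoApps' own script: `yourdomain` is a placeholder, the identifier, endpoint URL and POST binding are the values given in the FAQ on this page, and the UPN outgoing claim type and the e-mail NameID format are assumptions the guide does not specify.

```powershell
# Added example (not MangoApps' own script). 'yourdomain' is a placeholder.
$name   = 'MangoApps Cloud Platform'
$acsUrl = 'https://yourdomain.mangoapps.com/saml/consume'  # identifier and ACS URL per the FAQ

# Rule 1 pulls mail and UPN from AD; rule 2 transforms the e-mail claim into NameID.
# Assumed: the UPN outgoing claim type and the emailAddress NameID format.
$rules = @'
@RuleName = "LDAP Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "LDAP EMAIL"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Single assertion consumer endpoint, POST binding.
$acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name $name -Identifier $acsUrl -SamlEndpoint $acs `
    -IssuanceTransformRules $rules -AccessControlPolicyName 'Permit everyone'

# Read the trust back and check it against the values this guide specifies.
$rp = Get-AdfsRelyingPartyTrust -Name $name
$consumers = @($rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' })
$problems = @()
if ($rp.Identifier -notcontains $acsUrl) { $problems += 'identifier mismatch' }
if ($consumers.Count -ne 1)              { $problems += 'expected exactly one consumer endpoint' }
foreach ($e in $consumers) {
    if ($e.Binding -ne 'POST')           { $problems += "binding is $($e.Binding), not POST" }
    if ($e.Location.Scheme -ne 'https')  { $problems += "endpoint $($e.Location) is not HTTPS" }
    if ("$($e.Location)" -ne $acsUrl)    { $problems += "endpoint $($e.Location) differs from $acsUrl" }
}
if ($rp.IssuanceTransformRules -notmatch 'nameidentifier') { $problems += 'no NameID rule' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "Relying party '$name' matches the guide (policy: $($rp.AccessControlPolicyName))." }
```

The read-back section can be run on its own against an existing trust to confirm that the endpoint is still a single HTTPS POST consumer and that the NameID rule is present.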

***

### Configure the Single Sign-On settings <a href="#configure-the-single-sign-on-settings" id="configure-the-single-sign-on-settings"></a>

To configure the single sign-on settings, log in to the MangoApps admin console.

1. On the MangoApps Cloud Platform console, go to **Settings**.
2. Open the **Single Sign-On** tab and click **Edit**.
3. Enter appropriate attribute values based on the descriptions provided below for each field.
4. Click **Save**. After this configuration, SSO can be enabled for administrators and users.

***

### Enable SSO for Administrators <a href="#enable-sso-for-administrators" id="enable-sso-for-administrators"></a>

1. On the MangoApps Cloud Platform console, go to **Settings**.
2. On the Single Sign-On settings, click **Edit**. The Single Sign-On Settings page is displayed.
3. Select **Enable single sign-on for administrators**.
4. Click **Save**.

***

### FAQs <a href="#faqs" id="faqs"></a>

**What is the federation metadata address (hostname or URL) for Mango Apps?**

**Ans:** We do not have federation metadata published. You need to create a Relying Party Trust in your ADFS server and then put the metadata of your ADFS server in MA.

MA will read that metadata and configure it.

**What is the "Relying Party Identifier" used for MA?**

**Ans:** It should be "https\://\<yourdomain>.mangoapps.com/saml/consume".

**What is the SAML assertion consumer endpoint to be set?**

**Ans**: It should be "https\://\<yourdomain>.mangoapps.com/saml/consume" and binding should be "POST".

**What claim rules need to be set?**

**Ans:** You need to send the LDAP attribute "E-Mail Address" as the outgoing claim type "NameID" by transforming the incoming claim.


