Configure SSO with ADFS for 15Five

These steps configure Active Directory Federation Services (ADFS) to pass user attributes and a valid NameID to 15Five over SAML 2.0. Complete these steps on the ADFS side after you have configured the 15Five SAML settings.

Before You Begin

  • SAML SSO must already be enabled in 15Five with your subdomain and metadata saved.
  • You need admin access to your ADFS server to create and edit Relying Party Trust claim rules.

Steps

Configure claim rules to pass user attributes

  1. Open ADFS Management and navigate to Relying Party Trusts.
  2. Select your 15Five Relying Party Trust entry.
  3. Click Edit Claim Issuance Policy.
  4. Click Add Rule.
  5. Select Send LDAP Attributes as Claims as the rule template.
  6. Click Next.
  7. Name the rule and select Active Directory as the attribute store.
  8. Map the LDAP attribute E-Mail-Addresses to the outgoing claim type E-Mail Address.
  9. Map any additional required attributes (first name, last name, employee ID) to their corresponding outgoing claim types.
  10. Click Finish.

Configure the Transform rule for NameID

  1. Click Add Rule again in the same Edit Claim Issuance Policy dialog.
  2. Select Transform an Incoming Claim as the rule template.
  3. Click Next.
  4. Set Incoming claim type to E-Mail Address.
  5. Set Outgoing claim type to Name ID.
  6. Set Outgoing name ID format to urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
  7. Click Finish, then click OK to save all claim rules.
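The same two rules expressed in ADFS claim rule language and applied with the ADFS PowerShell module, followed by a check that NameID is issued only once. This is an added example, not configuration from the article or from 15Five; the trust name "15Five" and the LDAP attribute choice (mail, givenName, sn; the employee ID attribute is omitted because its claim type is 15Five-specific) are assumptions.

```powershell
# Added example (not from the article). Assumes the Relying Party Trust is
# named "15Five"; change $rpName to match the entry in ADFS Management.
# Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$rpName = "15Five"

# Rule 1: "Send LDAP Attributes as Claims" from the Active Directory store.
# mail -> E-Mail Address, givenName -> Given Name, sn -> Surname.
# NameID is deliberately NOT issued here; it comes only from Rule 2.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "15Five user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Rule 2: "Transform an Incoming Claim": E-Mail Address -> Name ID, transient format.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "15Five NameID from email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Replaces ALL existing issuance transform rules on the trust with these two.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule)

# Check: nameidentifier must be issued by exactly one rule, in transient format.
$rules = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
if (([regex]::Matches($rules, 'claims/nameidentifier')).Count -ne 1) {
    Write-Warning "NameID is issued by zero or several rules; it must come only from the Transform rule."
}
if ($rules -notmatch 'nameid-format:transient') {
    Write-Warning "Transient NameID format not found in the claim rules."
}
```

Export the current rules with Get-AdfsRelyingPartyTrust before running this, since Set-AdfsRelyingPartyTrust overwrites the whole issuance transform rule set.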

If Something Goes Wrong

Issue: No user attributes arrive in 15Five
  Check: Claim rules exist on the Relying Party Trust.
  Fix: Add the LDAP attribute mapping rule as described above; confirm Active Directory is the attribute store.

Issue: Attribute mismatch error on login
  Check: Transform rule for NameID is missing or uses the wrong format.
  Fix: Add the Transform rule and set the outgoing name ID format to urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

Issue: Email claim not passing
  Check: Outgoing claim type is not set to E-Mail Address.
  Fix: Edit the LDAP rule and confirm the mapping from E-Mail-Addresses to E-Mail Address.

Issue: NameID not recognized by 15Five
  Check: Email rule and Transform rule are both sending NameID.
  Fix: Remove NameID from the LDAP attribute rule; NameID must come only from the Transform rule.

Not Covered Here

This article covers ADFS claim rule configuration only — for 15Five-side SAML attribute mapping and SSO settings, see the primary SSO setup article.
