How to set up Single Sign On with ADFS

Verifying SSO using ADFS for Upkeep

Jason Visenberg avatar
Written by Jason Visenberg
Updated over a week ago

Available On: Business Plus

ADFS Settings

This document is to help verify the ADFS settings and the corresponding UpKeep settings after the wizard has completed.

Please see Setup SSO using ADFS for Upkeep for the initial setup process.

Relying Party Trust Settings

1 - Sign in to the server where ADFS is installed

2 - Open the ADFS management console and select Trust Relationships, then Relying Party Trusts in the left console tree.​​

3 - Right click on the UpKeep Relying Party Trust and choose Properties.​​​​​​

4 - Monitoring​​​​​: Monitoring should be empty.

5 - Identifiers​​

Relying party identifiers:

6 - Encryption​​​: Should be empty

7 - Signature​​​​: Should be empty.

8 - Accepted Claims: Should be empty.

9 - Organization​​​: Should be empty

10 - Endpoints
There should be 2 Endpoints here, one with Index 0 and one with Index 1. Select Endpoint with the Index 0 and click Edit.​​​​​

Binding: POST
Set the trusted URL as default: Unchecked
Index: 0
Trusted URL: This URL will come from your UpKeep SAML Authentication settings page.

Click OK to return the Endpoints listing. Select Endpoint with Index 1 and click Edit.

The setting will be the same as the first Endpoint except for the Index and Trusted URL.
Index: 1
Trusted URL:
Click OK to return to the Endpoints listing.

1 1- Proxy Endpoints​​​: Should be empty.

12 - Notes​​: Should be empty

13 - Advanced​​​: Ensure SHA-256 is selected

From the main ADFS console window under the Relying Party Trusts window, Right-Click on the UpKeep Relying Party Trust and select Edit Access Control Policy.​​​​​​

Ensure Permit everyone is selected.​​​

Click ok to return.

Transform Claim Rules Setup

Setting up a Transform Claim Rule is optional and won’t prevent the functionality of your SSO setup but it is recommended to facilitate the transfer of Active Directory attributes to UpKeep.

1 - From the main ADFS console window under the Relying Party Trusts window, Right-Click on the UpKeep Relying Party Trust and select Edit Claims Issuance Polic​​​y

2 - You see two Issuance Transform Rules such as below. ​​​Highlight the first rules and click Edit Rule

3 - E-Mail rule should match as below​​​

Claim Rule Name: E-mail
Attribute Store: Active Directory
LDAP Attribute: E-Mail-Addresses
Outgoing Claim Type: E-Mail Address
Click OK to return to the rules listing.

4 - Highlight the second rule.​​​ Click Edit Rule.

Claim rule name: NameID

Incoming claim type: E-mail Address or UPN (if UPN is in email format)
Outgoing claim type: Name ID
Outgoing name ID format: Email
Select Pass through all claim values
Click OK to return.

UpKeep SAML Settings

1 - Sign in to your UpKeep administration page ( Click Settings in the bottom left corner.

Select Authentication. Select Custom SAML 2.0, Configure.​​

2 - You will see the following screen​​​. Let’s deal with each section individually.

  • Unique Company Identifier​​: Enter an identifier that is unique to your company. This is case-sensitive.

Note: If you change this it will change your SSO Post Back URL (which is needed in Section A, Step 10)

  • SSO Post Back URL (Assertion Consumer Service URL)​​

This unique URL is used to connect to your on premise ADFS. This URL is needed in section A, Step 10 above.

  • SAML 2.0 Endpoint and Identity Provider Issuer

​​SAML 2.0 Endpoint is the amalgamation of your main ADFS URL (eg with the URL path of your SAML 2.0 Endpoint found in your ADFS management console. (The default should be /adfs/ls)​

Merging the main URL with the SAML 2.0 URL Path above would produce:

Identity Provider Issuer
From the ADFS management console, highlight Service in the navigation tree, right-click on Service, click Edit Federation Service Properties.

Enter the Federation Service identifier in the Identity Provider Issuer field.​​​​

  • Public certificate​​

This certificate is token signing certificate from the ADFS management console.

Browse to AD FS -> Service -> Certificates. Highlight the Token-signing certificate. Right-click, View Certificate.

Click the Details tab, Copy to File.​​

Export the certificate as Base-64 encoded X.509 (.CER).​​​

Paste the contents of this CER file (text file) into the public certificate field.

Did this answer your question?