
How do I enable an Active Directory Federation Service (ADFS) Single Sign-On integration?

ADFS (Active Directory Federation Services) is Microsoft's single sign-on service. It lets users authenticate with their Active Directory credentials to applications that live outside Active Directory, such as ContractSafe.


Follow these steps to enable an ADFS Single-Sign On integration with ContractSafe:

1) Log in to the application and click on Settings:

2) Click Security & Integrations:

3) Flip the toggle next to Single Sign-On to enable that feature:

Note: Your organization must be on the Professional Plan or higher to see this in your application Settings. See here for our pricing and feature info: ContractSafe Pricing

4) Click the Generate link and record that value for later use:

5) In the Email Identifier name field, type "emailaddress" in all lower case letters:

6) Enter the externally accessible Metadata URL of your ADFS server. With default ADFS settings it looks like this:
https://[Your ADFS server domain name]/federationmetadata/2007-06/federationmetadata.xml

7) Click Save at the very bottom of this window

8) On your ADFS server, open ADFS management

9) Head to Trusted Relationships and click Relying Party Trusts:

10) Click Add Relying Party Trusts:

11) Click Start:

12) Select the "Enter data about the relying party manually" radio button option and then click Next at the bottom:

13) Enter the Display Name: "ContractSafe" and click Next:

14) AD FS Profile should be selected here, then click Next:

15) Click Next again:

16) Check the box for "Enable support for the SAML 2.0 WebSSO protocol", enter the URL you received in Step 4 into this field, and then click Next.

17) Enter the URL from Step 4 in "Relying party trust identifier:" and then click Add and then click Next:

18) Select the appropriate radio button depending on whether you want to use your own Dual-Factor Authentication (DFA). In this example, we've chosen not to use DFA. Then click Next:

19) Select "Permit all users to access this relying party" and click Next:

20) Click Next again:

21) Leave "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" checked and click Close:

22) Click Add Rule...:

23) Make sure that "Send LDAP Attributes as Claims" is selected under "Claim rule template" and click Next:

24) Now set your claim rule name. We suggest something easily identifiable such as "ContractSafe". Then select "Active Directory" under "Attribute store:".

Under "Mapping of LDAP attributes to outgoing claim types", select your AD attribute from the drop-down list (Note: the value of this AD attribute must match the user's email address in ContractSafe).

Manually enter "Name ID" in the "Outgoing Claim Type" column. Then add a second row with the LDAP attribute "E-Mail-Addresses" and select "E-Mail Address" as its outgoing claim type. Then click Finish.

25) Click Apply:

26) Click OK:
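The same relying party trust that the wizard builds in steps 8 through 26 can be created from the ADFS PowerShell module, which is useful for repeatable deployments and for checking the result. This is an added example, not part of the ContractSafe article or ContractSafe's own tooling; the values in angle brackets are placeholders, and the claim rule assumes the AD "mail" attribute is the one you want sent as both Name ID and E-Mail Address (step 24 lets you pick a different attribute for Name ID).

```powershell
# Added example (not from the ContractSafe article): build the relying party
# trust from steps 8-26 with the ADFS PowerShell cmdlets. Run in an elevated
# PowerShell session on the ADFS server. Angle-bracket values are placeholders.

Import-Module ADFS

# Steps 4, 16 and 17: the URL generated in ContractSafe serves both as the
# SAML assertion consumer (ACS) endpoint and as the relying party identifier.
$contractSafeUrl = "<URL generated in Step 4>"   # placeholder

# Step 6: confirm the federation metadata URL is reachable before ContractSafe
# tries to fetch it. The path below is the ADFS default shown in the article.
$metadataUrl = "https://<Your ADFS server domain name>/federationmetadata/2007-06/federationmetadata.xml"
$meta = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($meta.StatusCode -ne 200 -or $meta.Content -notmatch "EntityDescriptor") {
    throw "Federation metadata not reachable at $metadataUrl"
}

# Step 16: SAML 2.0 WebSSO endpoint (HTTP-POST binding, assertion consumer).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $contractSafeUrl -Index 0

# Steps 22-24: the "Send LDAP Attributes as Claims" rule, written in the ADFS
# claim rule language the wizard generates. The AD 'mail' attribute (assumed
# here) is issued as Name ID and as E-Mail Address, which is what the
# "emailaddress" identifier from step 5 relies on.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ContractSafe"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail,mail;{0}", param = c.Value);
'@

# Step 19: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 10-21: create the trust with the SAML protocol profile.
Add-AdfsRelyingPartyTrust -Name "ContractSafe" `
    -Identifier $contractSafeUrl `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -ProtocolProfile SAML

# Verify: the trust exists, is enabled, and carries the expected identifier and ACS endpoint.
$rp = Get-AdfsRelyingPartyTrust -Name "ContractSafe"
$rp | Select-Object Name, Enabled, Identifier, @{ n = "AcsUri"; e = { $_.SamlEndpoints[0].Location } }
```

The authorization rule mirrors step 19 and lets every AD account sign in to ContractSafe; if only certain staff should have access, the "Permit or Deny Users Based on an Incoming Claim" template in the same Edit Claim Rules dialog restricts the trust to an AD group instead. The metadata check at the top catches the most common reason step 6 fails: the metadata endpoint is reachable internally but not from the internet.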

You should now be able to authenticate to ContractSafe via your ADFS server:


Login URL:

https://<ADFS Server URL>/adfs/ls/idpinitiatedsignon.aspx?loginToRp=<ADFS Identifier>

Sample URL:

https://adfs.contoso.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://app.contractsafe.com/saml2_auth/d4988c241d9d49cbb861a25412f943d8/acs/