Instructions for ADFS Single Sign On Setup

This article is an overview of the steps required to integrate ContractSafe with Active Directory Federation Services (AD FS). To set this up, you must have Account Manager access or above in ContractSafe.


1. Log into ContractSafe and go to Settings then click Settings.


2. Click Security & Integrations.


3. Turn on Single Sign-On.


4. Click Generate and record the generated value; you will need it in steps 16 and 17.



5. In the Email Identifier name field, enter "emailaddress". NOTE: this value is case sensitive.


6. Enter the externally accessible Metadata URL of your AD FS server. If default settings are used, it looks something like this: https://[Your ADFS server domain name]/federationmetadata/2007-06/federationmetadata.xml



7. Click Save at the bottom.

8. On your AD FS server, open AD FS Management.

9. Go to Trust Relationships > Relying Party Trusts.


10. Click Add Relying Party Trust.


11. Click Start.


12. Select the "Enter data about the relying party manually" radio button and then click Next >.


13. Enter the Display name: "ContractSafe" and click Next >.


14. Make sure AD FS Profile is selected, then click Next >.


15. Click Next >.


16. Check the check box for "Enable support for the SAML 2.0 WebSSO protocol", enter the URL recorded in step 4 into this field, then click Next >.


17. Enter the same URL from step 4 in "Relying party trust identifier:", click Add, and then click Next >.


18. Select the appropriate radio button depending on whether you want to use your own two-factor authentication. In this example I'm choosing not to use multi-factor authentication. Click Next >.


19. Select "Permit all users to access this relying party" and click Next >.


20. Click Next >.


21. Leave "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" checked and click Close.


22. Click Add Rule...


23. Make sure under "Claim rule template" that "Send LDAP Attributes as Claims" is selected then click Next >.


24. Set your claim rule name. We suggest using something easily identifiable like "Contract Safe". Select "Active Directory" under "Attribute store:". Then, under "Mapping of LDAP attributes to outgoing claim types", select your AD attribute from the drop-down (the value of this attribute in AD must match the user's e-mail address in ContractSafe) and manually enter "Name ID" in the "Outgoing Claim Type" column. Add a second row: for the LDAP attribute select E-Mail-Addresses, and for the outgoing claim type select E-Mail Address. Then click Finish.


25. Click Apply.


26. Click OK.


You should now be able to authenticate to ContractSafe via your ADFS server.

Login URL:

https://<ADFS Server URL>/adfs/ls/idpinitiatedsignon.aspx?loginToRp=<ADFS Identifier>

Sample URL:

https://adfs.contoso.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://app.contractsafe.com/saml2_auth/d4988c241d9d49cbb861a25412f943d8/acs/
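
Steps 8 to 26 can also be applied as a script, which leaves a reviewable record of exactly which claims are released to the relying party. The following is an added example, not ContractSafe's own code, using the AD FS PowerShell cmdlets. It assumes that the AD attribute chosen for Name ID is E-Mail-Addresses (`mail`) and that the wizard version is the one shown on this page; `$AcsUrl` is a placeholder for the value generated in step 4.

```powershell
# Added example: scripted equivalent of wizard steps 8-26.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Placeholder: paste the value generated in ContractSafe (step 4).
$AcsUrl = '<URL generated in step 4>'
if ($AcsUrl -notmatch '^https://') {
    throw 'Set $AcsUrl to the HTTPS URL generated in step 4 before running.'
}

# Step 16: SAML 2.0 WebSSO endpoint (assertion consumer service, POST binding).
$endpoint = New-AdfsSamlEndpoint -Binding 'POST' `
    -Protocol 'SAMLAssertionConsumer' -Uri $AcsUrl

# Steps 22-24: "Send LDAP Attributes as Claims" rule.
# Assumption: E-Mail-Addresses (mail) is the attribute used for Name ID.
# Change the first "mail" in the query if you map a different attribute.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Contract Safe"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail,mail;{0}", param = c.Value);
'@

# Step 19: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 10-21: create the relying party trust with the values above.
Add-AdfsRelyingPartyTrust -Name 'ContractSafe' `
    -Identifier $AcsUrl `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Review what was created: identifier, state and the claims being issued.
Get-AdfsRelyingPartyTrust -Name 'ContractSafe' |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules |
    Format-List
```

The final `Get-AdfsRelyingPartyTrust` output is worth keeping with your change record: it shows that only the Name ID and e-mail address claims are issued to this relying party.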