Topics

All topics

Configure ADFS (Active Directory Federation Services)

To use ADFS, perform the following: 

  1. Configure Sitefinity CMS. 
    1. Navigate to Administration » Settings » Advanced
    2. In the left pane, expand Authentication » SecurityTokenService » AuthenticationProviders » ADFS
    3. In Metadata Address filed, enter the ADFS Server address, concatenated by /federationmetadata/2007-06/federationmetadata.xml 
      For example, enter https://<your-ADFS-server.com>/federationmetadata/2007-06/federationmetadata.xml 
    4. In Wtrealm field, enter the identifier of the relying party that is to be configured in the ADFS server.
      For example, enter urn:sitefinity

      NOTE: In the ADFS configuration, the Wtrealm and the Relying party identifier must be the same.

    5. In Callback path field, set the property to /Sitefinity/signin-custom.
    6. Select the Enabled checkbox. 
    7. In Auto assigned roles, enter a comma-separated list of the roles that will be automatically assigned to users, when they register with this provider.
      For more information about using auto-assigned roles together with user groups, see Use external authentication providers with user groups.
    8. Save your changes.
  2. Configure the ADFS server.
    1. On the ADFS server machine, open the ADFS Management application.
    2. Add a new claims-based relying party for Sitefinity CMS.
      Enter the relying party data manually.
    3. Enable support for the WS-Federation Passive protocol.
    4. Add endpoint for the relying party in the following way:
      https://<your-sitefinity-website.com>.com/Sitefinity/signin-custom.
      This must match the callback path configured in Sitefinity.
    5. Enter the identifier of the relying party.
      It must be the same as the Wtrealm field, configured in Step 1.d.
      For example, urn:sitefinity.
    6. Close the Relying Party Trust window.
      The Edit Claim rules window appears.
  3. If the window does not appear, perform the following:
    1. In the ADFS Management console, navigate to Relying Party Trusts.
    2. Select the relying party for Sitefinity and click Edit Claims Issuance Policy.
      By default the list of claim rules is empty.
    3. Create a new claim rule of type Send LDAP Attributes as Claims.
    4. Select Active Directory as attribute store and fill out the following:
      • User Principal Name (UPN) to be equal to Name ID (identifier) - this is mandatory and unique identifier used by Sitefinity CMS.
      • E-Mail Addresses to be equal to E-Mail Address - this is mandatory and unique identifier.
      • Display-Name to be equal to Name – This claim, and other claims, are optional.

RESULT: Next time when the login screen is displayed, it will have a button that you can use to login with ADFS.
NEW TO SITEFINITY?

Want to learn more?

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?

Next article

Configure the OpenID Connect provider