Configure ADFS (Active Directory Federation Services)

To use ADFS, perform the following:

Configure Sitefinity CMS.
1. Navigate to Administration» Settings» Advanced.
2. In the left pane, expand Authentication» SecurityTokenService» AuthenticationProviders» ADFS.
3. In Metadata Address filed, enter the ADFS Server address, concatenated by /federationmetadata/2007-06/federationmetadata.xml
  For example, enter https://<your-ADFS-server.com>/federationmetadata/2007-06/federationmetadata.xml
4. In Wtrealm field, enter the identifier of the relying party that is to be configured in the ADFS server.
  For example, enter urn:sitefinity
  
  NOTE: In the ADFS configuration, the Wtrealm and the Relying party identifier must be the same.
5. In Callback pathfield, set the property to /Sitefinity/signin-custom.
6. Select the Enabled checkbox.
7. In Auto assigned roles, enter a comma-separated list of the roles that will be automatically assigned to users, when they register with this provider.
  For more information about using auto-assigned roles together with user groups, see Use external authentication providers with user groups.
8. Save your changes.
Configure the ADFS server.
1. On the ADFS server machine, open the ADFS Management application.
2. Add a new claims-based relying party for Sitefinity CMS.
  Enter the relying party data manually.
3. Enable support for the WS-Federation Passive protocol.
4. Add endpoint for the relying party in the following way:
  https://<your-sitefinity-website.com>.com/Sitefinity/signin-custom.
  This must match the callback path configured in Sitefinity.
5. Enter the identifier of the relying party.
  It must be the same as the Wtrealm field, configured in Step 1.d.
  For example, urn:sitefinity.
6. Close the Relying Party Trust window.
  The Edit Claim rules window appears.
If the window does not appear, perform the following:
1. In the ADFS Management console, navigate to Relying Party Trusts.
2. Select the relying party for Sitefinity and click Edit Claims Issuance Policy.
  By default the list of claim rules is empty.
3. Create a new claim rule of type Send LDAP Attributes as Claims.
4. Select Active Directory as attribute store and fill out the following:
  - User Principal Name (UPN) to be equal to Name ID (identifier) - this is mandatory and unique identifier used by Sitefinity CMS.
  - E-Mail Addresses to be equal to E-Mail Address - this is mandatory and unique identifier.
  - Display-Name to be equal to Name – This claim, and other claims, are optional.

RESULT: Next time when the login screen is displayed, it will have a button that you can use to login with ADFS.

Want to learn more?

Enhance your Sitefinity skills by enrolling in free training sessions. Become Sitefinity certified through Progress Education Community to strengthen your professional credentials.

Get started with Integration Hub | Sitefinity Cloud

This free lesson teaches administrators, marketers, and other business professionals how to use Sitefinity Integration Hub to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting your Sitefinity instance and your sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity ASP.NET Core and take advantage of its decoupled architecture and modern development model.