Single Sign-On: AD FS Configuration

AD FS installation and configuration

1. Download the AD FS 2.0 installer (AdfsSetup.exe) to your AD server. 

NOTE You will need to be an administrator on your AD server to perform this action.


2. Open the downloaded AdfsSetup.exe file to start the ADFS (Active Directory Federation Services) Installation Wizard.

3. On the Server Role screen select one of the options (you need at a minimum a Federation Server).

NOTE If you do not want to expose IIS on your AD server to the internet (ports 80 and 443 for HTTP and HTTPS), you can first set up a Federation Server behind the firewall, then build a second server in the perimeter network as a Federation Server Proxy. Only the proxy is reachable from the internet; it passes requests through the firewall to the Federation Server.

4. Once you complete the AD FS setup, check the Start the AD FS 2.0 Management snap-in tick-box, then click Finish.

Once this is completed, the AD FS 2.0 Management window should open right away. If not, open it from Start > Administrative Tools > AD FS 2.0 Management. This is the main AD FS control application.

5. Begin by clicking AD FS 2.0 Federation Server Configuration Wizard. This wizard configures the Federation Service, binds it to the SSL certificate and web site in IIS, and connects it to Active Directory.

6. If you are configuring a new AD FS server, select Create a new Federation Service option.

7. Select the Stand-alone federation server option (for testing and evaluation purposes).

NOTE For high availability and load balancing, choose the New federation server farm option instead.

8. Specify your Federation Service name.

By default the configuration wizard will retrieve the SSL certificate bound to the Default Web Site in IIS and will use the subject name specified there. If you use a wildcard certificate you will need to enter the Federation Service name.


If there is no SSL certificate configured in IIS, the configuration wizard searches the local computer certificate store for any valid certificates and lists them in the SSL certificate drop-down. If no certificates are found, you can use the Server Certificate Generator in IIS to create one. A self-signed certificate is fine for evaluation, but for production use a certificate issued by a CA that your clients (and ProofHQ) trust, with a subject name matching the Federation Service name.

9. Continue with the configuration, and click close once it is complete.


ProofHQ - Single Sign-On configuration

To configure Single Sign-On on the ProofHQ side, log in to your ProofHQ account and navigate to Account Settings > Single sign-on tab where you will see the configuration options.

NOTE You need to be an Administrator on the account to access the configuration pages.


1. SSO URL: Paste your Entity ID in this field, e.g., http://{}/adfs/services/trust. This is the entityID attribute of the EntityDescriptor element at the top of your Federation Metadata XML file. It deliberately uses http:// rather than https://: it is an identifier that names your AD FS as the issuer of SAML responses, not an address that is contacted, so copy it exactly as it appears in the metadata.

NOTE Federation Metadata is found in the AD FS 2.0 snap-in > Service > Endpoints folder. In the Metadata section locate the endpoint with the Federation Metadata type. To view the metadata, open this endpoint in your browser. You can also go to this link directly: https://{}/FederationMetadata/2007-06/FederationMetadata.xml after replacing the {} with your Federation Service name.

2. Login URL: Paste your SSO login URL in this field, e.g., https://{}/adfs/ls/. This is the Location of the SingleSignOnService element in the same Federation Metadata XML file. Unlike the Entity ID it is a real endpoint that browsers are redirected to, so it must use https.

3. Logout URL: Enter a link of the form https://{}/adfs/ls/?wa=wsignout1.0 in this field and save.

NOTE This step can also be completed after configuring the Relying Party Trust (see below) in your AD FS.

4. Certificate fingerprint: This field needs the thumbprint of your AD FS token-signing certificate. In the AD FS 2.0 snap-in navigate to Service > Certificates and, under Token-signing, right-click the certificate and select View Certificate.

On the Details tab of the certificate, select the Thumbprint field, copy its value, and paste it into the ProofHQ Single Sign-On configuration tab.

NOTE The fingerprint characters can be separated with colons or spaces, but we recommend removing these. Be aware that AD FS 2.0 by default uses a self-signed token-signing certificate that it renews automatically (the AutoCertificateRollover setting); when a new token-signing certificate becomes primary, the fingerprint in ProofHQ must be updated or logins will fail. If you have any troubles with your Single Sign-On configuration, please contact the Customer Support team.
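The four values above can be read straight out of the federation metadata instead of being copied by hand from the snap-in, which avoids the usual mistakes (pasting the token-decrypting certificate, or the http form of the login URL). The following PowerShell is an added example; it is not part of the ProofHQ article or of Microsoft's tooling. It assumes you have saved FederationMetadata.xml locally (the file path and the federation service name in the comments are placeholders), and the function name Get-ProofHqSsoSettings is our own.

```powershell
# Added example (not ProofHQ's or Microsoft's code): read the AD FS 2.0 federation
# metadata and return the values the ProofHQ Single sign-on tab asks for. Uses only
# features available in the PowerShell 2.0 that ships with Windows Server 2008 R2.
function Get-ProofHqSsoSettings {
    param(
        # Assumption: a saved copy of
        # https://<your federation service name>/FederationMetadata/2007-06/FederationMetadata.xml
        [Parameter(Mandatory = $true)][string]$MetadataPath
    )

    [xml]$md = Get-Content -Path $MetadataPath
    $entity = $md.EntityDescriptor          # root element; entityID attribute is the SSO URL
    $idp    = $entity.IDPSSODescriptor      # the SAML 2.0 identity-provider role of AD FS

    # Endpoint locations. AD FS publishes the same https://<fqdn>/adfs/ls/ path for
    # both the HTTP-Redirect and HTTP-POST bindings, so the first entry is sufficient.
    $sso = @($idp.SingleSignOnService)[0].Location
    $slo = @($idp.SingleLogoutService)[0].Location

    # Token-signing certificate: the KeyDescriptor with use="signing". The one with
    # use="encryption" is the token-decrypting certificate and must NOT go into ProofHQ.
    $signing = @($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' })[0]
    $b64     = $signing.KeyInfo.X509Data.X509Certificate
    $raw     = [Convert]::FromBase64String($b64)   # FromBase64String ignores embedded whitespace
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)

    New-Object PSObject -Property @{
        SsoUrl                 = $entity.entityID          # e.g. http://<fqdn>/adfs/services/trust
        LoginUrl               = $sso                      # e.g. https://<fqdn>/adfs/ls/
        LogoutUrl              = "${slo}?wa=wsignout1.0"   # the form used in the article
        CertificateFingerprint = $cert.Thumbprint          # SHA-1 hex, upper case, no separators
        CertificateNotAfter    = $cert.NotAfter            # after this date the fingerprint no longer matches
    }
}

# Usage (assumed paths and FQDN). Download the metadata from your own federation
# service over HTTPS first if you have not saved it yet:
# (New-Object Net.WebClient).DownloadFile(
#     "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
#     "C:\temp\FederationMetadata.xml")
# Get-ProofHqSsoSettings -MetadataPath "C:\temp\FederationMetadata.xml" | Format-List
```

Fetch the metadata yourself over HTTPS from the federation service rather than accepting a copy passed around by e-mail; the thumbprint you paste into ProofHQ is what ProofHQ will use to verify every SAML response, so it should come from a source you can vouch for. CertificateNotAfter tells you when the automatic rollover will invalidate the fingerprint.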

Relying Party Trust

Once the ProofHQ side is configured, you need to work in the Relying Party Trusts section in your AD FS. Navigate to Trust Relationships > Relying Party Trusts folder, and click Add a Relying Party Trust. This will start the configuration wizard. 

Select your data source - all metadata for your ProofHQ account is located under a link like this one: 

This will automatically configure most of the Relying Party Trust.

NOTE If you're having any troubles with establishing the connection from the URL, save the metadata as a file and choose to import data from a file.


NOTE When you have a full custom domain configured on your ProofHQ account, replace the whole "{yoursubdomain}" part of the metadata link with your own domain to create your ProofHQ metadata link.

Once your Relying Party Trust configuration is complete you may choose to Open the Edit Claim Rules dialog to complete the set up.


Claim rules

You will want to configure two claim rules for ProofHQ: E-mail and Name ID.

  • Navigate to the ProofHQ Relying Party Trust, and select the Edit Claim Rules option.
    The pop-up opens automatically if you selected this option at the end of configuring the trust.
  • Click on Add Rule to open the claim configuration window.


Please see the details for the Claim Rules below:

      • E-mail (Send LDAP Attributes as Claims rule template): attribute store Active Directory, LDAP attribute E-Mail-Addresses mapped to the outgoing claim type E-Mail Address.
      • NameID (Transform an Incoming Claim rule template): incoming claim type E-Mail Address, outgoing claim type Name ID, passing through the claim value. The outgoing name ID format is typically Email for e-mail based logins.
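The same trust and both claim rules can be created from the AD FS 2.0 PowerShell snap-in, which also shows exactly what the two rule templates generate. This is an added example, not part of the ProofHQ article or of Microsoft's documentation. The trust name "ProofHQ", the metadata file path and the choice of the SAML emailAddress Name ID format are assumptions to adjust; the metadata file is the one you saved from the ProofHQ metadata link described in the Relying Party Trust section.

```powershell
# Added example (not ProofHQ's or Microsoft's code): build the ProofHQ relying party
# trust and its two claim rules with the AD FS 2.0 PowerShell snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Assumptions: display name of the trust and the metadata you saved from your
# ProofHQ metadata link (same as "import data from a file" in the wizard).
$TrustName    = "ProofHQ"
$MetadataFile = "C:\temp\proofhq-metadata.xml"

# Rule 1, "Send LDAP Attributes as Claims": look up the user's mail attribute
# (E-Mail-Addresses in the wizard) in Active Directory and issue it as an
# E-Mail Address claim.
# Rule 2, "Transform an Incoming Claim": re-issue that E-Mail Address claim as the
# SAML Name ID. The emailAddress format is an assumption; use the one ProofHQ expects.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Without an issuance authorization rule AD FS denies every user. This is the rule the
# wizard writes when you choose "Permit all users to access this relying party";
# tighten it to a group-based rule once SSO works.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from the ProofHQ metadata, then attach both rule sets.
Add-ADFSRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile
Set-ADFSRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify: Identifier should equal the entityID from the ProofHQ metadata, and the
# rule text should now appear under Edit Claim Rules in the snap-in.
Get-ADFSRelyingPartyTrust -Name $TrustName | Format-List Name, Identifier, Enabled, IssuanceTransformRules
```

The two here-strings are the claim rule language that the E-mail and NameID templates produce, so you can compare them line by line with what the wizard generates. A user whose Active Directory mail attribute is empty gets no E-Mail Address claim and therefore no Name ID, and the login to ProofHQ fails; check that attribute first when one user cannot sign in while others can.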
This article last updated on 2018-07-12 19:02:54 UTC