# Single Sign-on with Microsoft ADFS

Platform9 supports Single Sign On with Microsoft Active Directory Federation Services (ADFS). This tutorial describes the procedure for configuring ADFS as a SAML Identity Provider in Platform9 Managed OpenStack.

## Prerequisites

The following components must be installed and properly configured before you attempt Platform9 SSO integration with ADFS.

* Windows Server
* Active Directory
* Active Directory Federation Services

### Step 1. Create Relying Party Trust

1\. Open the ADFS management console.

2\. Click on the top level folder **(ADFS 2.0)** and click **Add Relying Party Trust** from the Actions menu.

3\. Click **Start** to begin configuring a Relying Party Trust.

4\. Choose to **Import data about the relying party published online or on a local network**. Then click **Next**.

5\. Enter the **Federation metadata address**. Then click **Next**.

Set it to:

{% tabs %}
{% tab title="None" %}

```none
https://<account fqdn>/Shibboleth.sso/Metadata
```

{% endtab %}
{% endtabs %}

6\. Optionally change the **Display name**. Then click **Next**.

7\. Choose **I do not want to configure multi-factor authentication settings for this relying party trust at this time.** Then click **Next**.

8\. Choose **Permit all users access to this relying party**. Then click **Next**.

Review the Relying Party Trust configuration and click **Next**. Leave the **Open the Edit Claim Rules dialog...** box checked and click **Close**.

### Step 2. Add Outgoing Claim Rules

Add **Outgoing Claim Rules** as needed. These attributes are added to the SAML Assertion Response and sent to the Platform9 environment via HTTP POST. They can be used to create mappings in OpenStack, which associate ADFS users with resources in OpenStack. At a minimum, the **FirstName** and **LastName** attributes of the user are needed.
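Steps 1 and 2 can also be scripted from an elevated PowerShell session on the ADFS server, which makes the trust and its claim rules reviewable and repeatable. This is an added example, not part of the original Platform9 procedure; the trust name, the rule name, and the choice of `givenName`/`sn` as the Active Directory source attributes are assumptions, as is emitting the claims under the literal type names `FirstName` and `LastName`.

```powershell
# Added example, not Platform9's own script.
# On AD FS 2.0 the cmdlets live in a snap-in that must be loaded first:
#   Add-PSSnapin Microsoft.Adfs.PowerShell

$AccountFqdn = '<account fqdn>'               # placeholder, same as in step 5
$TrustName   = 'Platform9 Managed OpenStack'  # assumed display name (step 6)

# Step 2: outgoing claim rule. Looks up the signed-in user in Active Directory
# and issues givenName and sn as FirstName and LastName (assumed claim names).
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Platform9 user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("FirstName", "LastName"), query = ";givenName,sn;{0}", param = c.Value);
'@

# Step 1, item 8: "Permit all users access to this relying party".
$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 1, items 4-5: import the relying party from its published metadata.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataUrl "https://$AccountFqdn/Shibboleth.sso/Metadata" `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Review what was created: identifier taken from the metadata and both rule sets.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Format-List Name, Identifier, Enabled, IssuanceTransformRules, IssuanceAuthorizationRules
```

Comparing the `Get-AdfsRelyingPartyTrust` output against this script later is a quick way to spot claim or authorization rules that were changed through the console.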

### Step 3. Complete remaining SSO setup instructions

Follow this [article](https://docs.platform9.com/managed-openstack/5.8/authentication-and-authorization/single-sign-on-sso) to complete your single sign-on configuration.

Please provide Platform9 with a copy of the ADFS metadata, or a publicly accessible URL where we can access the metadata, when requesting SSO to be enabled in your environment. The ADFS metadata can be found at:

{% tabs %}
{% tab title="None" %}

```none
https://<ADFS HOSTNAME>/FederationMetadata/2007-06/FederationMetadata.xml
```

{% endtab %}
{% endtabs %}
