Active Directory Federation Service

Configure Active Directory Federation Service (ADFS) as a SAML identity provider for single sign-on to FOSSA.

3 min readUpdated Jul 9, 2026

Overview

Active Directory Federation Service (ADFS) acts as a SAML 2.0 identity provider for FOSSA. To connect them, you create a Relying Party Trust for FOSSA in ADFS, map your Active Directory attributes to the claims FOSSA expects, then give FOSSA your ADFS sign-on URL and token-signing certificate.

Note

SAML single sign-on must be enabled for your organization before the settings below appear. SSO is a premium feature, contact your FOSSA account team to enable it.

Before you start, open FOSSA's authentication settings in another tab: go to Settings → Organization → Authentication. The Callback URL and Audience URI / SP Entity ID values there are needed while configuring ADFS.

Configuring the Relying Party Trust

  1. 1

    Open the AD FS Management console

    On your ADFS server, open Server Manager, then choose Tools → AD FS Management.

  2. 2

    Start the Add Relying Party Trust wizard

    Click Add Relying Party Trust to open the wizard. Select Claims aware and click Start, then choose to enter data about the relying party manually.

  3. 3

    Enable the SAML 2.0 WebSSO protocol

    Tick Enable support for the SAML 2.0 WebSSO protocol. In the box underneath, paste the Callback URL from FOSSA's Settings → Organization → Authentication page.

  4. 4

    Set the relying party trust identifier

    Add a relying party trust identifier that matches the Audience URI / SP Entity ID value shown on FOSSA's Authentication page.

    Warning

    The identifier must equal the Audience URI / SP Entity ID that FOSSA generates for your organization. Older setups used the literal string FOSSA; copy the current value from the Authentication page instead, a mismatch causes the SAML audience check to fail.

  5. 5

    Enable the claims issuance policy

    Tick Configure claims issuance policy for this application, then finish the wizard. This opens the policy editor, where you define what Active Directory sends to FOSSA at login.

  6. 6

    Map Active Directory attributes to claims

    Click Add Rule and choose the Send LDAP Attributes as Claims template. Give the rule a name, set Active Directory as the attribute store, and add these mappings:

    LDAP attributeOutgoing claim type
    E-Mail-AddressesName ID
    Given-NamefirstName
    SurnamelastName

    Warning

    FOSSA reads the user's email from the Name ID, and reads firstName and lastName to build their display name. Spell the outgoing claim types exactly as shown, a mismatch leaves new users without a name or blocks login entirely.

  7. 7

    Export the token-signing certificate

    In the AD FS Management tool, go to Service → Certificates in the left sidebar. Select the token-signing certificate and click View Certificate. On the Details tab, click Copy to File and export it as Base-64 encoded X.509 (.CER). Open the exported file in a text editor, you'll paste its contents into FOSSA next.

  8. 8

    Finish setup in FOSSA

    Back in FOSSA, on the Settings → Organization → Authentication page:

    1. In Identity Provider Single Sign On URL, enter your ADFS server URL with /adfs/ls appended (for example, https://adfs.example.com/adfs/ls).
    2. In Certificate, paste the contents of the certificate you exported.
    3. Click Save Changes.

Result

ADFS is now configured to authenticate users to FOSSA. For their first login, users sign in one of two ways:

  • Visit the SAML login link shown on FOSSA's Authentication page, or
  • Go to /adfs/ls/idpinitiatedsignon on your ADFS server, if IdP-initiated sign-on is enabled.

After their first login, users can sign in by entering their email address on the FOSSA login page.

Note

FOSSA can also set each user's organization role and synchronize their team membership from SAML attributes. See the SAML attributes guide for the supported role and teams claims.

© 2026 FOSSA, Inc.support@fossa.com