Configuring ADFS for Single-Sign-On

Posted by: EPM Partners on March 27, 2013

Configuring Single-Sign-On to EPMonDemand using Active Directory Federation Services (AD FS 2.0) requires a number of configuration changes on your AD infrastructure. This document details those steps.



Configure relying party in ADFS

Manually configure with the following settings:

  1. Name: EPMonDemand
  2. Profile: AD FS 2.0
  3. Enable WS-Federation Passive protocol
  4. WS-Federation Passive URL: https://[customer]
  5. Relying party trust identifier: [customer]
  6. Permit all users to access this relying party

Note: a second relying party will be required for the development environment. For this, repeat the above steps but use the alternate URL in step 4 of https://[customer]

Replace [customer] in each of the above addresses with your site prefix.


Configure the claim rules

Configure the following Issuance Transform Rules:

(Use the "Send LDAP Attributes as Claims" rule template; each mapping below is listed as ‘LDAP Attribute’ -> ‘Outgoing Claim Type’)

  1. E-Mail-Addresses -> E-Mail Address
  2. User-Principal-Name -> UPN
  3. Token-Groups – Unqualified Names -> Role


Export the token signing certificate

  1. From the AD FS 2.0 console, select Service -> Certificates.
  2. Select the token-signing certificate and choose View Certificate.
  3. From the Details tab, select Copy to File.
  4. Use the wizard to save the certificate as a DER encoded binary .CER file.
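
The three console procedures above can also be scripted with the AD FS 2.0 PowerShell snap-in. This is an added example, not EPM Partners' own script: the rule name, the output path and the closing thumbprint check are assumptions, and the [customer] placeholders are kept exactly as the page gives them and must be replaced with your real values before running.

```powershell
# Added example: scripted equivalent of the console steps, run on the AD FS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Placeholders copied from the page; replace [customer] before running.
$PassiveUrl = 'https://[customer]'                # step 4: WS-Federation Passive URL
$Identifier = '[customer]'                        # step 5: relying party trust identifier
$CerPath    = 'C:\Temp\adfs-token-signing.cer'    # assumed output path

# Issuance Transform Rule: E-Mail-Addresses -> E-Mail Address,
# User-Principal-Name -> UPN, Token-Groups (unqualified names) -> Role.
# The rule name is an assumption; any descriptive name works.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "EPMonDemand LDAP claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,userPrincipalName,tokenGroups;{0}", param = c.Value);
'@

# Issuance Authorization Rule: permit all users to access this relying party (step 6).
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the relying party trust with the WS-Federation Passive endpoint.
Add-ADFSRelyingPartyTrust -Name 'EPMonDemand' `
    -Identifier $Identifier `
    -WSFedEndpoint $PassiveUrl `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules

# Export the primary token-signing certificate (public part only) as DER.
$signing = Get-ADFSCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $der)

# Print thumbprint and expiry so the recipient can confirm the file out of band
# and so the rollover date is known before the certificate expires.
'{0}  expires {1:u}' -f $signing.Certificate.Thumbprint, $signing.Certificate.NotAfter
```

The exported .CER contains only the public certificate, so it is safe to send; the thumbprint lets the receiving side confirm it was not swapped in transit.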


Prepare details to provide to EPMonDemand

