Configuring Single Sign-on (SSO) with Active Directory Federation Services (ADFS): for Brightflag Customers (Clients)


Brightflag integrates with several Single Sign-on (SSO) tools. If you are considering setting up SSO for Brightflag with Active Directory Federation Services (ADFS), your company’s dedicated Brightflag Implementation Manager or Customer Success Manager can guide you through this. 



  • You have set up an ADFS instance, where all users have an email address attribute and the email address is the same as their company account.
  • You have fully installed and configured ADFS.
  • You know your ‘SAML 2.0/W-Federation’ URL (found in ADFS Endpoints). If your IT team used the defaults for the installation, this will be ‘/adfs’. (This is also known as 
  • the Remote Login URL for your SAML server and sometimes called SAML Single Sign-On URL).


To add a relying party trust:

  1. Log in to the ADFS Server.
  2. Launch the ADFS Management Console.
  3. On the left-hand tree view, right-click Relying Party Trusts and select Add Relying Party Trust.
  4. Select the Relying Party Trusts folder from ADFS Management and click on Add Relying Party Trust from the Actions sidebar on the right.
    1. adfs_1.png
  5. On the Select Data Source screen, click Enter data about the relying party manually and click Next.
  6. Provide information for each screen in the Add Relying Party Trust wizard.
    1. On the Specify Display Name screen, enter a Display Name of your choosing and any notes (e.g. Brightflag SSO). 
    2. Select ADFS profile and click Next.
    3. Skip the Configure Certificate screen by clicking Next.
    4. On the Configure URL, select the box labelled Enable Support for the SAML 2.0 WebSSO protocol
      1. The URL will be: https://{region_prefix}  (note that there's no trailing slash at the end of the URL).
      2. Depending on where you are located, we have different configurations per region.
        • Domain:
        • Region_Prefix: app
        • Domain:
        • Region_Prefix: enterprise
        • Domain:
        • Region_Prefix: aus
    5. In the Configure Identifiers screen, enter the Relying Party Trust Identifier (also known as the Identity Provider Issuer URL) as  https://{region_prefix} Then click Add.
    6. Skip the Configure Multi-factor Authentication screen (unless you want to configure this) by clicking Next.
    7. In the Choose Issuance Authorization Rules screen, select the option Permit all users to access this relying party
      1. adfs_2.png
  7. On the Ready to Add Trust screen, review your settings and then click Next.
  8. On the final screen, make sure the checkbox labeled: “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” is selected and click Finish
    1. adfs_3.png

To create claim rules:

After you create the relying party trust, you can create the claim rules and make minor changes that aren't set by the wizard.

  1. If the claim rules editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.
  2. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.
  3. Create the following rule:
    1. Enter a descriptive rule name 
    2. LDAP Attribute: E-Mail-Addresses 
    3. Outgoing Claim Type: E-Mail Address
    4. Pass through all claim values (the default)
    5. Attribute Store: Active Directory
  4. Click OK.
    1. adfs_4.png
  5. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
  6. On the next screen, create another rule:
    1. Enter a descriptive rule name
    2. Incoming Claim Type: E-Mail Address
    3. Outgoing Claim Type: Name ID
    4. Outgoing Name ID Format: Email
    5. Pass through all claim values (the default)
      1. adfs_5.png
  7. Finally, click OK to create the claim rule, and then OK again to finish creating rules.
  8. You should now have two LDAP attribute rules set up:

LDAP Attribute

Outgoing Claim Type


E-Mail Address

E-Mail Address

Name ID


To send Federation Metadata XML Export:

Once the above settings have been configured, we require you to send us your federation metadata so we can configure our end. 

  1. In the ADFS Management Console, browse to Service > Endpoints > Metadata > Type: Federation Metadata to find your federation metadata URL. 
  2. Look for the metadata URL.
  3. Export the metadata file. This file includes your SSO setting information such as the SSO server, protocols supported, and the public key.
  4. Send this to Brightflag.
  5. Once we have configured Brightflag’s end, we will agree on a date for when this will be activated
Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.

Have more questions?
Submit a request
Share it, if you like it.