Configuring SSO between Samanage and ADFS

Document created by Joseph Brown (Employee) on Jan 24, 2017. Last modified by Josh Mills on Apr 18, 2018.

To set up SSO (Single Sign-On) between Samanage and your ADFS (Active Directory Federation Services) server, follow the configuration procedure below. Settings are needed on both sides: Samanage must know where to send users and which certificate to trust, and ADFS must know Samanage as a relying party and issue the claim Samanage expects.


In Samanage:

Enter your Identity Provider URL. For ADFS, see the screenshot below, and make sure you upload the correct certificate: this is the ADFS token-signing certificate, which Samanage uses to verify the signature on the SAML assertions it receives. If the uploaded certificate does not match the one ADFS signs with, logins will fail; keep in mind that ADFS rolls its token-signing certificate automatically when AutoCertificateRollover is enabled, so the copy in Samanage has to be replaced whenever that happens.


If you want your users to always log in via Active Directory SSO, check the box next to 'Redirect to the saml login page when logging into Samanage by default' (at the bottom of the screenshot above).


In your ADFS server:


  1. Create the relying party trust from Samanage's federation metadata. The relying party's federation metadata URL is:

  2. Define your two endpoints:  and

  3. If you set a CNAME in Samanage, also add that hostname as an endpoint, otherwise assertions returned to the CNAME address will be rejected.

  4. Add a claims rule. Samanage needs the assertion's NameID to carry the user's e-mail address, so set 'Outgoing claim type' to NameID and 'Outgoing name ID format' to Email (see screenshot).



In some organizations, the above instructions may not work. This is what you have to do to get it to work when "AD FS 1.x E-Mail Address" is selected as the "Incoming Claim Type" of the NameID transform rule; the extra rule below supplies that claim from Active Directory so the transform has something to map:

  • Open the AD FS Management Console
  • Go to "Trust Relationships"
  • Go to "Relying Party Trusts"
  • Highlight the relying party trust you created for Samanage
  • Click "Edit Claim Rules"
  • Click "Add Rule"
  • Select "Send LDAP Attributes as Claims"
  • Name the rule whatever you wish
  • Select the "Active Directory" attribute store
  • For the LDAP Attribute select "E-Mail Addresses"
  • For the Outgoing Claim Type select "AD FS 1.x E-Mail Address"
  • Click OK
  • Click Apply
  • Click OK
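The same "Send LDAP Attributes as Claims" rule can be appended to the existing trust from PowerShell. This is an added example, not code from Samanage or from this article; it assumes the trust is named "Samanage" (adjust $TrustName if yours differs). "AD FS 1.x E-Mail Address" is the legacy claim type http://schemas.xmlsoap.org/claims/EmailAddress, which is what the console writes when you pick it as the outgoing claim type. The script appends rather than overwrites the rule set and skips the change if the rule is already there, so it is safe to re-run.

```powershell
# Added example (not from the Samanage article): add the AD FS 1.x E-Mail Address LDAP rule
# to an existing relying party trust without discarding the rules already attached to it.
Import-Module ADFS

$TrustName = "Samanage"   # assumption: the trust name used when the relying party was created

# "AD FS 1.x E-Mail Address" == http://schemas.xmlsoap.org/claims/EmailAddress
$LegacyEmailRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD FS 1.x E-Mail Address from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/EmailAddress"), query = ";mail;{0}", param = c.Value);
'@

$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $Trust) { throw "Relying party trust '$TrustName' not found; create it first." }

# Append only when the legacy claim type is not already issued by some rule on this trust.
if ($Trust.IssuanceTransformRules -notmatch 'schemas\.xmlsoap\.org/claims/EmailAddress') {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName `
        -IssuanceTransformRules ($Trust.IssuanceTransformRules + "`r`n" + $LegacyEmailRule)
    Write-Output "Added legacy e-mail rule to '$TrustName'."
} else {
    Write-Output "'$TrustName' already issues the AD FS 1.x E-Mail Address claim; nothing changed."
}

# Verify: list the names of all issuance transform rules now attached to the trust.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules -split "`r?`n" |
    Where-Object { $_ -like '@RuleName*' }
```

After running it, the existing NameID transform rule with "AD FS 1.x E-Mail Address" as its incoming claim type will find a matching claim in the pipeline, which is what the console steps above achieve.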


If Single Sign-On works in Internet Explorer but not in Firefox, Chrome or another browser, the cause is usually that ADFS only offers Windows Integrated Authentication to browsers whose user agent it recognises, and the fix below may help.


Try the following on the ADFS server in PowerShell (run as Administrator):

  1. Relax Extended Protection for Authentication in ADFS 3.0 (the original instructions disable it outright)
    1. Set-AdfsProperties -ExtendedProtectionTokenCheck None
  2. Add Chrome to the user agents that ADFS will challenge with Windows Integrated Authentication (Kerberos/NTLM)
    1. Set-AdfsProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")

Two caveats before applying this. Extended Protection (channel binding) is what stops an attacker in the network path from relaying a user's Windows credentials to ADFS; "None" removes that check for every client, so try "Allow" first, which still validates channel-binding tokens from browsers that send them and only skips the check for those that do not. And "Mozilla/5.0" appears in the user agent string of practically every modern browser, so the second command sends all browsers, not just Chrome, to Windows Integrated Authentication; Firefox will additionally prompt for credentials unless the ADFS hostname is listed in its network.negotiate-auth.trusted-uris (Kerberos) or network.automatic-ntlm-auth.trusted-uris (NTLM) preference. Restart the AD FS service after changing WIASupportedUserAgents.
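The following script applies the browser fix in a safer way than the two bare commands: it records the current settings, prefers the "Allow" value for Extended Protection, appends "Mozilla/5.0" to whatever list is already configured instead of replacing it, restarts the service and prints what changed. It is an added example, not code from Samanage or from this article; the only assumption is that the ADFS service is running under its default service name adfssrv.

```powershell
# Added example (not from the Samanage article): apply the Chrome/Firefox WIA fix while
# keeping the existing user-agent list and the least permissive EPA setting that works.
Import-Module ADFS

$Before = Get-AdfsProperties | Select-Object ExtendedProtectionTokenCheck, WIASupportedUserAgents

# 1. Extended Protection: "Allow" still validates channel-binding tokens from clients that send them.
#    Fall back to "None" only if Chrome/Firefox still loop on the credential prompt with "Allow".
Set-AdfsProperties -ExtendedProtectionTokenCheck Allow

# 2. Append rather than replace. "Mozilla/5.0" is a substring of nearly every browser's user
#    agent, so this sends every browser, not only Chrome, to Windows Integrated Authentication.
$Wanted  = @("Mozilla/5.0")
$Current = @((Get-AdfsProperties).WIASupportedUserAgents)
$Missing = @($Wanted | Where-Object { $_ -notin $Current })

if ($Missing.Count -gt 0) {
    Set-AdfsProperties -WIASupportedUserAgents ($Current + $Missing)
    # Changes to WIASupportedUserAgents take effect after the AD FS service restarts.
    Restart-Service -Name adfssrv   # assumption: default AD FS service name
} else {
    Write-Output "User agent list already contains: $($Wanted -join ', ')"
}

$After = Get-AdfsProperties | Select-Object ExtendedProtectionTokenCheck, WIASupportedUserAgents
Write-Output "Before:"; $Before | Format-List
Write-Output "After:";  $After  | Format-List
```

Keep the "Before" output: if the change breaks something, `Set-AdfsProperties -WIASupportedUserAgents $Before.WIASupportedUserAgents` and `Set-AdfsProperties -ExtendedProtectionTokenCheck $Before.ExtendedProtectionTokenCheck` put the server back exactly as it was.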



NOTE: If you are using Azure Active Directory rather than an on-premises ADFS server, see this setup document instead: Tutorial: Azure Active Directory integration with Samanage | Microsoft Docs