Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

AD FS

Configure Active Directory Federation Services (AD FS) as a SAML 2.0 identity provider for Safeguard.

AD FS

  1. On the AD FS server, open AD FS Management → Relying Party Trusts → Add Relying Party Trust → Claims aware, and enter data manually.
  2. Set the Relying party trust identifier to the SP Entity ID Safeguard shows after Save (this is the Entity ID).
  3. Enable SAML 2.0 WebSSO and set its URL to the ACS URL Safeguard shows after Save.
  4. Add an Issuance Transform Rule mapping E-Mail-Addresses to the Name ID outgoing claim, format Email.
  5. Add a second Issuance Transform Rule mapping E-Mail-Addresses to an outgoing claim type named exactly email — AD FS's default claim types are full URIs, not this short name, and Safeguard needs the literal email attribute separate from the Name ID rule.
  6. Export the token-signing certificate under Service → Certificates, and note the SAML 2.0/WS-Federation endpoint under Endpoints (or the federation metadata URL).
  7. In Safeguard, click Add Provider → SAML 2.0 → AD FS, and enter the endpoint, Entity ID, and certificate.
  8. Grant access under the relying party trust's Access Control Policy.
  9. Click Test in Safeguard to confirm.

Common errors: an "MSIS7042: claims required by relying party trust were not present" error means the Issuance Transform Rule mapping E-Mail-Addresses → Name ID is missing, or the signed-in AD account has no email attribute set.

On this page