SSO AuthenticationSAML 2.0
AD FS
Configure Active Directory Federation Services (AD FS) as a SAML 2.0 identity provider for Safeguard.
AD FS
- On the AD FS server, open AD FS Management → Relying Party Trusts → Add Relying Party Trust → Claims aware, and enter data manually.
- Set the Relying party trust identifier to the SP Entity ID Safeguard shows after Save (this is the Entity ID).
- Enable SAML 2.0 WebSSO and set its URL to the ACS URL Safeguard shows after Save.
- Add an Issuance Transform Rule mapping
E-Mail-Addressesto the Name ID outgoing claim, format Email. - Add a second Issuance Transform Rule mapping
E-Mail-Addressesto an outgoing claim type named exactlyemail— AD FS's default claim types are full URIs, not this short name, and Safeguard needs the literalemailattribute separate from the Name ID rule. - Export the token-signing certificate under Service → Certificates, and note the SAML 2.0/WS-Federation endpoint under Endpoints (or the federation metadata URL).
- In Safeguard, click Add Provider → SAML 2.0 → AD FS, and enter the endpoint, Entity ID, and certificate.
- Grant access under the relying party trust's Access Control Policy.
- Click Test in Safeguard to confirm.
Common errors: an "MSIS7042: claims required by relying party trust were not present" error means the Issuance Transform Rule mapping E-Mail-Addresses → Name ID is missing, or the signed-in AD account has no email attribute set.