This guide details the steps required to configure Keyless to be used as the authentications method for your ADFS instance.

Please complete Integrating Keyless with Active Directory Federation Services before moving on to this guide.

This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (ADFS) 2016 or 2019.

For more information on installing ADFS, please see the ADFS 2016 Deployment Guide.

Step 1: Create Claims Provider Trust

Login to your ADFS Management portal from your Server Manager by clicking "Tools" from the top navigation bar and selecting "AD FS Management

Once you are in the AD FS Management Portal, right click on “Relying Party Trust” and select “Add Relying Party Trust…” from the right-pane menu, as shown in the image below.

This will open a 4-step wizard. In the first step of the wizard, select the default value of “Claims Aware” and click “Start”.

In the following screen, import data about the claims provider published online. Enter your metadata URL which was provided during the provisioning of your account. For this example we are using https://<acme-idp>.keyless.technology/metadata/ where <acme-idp> represents the handle used to identify your instance.

You may now optionally change the Display name for the claims provider, and add an optional note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click “Next” once done.

The next step, called “Ready to Add Trust”, is an overview of the configuration from the previous steps. Please take a minute to review the parameters configured.

Step 2: Configure Claim Rules

After completing Step 1 above, you should be able to see the new Claims Provider Trust you’ve just created under the “Claims Provider Trust” folder in your AD FS Management Portal.

Right-click on the Claims Provider Trust you’ve just added, and select “Edit Claim Rules” from the menu.

In this step you will define the rules that will transform the claims sent to the AD FS from Keyless.

Go ahead and define three rules by clicking “Add Rule” in the bottom part of the dialog:

Click "Apply" and "OK" to save your changes.

Please open PowerShell as administrator on your ADFS and enter this command (after replacing <keyless-registration-domain> with the domain provided to you by Keyless):

Set-AdfsRelyingPartyTrust -TargetName <keyless-registration-domain> -ClaimsProviderName @("Active Directory")

Congratulations, you can now use Keyless to authenticate to your ADFS connected applications! 😎

Verifying that ADFS and Keyless IdP is configured

Go to https://<your-adsf-domain>/adfs/ls/idpinitiatedsignon.htm and select the "Sign in to this site" option.

Click on the identity provider associated with Keyless IdP:

Here, provide the username (UPN format) of the test user and click the 'Continue' button.

At this point, the user should receive a push notification to the Keyless Authenticator app on his mobile phone. Once authenticated on the phone, the user should be logged in.