Integrating Keyless with Active Directory Federation Services

This guide details the steps required to configure Keyless for your ADFS instance. Integrating Keyless with ADFS is a simple 2-step process that you can get up and running in less than 10 minutes.

This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (ADFS) 2016 or 2019.

For more information on installing ADFS, please see the ADFS 2016 Deployment Guide.

Step 1: Create Relying Party Trust

Log in to the AD FS Management console from Server Manager by clicking "Tools" in the top navigation bar and selecting "AD FS Management".

Once you are in the AD FS Management console, right-click “Relying Party Trusts” and select “Add Relying Party Trust…” from the right-pane menu, as shown in the image below.

This will open a 5-step wizard. In the first step of the wizard, select the default value of “Claims Aware” and click “Start”.

In the following screen, choose to import data about the relying party published online. Enter the metadata URL that was provided during the provisioning of your account. For this example we are using a metadata URL in which <contoso-poc> represents the handle used to identify your instance.

For provisioning questions, contact

After inserting the URL, click “Next”.

You may now optionally change the display name for the relying party and add a note. The display name is a friendly name shown to administrators in the AD FS console and to end users. Click “Next” once done.

In the next step, you will be required to define the access control policy; this determines which users and groups will be able to register and use Keyless. After selecting the appropriate users and groups, click “Next”.

The next step, called “Ready to Add Trust”, is an overview of the configuration from the previous steps. Please take a minute to review the parameters configured and click "Next" when ready.

In the last step, leave the checkbox checked. When done, click “Close” to finish adding the Relying Party Trust.

Step 2: Configure Claim Issuance Policy

After completing Step 1 above, you should be able to see the new relying party trust you’ve just created under the “Relying Party Trusts” folder in your AD FS Management Portal.

Right-click on the relying party trust you’ve just added, and select “Edit Claim Issuance Policy” from the menu.

In this step you will define the rules that will transform the claims sent to the Keyless relying party.

Go ahead and define two rules by clicking “Add Rule” in the bottom part of the dialog:

Rule 1: Send UPN as Email Address

  • Rule Type: “Send LDAP Attributes as Claims”

  • Rule Name: “Send UPN as email address”

  • LDAP Attribute: User-Principal-Name

  • Outgoing Attribute: E-mail Address

After clicking "Finish" you should see the following rule:

Rule 2: Send UPN as NameID

  • Rule Type: “Send LDAP Attributes as Claims”

  • Rule Name: “Send UPN as NameID”

  • LDAP Attribute: User-Principal-Name

  • Outgoing Attribute: Name ID

After adding these two rules, you should see the following list of rules in the “Issuance Transform Rules” dialog.

Click "Apply" and "OK" to save your changes.
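Both steps above can also be scripted with the ADFS PowerShell module, which is useful for reproducing the configuration on a second ADFS farm or checking that the rules match what this guide describes. The script below is an added example and is not part of this guide or Keyless's own tooling. The display name "Keyless", the metadata URL placeholder, the group CONTOSO\Keyless Users and the hashtable form passed to -AccessControlPolicyParameters are assumptions; the two claim rules are written in the ADFS claim rule language and correspond to the "Send LDAP Attributes as Claims" mappings (User-Principal-Name to E-mail Address and to Name ID) defined in Step 2.

```powershell
# Added example (not Keyless documentation or tooling): create the Keyless relying party
# trust, apply the two claim rules from Step 2, then read the trust back to verify it.
# Run in an elevated PowerShell session on the primary ADFS server.
# ASSUMPTIONS: the display name and the metadata URL placeholder below are illustrative;
# use the metadata URL and handle you received during provisioning.
Import-Module ADFS

$DisplayName = "Keyless"
$MetadataUrl = "https://<metadata-url-from-provisioning>"   # placeholder, not a real endpoint

# Step 2 rules in the ADFS claim rule language. These are the same two
# "Send LDAP Attributes as Claims" rules the wizard generates for
# User-Principal-Name -> E-mail Address and User-Principal-Name -> Name ID.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as email address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Step 1: create the trust from the published federation metadata.
# MonitoringEnabled/AutoUpdateEnabled keep the trust in sync with the metadata,
# mirroring what the wizard configures when you import from a URL.
if (-not (Get-AdfsRelyingPartyTrust -Name $DisplayName)) {
    Add-AdfsRelyingPartyTrust -Name $DisplayName `
        -MetadataUrl $MetadataUrl `
        -MonitoringEnabled $true `
        -AutoUpdateEnabled $true `
        -Notes "Keyless relying party (created by script)"
}

# Access control policy: the scripted equivalent of picking users and groups in the
# wizard. The group name is a constructed example, and the hashtable shape for
# -AccessControlPolicyParameters is an assumption; confirm it with
# Get-Help Set-AdfsRelyingPartyTrust -Parameter AccessControlPolicyParameters.
Set-AdfsRelyingPartyTrust -TargetName $DisplayName `
    -AccessControlPolicyName "Permit specific group" `
    -AccessControlPolicyParameters @{ GroupParameter = @("CONTOSO\Keyless Users") }

# Step 2: apply the issuance transform rules (this replaces any existing rule set
# on the trust, so include every rule you want to keep in $IssuanceRules).
Set-AdfsRelyingPartyTrust -TargetName $DisplayName -IssuanceTransformRules $IssuanceRules

# Verification: read the trust back, confirm both claim types are issued and that the
# access control policy was not left wide open.
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
foreach ($claimType in @("emailaddress", "nameidentifier")) {
    if ($rp.IssuanceTransformRules -notmatch "identity/claims/$claimType") {
        Write-Warning "Rule issuing the $claimType claim is missing on '$DisplayName'"
    }
}
if ($rp.AccessControlPolicyName -eq "Permit everyone") {
    Write-Warning "Access control policy permits all users; narrow it to the intended groups"
}
$rp | Select-Object Name, Enabled, MetadataUrl, AccessControlPolicyName, Identifier
```

The read-back at the end is the part worth keeping even if you configure the trust through the wizard: the IssuanceTransformRules property contains the exact rule text the console shows in the “Issuance Transform Rules” dialog, so you can check that both the emailaddress and nameidentifier claims are issued and that the policy restricts Keyless to the intended groups.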

Congratulations, you have successfully integrated Keyless with your ADFS instance! 😎

If you would like to configure Keyless as an MFA method for your ADFS connected applications, go to the next chapter "Authentication".
