Integration
Integrating Keyless with Active Directory Federation Services
This guide details the steps required to configure Keyless for your ADFS instance. Integrating Keyless with ADFS is a simple 2-step process that you can get up and running in less than 10 minutes.
This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (ADFS) 2016 or 2019.
For more information on installing ADFS, please see the ADFS 2016 Deployment Guide.

Step 1: Create Relying Party Trust

Log in to the AD FS Management console from Server Manager by clicking "Tools" on the top navigation bar and selecting "AD FS Management".
Windows Server Manager Dashboard.
Once you are in the AD FS Management console, right-click “Relying Party Trusts” and select “Add Relying Party Trust…” from the right-pane menu, as shown in the image below.
Add a Relying Party Trust
This will open a 5-step wizard. In the first step of the wizard, select the default value of “Claims Aware” and click “Start”.
Select "Claims aware" type party.
In the following screen, choose to import data about the relying party published online and enter the metadata URL that was provided when your account was provisioned. For this example we are using https://contoso-poc-registration.keyless.technology/metadata/, where contoso-poc is the handle that identifies your instance. AD FS fetches this document over HTTPS, so the federation server needs outbound access to that host and must trust its TLS certificate, otherwise the import fails.
For provisioning questions, contact [email protected]io
After inserting the URL, click “Next”.
Enter the federation metadata address.
You may now change the display name for the relying party and add a note. The display name is the friendly name shown to administrators in the AD FS console and to end users. Click “Next” once done.
Add an optional display name and note.
In the next step you define the access control policy, which determines which users and groups are allowed to register and use Keyless. Start with a pilot group rather than "Permit everyone" where you can. After selecting the proper users and groups, click “Next”.
Define the Keyless access policy for your organization.
The next step, called “Ready to Add Trust”, is an overview of the configuration from the previous steps. Please take a minute to review the parameters configured and click "Next" when ready.
Review your configurations.
In the last step, leave the checkbox checked. When done, click “Close” to finish adding the Relying Party Trust.
Finish and close the dialog.

Step 2: Configure Claim Issuance Policy

After completing Step 1 above, you should be able to see the new relying party trust you’ve just created under the “Relying Party Trusts” folder in your AD FS Management Portal.
Right-click on the relying party trust you’ve just added, and select “Edit Claim Issuance Policy” from the menu.
Edit Claim Issuance Policy for the Keyless relying party.
In this step you define the rules that transform the claims sent to the Keyless relying party.
Go ahead and define two rules by clicking “Add Rule” in the bottom part of the dialog:
Rule 1: Send UPN as Email Address
  • Rule Type: “Send LDAP Attributes as Claims”
  • Rule Name: “Send UPN as email address”
  • LDAP Attribute: User-Principal-Name
  • Outgoing Attribute: E-mail Address
Choose rule template.
Define the mapping between UPN and email address.
After clicking "Finish" the first rule appears in the list. Now add the second rule:
Rule 2: Send UPN as NameID
  • Rule Type: “Send LDAP Attributes as Claims”
  • Rule Name: “Send UPN as NameID”
  • LDAP Attribute: User-Principal-Name
  • Outgoing Attribute: Name ID
Define the mapping between the UPN and the Name ID
After adding these two rules, you should see the following list of rules in the “Issuance Transform Rules” dialog.
Summary of rules.
Click "Apply" and "OK" to save your changes.
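The same two steps can be done from an elevated PowerShell session on the primary AD FS server, which is also the quickest way to verify what the wizard actually stored. The script below is an added example, not Keyless's own code or tooling. It assumes the relying party display name "Keyless", the contoso-poc metadata URL from the example above, and a pilot group "CONTOSO\Keyless Users"; the "Permit specific group" policy and its GroupParameter key are the built-in AD FS 2016 access control policy, but confirm them with Get-AdfsAccessControlPolicy in your farm.

```powershell
# Added example (not from Keyless): create and verify the Keyless relying party
# trust from an elevated PowerShell session on the primary AD FS server.
# Assumptions: display name "Keyless", the metadata URL from the guide's
# contoso-poc example, and the pilot group "CONTOSO\Keyless Users".
Import-Module ADFS

$Name        = 'Keyless'
$MetadataUrl = 'https://contoso-poc-registration.keyless.technology/metadata/'
$PilotGroup  = 'CONTOSO\Keyless Users'   # assumed; replace with your own group

# Claim rules exactly as the "Send LDAP Attributes as Claims" template emits them:
# both look up userPrincipalName in AD for the authenticated account and issue it
# as E-mail Address (Rule 1) and as Name ID (Rule 2).
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as email address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Step 1: import the SP metadata over HTTPS and scope access to the pilot group.
# "Permit specific group" is a built-in AD FS 2016 access control policy; its
# parameter key (GroupParameter) is assumed here, check Get-AdfsAccessControlPolicy.
# Use "Permit everyone" without -AccessControlPolicyParameters for a wide-open PoC.
# Monitoring/auto-update lets AD FS pick up certificate rollover from the metadata.
Add-AdfsRelyingPartyTrust -Name $Name `
    -MetadataUrl $MetadataUrl `
    -AccessControlPolicyName 'Permit specific group' `
    -AccessControlPolicyParameters @{ GroupParameter = @($PilotGroup) } `
    -IssuanceTransformRules $Rules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -Notes 'Keyless registration / authentication SP'

# Check: confirm what AD FS actually stored. The Identifier comes from the
# metadata document, so a wrong URL shows up here before any user logs in.
Get-AdfsRelyingPartyTrust -Name $Name |
    Select-Object Name, Identifier, MetadataUrl, AccessControlPolicyName,
                  MonitoringEnabled, AutoUpdateEnabled, Enabled

# Both rules should be listed, each with the @RuleName used in the guide.
(Get-AdfsRelyingPartyTrust -Name $Name).IssuanceTransformRules
```

Two things to keep in mind with these rules: both claims are derived from userPrincipalName, not from the mail attribute, so the E-mail Address claim is only meaningful if your UPNs are routable addresses, and renaming a user's UPN changes the identity AD FS presents to Keyless. Test with the pilot group first and only widen the access control policy once registration works for those accounts.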

Congratulations, you have successfully integrated Keyless with your ADFS instance! 😎

If you would like to configure Keyless as an MFA method for your ADFS connected applications, go to the next chapter "Authentication".