Skip to main content
Skip table of contents

Add ADFS authentication to your Scuba instance

Before you start...

Make sure you've spoken with your technical account manager to determine which authentication provider best fits your needs. Your TAM will also give you two pieces of information that you will need before you start: the Sign-On URL and the AppID

Microsoft ADFS Configuration

Now you're ready to set up your ADFS application!

Create a New ADFS Application

  1. Log in to the Windows Domain Controller

  2. Open Start > Administrative Tools > AD FS Management

  3. Click on Trust Relationships > Relying Party Trusts

  4. Click Add Relying Party Trusts

  5. At the Welcome screen, click Start

  6. If there is a certificate, browse it

  7. Leave the "Configure URL" fields empty, and click Next

  8. Under Relying Party Trust Identifiers, you will need to enter two URLs that depend on the DNS of your Scuba instance:

  9. https://< Scuba Instance DNS >/api/metadata

  10. https://< Scuba Instance DNS >/api/metadata/<AppID>

For example, if your Scuba instance is at and your AppID is adfs, you should enter:

Choose not to configure multi-factor authentication, then click Next

10. Select "Permit all users access to this relying party," then click Next

11. Click Next again to complete the application setup process

Add Endpoints

Now you need to add two endpoints to your new ADFS application. 

  1. Double-click on your new ADFS app to show its properties

  2. Click on EndPoints, then click Add

  3. Configure your first endpoint by setting Binding to Artifact, Index to 0, and Trusted URL to the Sign-On URL that your TAM gave you. Click OK to finish. 

  4. Click Add again to add a second endpoint. For this one, set Binding to POST, Index to 1, and Trusted URL to the Sign-On URL.

  5. Click OK until you've closed the Properties for the new Relying Party Trusts

Edit Claim Rules

Now we need to add two claim rules to our application. 

  1. With your new Trust still selected, click Edit Claim Rules

  2. Click Add Rule

  3. The first rule we'll add is a Get-Attribute. Select "Send LDAP Membership as Claim" from the dropdown, then click Next. Next to Claim Rules, fill out the fields based on this screenshot:

  4. Click Finish

  5. Click Add Rule again to add the second rule

  6. Under "Claim Rule Template," select "Transform an incoming claim"

  7. Fill out the information according to this screenshot:

  8. Click Finish

Last Steps...

Please send the link for your Federation Metadata Document to your TAM or to (this link looks something like https://somedns/.../federationmetadata.xml). If you prefer, you can also send us the entire metadata file instead of sending a link to the hosted file.

What's Next

Don't forget to send us your Federation Metadata Document! Once we have that, we can get everything hooked up on our side. We will work with you to plan a time to switch over to the new authentication flow and have someone on your team validate that everything is working properly.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.