Integrating Trusona and Active Directory Federation Services (ADFS)

This guide details the steps required to configure Trusona for your ADFS instance.

This guide assumes that you have experience installing and configuring Windows Server 2016, Active Directory, and Active Directory Federation Services (ADFS) 2016. This document also assumes a new installation of the above.

For more information on installing ADFS, please see the AD FS 2016 Deployment Guide.

It is also assumed that you have provided your ADFS Token Signing certificate to Trusona (Trusona uses it to verify the AuthnRequests your ADFS instance signs). For more information on ADFS certificates, please see Obtain and Configure Token Signing and Token Decryption Certificates for AD FS.

1. Configuring Claims Provider Trust

1.1. Select Claims Provider Trusts

Select AD FS > Service > Claims Provider Trusts

1.2. Add Claims Provider Trusts

1.3. Import Data About the Claims Provider

Select “Import data about the claims provider published online or on a local network.”

Enter the metadata URL that was provided during the provisioning of your account. For this example we are using a URL in which trulab represents the handle used to identify your instance.

For provisioning, contact

1.4. Specify Display Name as “Trusona”

Complete the wizard with the remaining default values. ADFS will configure itself from the metadata document.

1.5. Open PowerShell to Complete Configuration

Configure ADFS to enable the IdP-initiated SAML flow (this exposes the /adfs/ls/idpinitiatedsignon page, which is off by default in ADFS 2016):

PS C:\> Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

Configure ADFS to send the AssertionConsumerServiceURL in the AuthnRequest. This is required by the Trusona Gateway. The trust can be selected by the display name set in step 1.4 (“Trusona”) or by its Identifier; the Identifier is always the same and is populated from the metadata document.

PS C:\> Get-AdfsClaimsProviderTrust -Name 'Trusona' |
    Set-AdfsClaimsProviderTrust -SamlAuthenticationRequestParameters Url
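The whole of section 1, including the certificate hand-off from the prerequisites, can be scripted rather than clicked through. The following is an added example and is not part of the Trusona guide: it assumes the trust is named “Trusona” as in step 1.4, that the metadata URL placeholder is replaced with the one Trusona provided, and that it runs in an elevated PowerShell session on the ADFS server.

```powershell
# Added example, not from the Trusona documentation.
# Assumptions: trust display name 'Trusona'; $metadataUrl must be replaced with
# the URL Trusona provided at provisioning; run elevated on the ADFS server.
Import-Module ADFS

$displayName = 'Trusona'
$metadataUrl = '<metadata URL provided by Trusona>'   # placeholder, replace before running

# Prerequisite: export the PRIMARY token-signing certificate (public key only, DER .cer)
# so it can be handed to Trusona. Only the primary one signs AuthnRequests.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
Export-Certificate -Cert $signing.Certificate -FilePath 'C:\Temp\adfs-token-signing.cer' -Type CERT | Out-Null

# Steps 1.3 / 1.4: create the claims provider trust from the published metadata document.
# Identifier, endpoints and Trusona's signing certificate are all taken from the metadata.
if (-not (Get-AdfsClaimsProviderTrust -Name $displayName -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimsProviderTrust -Name $displayName -MetadataUrl $metadataUrl
}

# Step 1.5: IdP-initiated sign-on page, and ACS URL in the AuthnRequest for the Trusona Gateway.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
Get-AdfsClaimsProviderTrust -Name $displayName |
    Set-AdfsClaimsProviderTrust -SamlAuthenticationRequestParameters Url

# Verification: Identifier should match the entityID in the metadata,
# SamlAuthenticationRequestParameters should read 'Url', and the sign-on page should be enabled.
Get-AdfsClaimsProviderTrust -Name $displayName |
    Select-Object Name, Identifier, Enabled, SamlAuthenticationRequestParameters, MetadataUrl
(Get-AdfsProperties).EnableIdpInitiatedSignonPage
```

Because -EnableIdpInitiatedSignonPage is farm-wide, it also enables IdP-initiated sign-on for every other claims provider and relying party on the farm, not only Trusona; treat that as a deliberate configuration change rather than a Trusona-only toggle.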

2. Configure ADFS to Resolve Attributes from Active Directory

You may want to configure ADFS to resolve attributes from Active Directory for users authenticating with Trusona. If the relying-party SPs behind ADFS require information from Active Directory, such as group membership, complete this section.

Before doing so, ensure the following requirements are met.

  • Your Trusona integration is configured to resolve an email address against a configured set of domains, so that the SAML Subject NameID is an email address
  • Email addresses are stored in Active Directory in the E-Mail field (the mail attribute), which the rule below uses as the lookup key

2.1. Edit Claim Rules

In the ADFS Management console, right-click on the Trusona Claim Provider Trust and select Edit Claim Rules

2.2. Create Rule “Pass All Trusona Claims”

Create a new rule using the Send Claims Using a Custom Rule template and title it Pass all Trusona claims. The rule forwards every incoming claim unchanged:

c:[]
 => issue(claim = c);

2.3. Create Rule “Resolve AD Attributes”

Create a new rule using the Send Claims Using a Custom Rule template and title it Resolve AD attributes:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"),
          query = "mail={0};userPrincipalName,sAMAccountName,tokenGroups;LAB\adfs_sa",
          param = c.Value);

The Active Directory attribute store query has three parts separated by semicolons: the LDAP filter (with {0} replaced by param), the comma-separated attributes to return, and DOMAIN\username. In the query, replace LAB with the name of your domain; in our example, LAB is the name of our domain. Since we are querying against Active Directory the username part (adfs_sa) needs to be present, but there is no requirement that it be valid or exist in Active Directory; the domain part is what selects the domain to query. This may not be the case if you were querying against a different LDAP store.

This rule does the following:

  1. Gets the Subject NameID from the incoming assertion, but only where the format of the NameID is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  2. Looks up the user whose mail attribute equals that NameID and issues claims from the Active Directory attributes userPrincipalName, sAMAccountName and tokenGroups, setting the values on the corresponding claim types in the same order (UPN, Windows account name, Groups).

More information about the ADFS rule syntax is available on The Role of the Claim Rule Language.

ADFS will now populate the following claims upon receiving an assertion from Trusona; they can be used to resolve additional information from other systems or passed on as part of another assertion:

  • Windows account name
  • Groups (all AD groups, nested groups included, as multiple values of the groups claim)
  • UPN

This was tested using the AWS Management Console as the SP as part of an IdP-initiated flow.
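The two rules from sections 2.2 and 2.3 can also be applied and checked from PowerShell, which is easier to review and to keep under version control than the Edit Claim Rules dialog. This is an added example and not part of the Trusona guide; it assumes the trust is named “Trusona” and that LAB stands in for your own domain exactly as in the guide.

```powershell
# Added example, not from the Trusona documentation.
# Assumptions: trust display name 'Trusona'; $domain is a placeholder for your NetBIOS domain.
Import-Module ADFS

$domain = 'LAB'   # replace with your domain name; the adfs_sa part only needs to be present

# Both acceptance transform rules from section 2, in ADFS claim rule language.
# The order of 'types' matches the order of attributes in 'query'.
$rules = @"
@RuleName = "Pass all Trusona claims"
c:[]
 => issue(claim = c);

@RuleName = "Resolve AD attributes"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"),
          query = "mail={0};userPrincipalName,sAMAccountName,tokenGroups;$domain\adfs_sa",
          param = c.Value);
"@

# Replaces the trust's whole acceptance transform rule set with the two rules above.
Set-AdfsClaimsProviderTrust -TargetName 'Trusona' -AcceptanceTransformRules $rules

# Verification: the stored rule set should read back exactly as submitted.
(Get-AdfsClaimsProviderTrust -Name 'Trusona').AcceptanceTransformRules
```

Note that the pass-all rule forwards every claim Trusona asserts into the ADFS pipeline. If your relying parties only need the three Active Directory-derived claims, narrow c:[] to the claim types they actually consume so that unexpected incoming claims cannot reach them.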

For information on configuring AWS IAM and ADFS please see

3. Architecture

Trusona ADFS integration architecture diagram
