Skip to content

Configuring Microsoft AD FS integration with TLS Protect Cloud

If AD FS is your SSO solution, this topic shows you how to integrate AD FS with TLS Protect Cloud.

You can integrate TLS Protect Cloud with AD FS to enable single sign-on (SSO) for user identities with which AD FS can proxy.


Because you'll be making changes in both Microsoft AD FS Management console and TLS Protect Cloud, you'll complete the configuration faster if you open both applications side-by-side before proceeding.

To set up this integration, you'll need to

  1. Configure Microsoft AD FS and TLS Protect Cloud to work together
  2. Edit the application group to add a rule
  3. Test the connection between TLS Protect Cloud and AD FS

Step 1: Configuring AD FS and TLS Protect Cloud

  1. In AD FS Management, right-click Application Groups and click Add Application Group.
  2. In the Application Group Wizard, type a name, such as Venafi,
  3. Under Client-Server applications, select the Server application accessing a web API template, and then click Next.
  4. Log in to TLS Protect Cloud and click Settings > Platform.
  5. From the Single Sign On tab, click copy button next to Redirect URL to copy the URL, and then back in the AD FS wizard, paste it into the Redirect URI field, and then click Add.
  6. Click Next and on the Configure Application Credentials page of the wizard, select Generate a shared secret, click Copy to clipboard.
  7. In TLS Protect Cloud, paste it into Client Secret, and then click Save.

    This is an application password that is used by TLS Protect Cloud to authenticate to your SSO solution.


    Make sure you remember to click Save in TLS Protect Cloud after pasting in the client secret. If you forget, the connection will fail.

  8. Back in AD FS Management, click Next.

  9. On the Configure Web API screen, copy the Client Identifier from where you saved it during an earlier step (or, copy it again from the first step of the wizard [Server Application screen]), paste it into Identifier, and then click Add.
  10. Click Next.
  11. On the Apply Access Control Policy screen, select your required policy and click Next.
  12. On the Configure Application Permissions screen, make sure openid and allatclaims are selected, and then click Next.
  13. On the Summary screen, click Next, and then on the Complete screen, click Close.

Step 2: Edit the application group to add a rule

Now, edit the application group to add a rule.

  1. In AD FS Management, open your new application group to edit it.
  2. Under Applications, open the properties page of your new Web API, and then click the Issuance Transform Rules tab.
  3. Click Add Rule.
  4. From the Claim Rule Template list, select Send LDAP Attributes as Claims, and then click Next.
  5. On the Configure Claim Rule screen, type a name for your rule, and then select Active Directory from the Attribute Store list.
  6. Now map LDAP attributes to outgoing claim types:

    • E-Mail Addresses to E-Mail Address
    • Surname to Surname
    • Given-Name to Given Name


    Your user email and first and last name must be set correctly in Active Directory.

  7. Click Finish, then click Apply, and close the Application Group properties.

Step 3: Testing the connection between TLS Protect Cloud and AD FS

  1. Sign in to Venafi Control Plane.
  2. Click Settings > Single Sign-On.

  3. From the TLS Protect Cloud's Single Sign-On page, click Test Connection.

  4. When prompted by AD FS, type your enterprise credentials.

    When the authentication succeeds, you're redirected back to the TLS Protect Cloud SSO Configuration page. From there, you can view the claims that were returned in the OIDC token issued by AD FS.

  5. Save your SSO configuration.