# Microsoft ADFS SSO Squadcast supports SAML 2.0-based Single **Sign-On** (SSO) login for Microsoft Active Directory users and you can set it for your organization by following this integration guide. ### Pre-requisites 1. Account Owner / Administrator account in Squadcast {% hint style="info" %} **Points to Note:** 1\. Only an Administrator / Account owner can enable and configure Microsoft ADFS SSO for an organization in Squadcast.\ \ 2\. Once enabled, only the Account owner can use email password-based login by default although it can be configured to enable email-based login for Administrators as well. {% endhint %} ### Setup Instructions 1. Login to `app.squadcast.com` and navigate to the **Settings** > **Extensions**. Click the **Configure** button under SSO. ![](/files/wUaf2IfEd3ylidqSneDl) 2\. In the opened modal, select the **Custom SAML 2.0** tab and click **Show configuration guide for Custom SAML 2.0**. ![](/files/wxQbH7LLJxqmcMYQB2XE) 3\. As given in the displayed guide, copy the **ACS** URL. Then log in to your server and go to `Server Manager`. ![](/files/DkpWlVJSznhczXDBezrs) 4\. Go to `Tools` -> `ADFS Management` ![](/files/M6yfClDO07fMFCbpKqtJ) 5\. Click on `Add Relying Party Trust`. ![](/files/SIncGlxIQrDuUpv4WDJK) 6\. Select `Claims Aware` and click `Start`. 7\. Select `Enter data about the relying party manually` and click `Next.` ![](/files/x870lHDweWh2FeQgwA1G) 8\. Enter the `Display name`. Click `Next`. ![](/files/NZpQUgLtS1FE2lD4eX26) 9\. Select `Configure Certificate` and click `Next`. ![](/files/zxLDa5NV2QGSa2bGwriy) 10\. Select `Enable Support for the SAML 2.0 Web SSO protocol`. Enter the **ACS** URL you copied from Squadcast. Click `Next`. ![](/files/N89ArSMzoMxNo50HMCXw) 11\. Paste the **ACS** URL in `Relying on party trust identifier`. Click `Add`. Then click `Next`. ![](/files/vC1z2Bwvgk5hW1biukPW) 12\. Select `Access Control Policy`. Click `Next`. ![](/files/VfQD8h6A35p9RpxjeJUF) 13\. In `Ready to Add Trust`. Click `Next`. Then Click `Close`. ![](/files/Gi6HLw4yK4QRZT9Ns0fi) 14\. Click `Edit Claim Insurance Policy`. ![](/files/vN5wybiyYPdxoBflmoi6) 15\. Click `Add Rule`. 16\. Select `Send LDAP Attributes as Claims`. Click `Next`. 17\. Give a name. Select Attribute Store as `Active Directory`. And map **LDAP attributes** to **Outgoing Claim Type** as shown below. Map `E-Mail-Addresses` to `E-Mail Address`, `Given-Nam``e` to `Given Name` and `Surname` to `Surname` Click `Ok`. ![](/files/iVjzMUlmHUQ51vP8ROQ0) 18\. Then Click `Add Rule`. Select `Send Claims using Custom Rule`. Click `Next`. 19\. Give a `Claim rule name`. And enter the following `Custom rule`. Click `Ok`. ![](/files/RjBAM5ir9OGdrrF3n053) ``` c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"] => issue(Type = "last_name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType); ``` 20\. Repeat the Above step and add two more custom rules. Following are the two rules. ![](/files/43nFtCwn9hhcQliHiqh0) ``` c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"] => issue(Type = "first_name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType); ``` ![](/files/5KcgyjiNyWE3YxrpdCD7) ``` c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType); ``` {% hint style="info" %} **Points to Note:** Make Sure the user accounts to be used for SSO have the first name, last name and email configured. {% endhint %} 21\. Click `Apply`. 22\. Again, using the `Edit Claim Rule` wizard, add a rule using the template. `Transform an incoming claim` of type Email Address with Outgoing Claim Type Name ID and Outgoing Name ID Format as Email, passing through all claim values. ![](/files/g9qzobcO5D3EJbd0b3wu) 23\. In your **ADFS** management dashboard. Go to `Services->Certificates`. Select `Token Signing Certificate` and Click `View Certificate`. Go to `Details->Copy to Fil``e` and export the Der encoded binary X.509 certificate. ![](/files/R9jUth94swUZ14U0SGFx) ![](/files/vDmyx5GiWT4D633XINRk) ![](/files/mIwlsXRtkyurgDSRQJGl) ![](/files/foVxJlxYKy2XI4PQfRh0) ![](/files/OMdBVjJC7S1hiEQYPZPg) 24\. Now convert the `.cer` file to a `.pem` file using the following command in Powershell. ``` openssl x509 -inform der -in certificatename.cer -out certificatename.pem ``` 25\. Open the .pem file in a text editor. Copy the contents and paste them into Squadcast under `X.509 Certificate`. Then enter the `Saml 2.0` Endpoint as **https\:///adfs/ls** {% hint style="info" %} **Note:** Make sure to add the **Domain Name** of your Organization, for SSO login to work {% endhint %} ![](/files/qiP2Dod6ePYbWKvbM0Ah) 26\. Enable `SSO` and click `Save`. 27\. ADFS SSO is now configured. To test it you can go to **https\:///adfs/ls/idpinitiatedsignon**. Select Your application and sign in with your user account. You will be logged in to Squadcast and a user will be created. ![](/files/RT4444xfcT54TMsN5onP) ![](/files/DtK5tEXO5Hs0XwLuiQzu) *Have any questions?* [*Ask the community*](https://community.squadcast.com/view/home)*.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://support.squadcast.com/single-sign-on-sso/microsoft-adfs-sso.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.