# Microsoft ADFS SSO
Squadcast supports SAML 2.0-based Single **Sign-On** (SSO) login for Microsoft Active Directory users and you can set it for your organization by following this integration guide.
### Pre-requisites
1. Account Owner / Administrator account in Squadcast
{% hint style="info" %}
**Points to Note:**
1\. Only an Administrator / Account owner can enable and configure Microsoft ADFS SSO for an organization in Squadcast.\
\
2\. Once enabled, only the Account owner can use email password-based login by default although it can be configured to enable email-based login for Administrators as well.
{% endhint %}
### Setup Instructions
1. Login to `app.squadcast.com` and navigate to the **Settings** > **Extensions**. Click the **Configure** button under SSO.
2\. In the opened modal, select the **Custom SAML 2.0** tab and click **Show configuration guide for Custom SAML 2.0**.
3\. As given in the displayed guide, copy the **ACS** URL. Then log in to your server and go to `Server Manager`.
4\. Go to `Tools` -> `ADFS Management`
5\. Click on `Add Relying Party Trust`.
6\. Select `Claims Aware` and click `Start`.
7\. Select `Enter data about the relying party manually` and click `Next.`
8\. Enter the `Display name`. Click `Next`.
9\. Select `Configure Certificate` and click `Next`.
10\. Select `Enable Support for the SAML 2.0 Web SSO protocol`. Enter the **ACS** URL you copied from Squadcast. Click `Next`.
11\. Paste the **ACS** URL in `Relying on party trust identifier`. Click `Add`. Then click `Next`.
12\. Select `Access Control Policy`. Click `Next`.
13\. In `Ready to Add Trust`. Click `Next`. Then Click `Close`.
14\. Click `Edit Claim Insurance Policy`.
15\. Click `Add Rule`.
16\. Select `Send LDAP Attributes as Claims`. Click `Next`.
17\. Give a name. Select Attribute Store as `Active Directory`. And map **LDAP attributes** to **Outgoing Claim Type** as shown below. Map `E-Mail-Addresses` to `E-Mail Address`, `Given-Nam``e` to `Given Name` and `Surname` to `Surname` Click `Ok`.
18\. Then Click `Add Rule`. Select `Send Claims using Custom Rule`. Click `Next`.
19\. Give a `Claim rule name`. And enter the following `Custom rule`. Click `Ok`.
```
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
=> issue(Type = "last_name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
```
20\. Repeat the Above step and add two more custom rules. Following are the two rules.
```
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
=> issue(Type = "first_name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
```
```
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
```
{% hint style="info" %}
**Points to Note:**
Make Sure the user accounts to be used for SSO have the first name, last name and email configured.
{% endhint %}
21\. Click `Apply`.
22\. Again, using the `Edit Claim Rule` wizard, add a rule using the template. `Transform an incoming claim` of type Email Address with Outgoing Claim Type Name ID and Outgoing Name ID Format as Email, passing through all claim values.
23\. In your **ADFS** management dashboard. Go to `Services->Certificates`. Select `Token Signing Certificate` and Click `View Certificate`. Go to `Details->Copy to Fil``e` and export the Der encoded binary X.509 certificate.
%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(3\).png?alt=media\&token=da92af12-5fea-4a89-b605-f00d25fcf653) %20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(4\).png?alt=media\&token=db2ce8d8-01fa-43ab-82f1-a935d3ba7f78) %20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(5\).png?alt=media\&token=5ec3ef5c-c71a-446a-8438-286a60510e78) %20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(3\).png?alt=media\&token=4d5785e7-3586-4d71-8ac8-e47f2a21cea8) %20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(7\).png?alt=media\&token=dff79fad-c3db-450d-87b9-a98d48bfb649)
24\. Now convert the `.cer` file to a `.pem` file using the following command in Powershell.
```
openssl x509 -inform der -in certificatename.cer -out certificatename.pem
```
25\. Open the .pem file in a text editor. Copy the contents and paste them into Squadcast under `X.509 Certificate`. Then enter the `Saml 2.0` Endpoint as **https\:///adfs/ls**
{% hint style="info" %}
**Note:**
Make sure to add the **Domain Name** of your Organization, for SSO login to work
{% endhint %}
26\. Enable `SSO` and click `Save`.
27\. ADFS SSO is now configured. To test it you can go to **https\:///adfs/ls/idpinitiatedsignon**. Select Your application and sign in with your user account. You will be logged in to Squadcast and a user will be created.
 
*Have any questions?* [*Ask the community*](https://community.squadcast.com/view/home)*.*