This guide walks you through integrating Active Directory Federation Services (ADFS) Single Sign-On with Axya using SAML 2.0. Once configured, your users can log in to Axya using their existing Active Directory credentials.
Send the following information to Axya's security team at security@axya.co:
| Information | Description |
|---|---|
| User domain name | The email domain used for SSO (e.g., user@yourcompany.com) |
| Federation Metadata URL | Your ADFS Federation Metadata endpoint (preferred), typically https://adfs.yourcompany.com/FederationMetadata/2007-06/FederationMetadata.xml |
| ADFS SSO URL | The SAML 2.0 Single Sign-On endpoint (if metadata URL is not available) |
| Token-Signing Certificate | The ADFS token-signing certificate (if metadata URL is not available) |
| Test account | A test user with valid Active Directory credentials for Axya to validate the SSO flow |
On-premise consideration: ADFS is typically hosted on-premise. For the SSO integration to work, Axya must be able to reach your ADFS endpoints over the internet. If your ADFS server is not publicly accessible, you will need to use an ADFS Proxy (Web Application Proxy) or ensure the appropriate firewall rules are in place. Discuss this with your network team and with security@axya.co before proceeding.
After adding the Relying Party Trust, you must configure claim rules to send user attributes to Axya.
In ADFS Management, right-click the Axya Relying Party Trust and select Edit Claim Issuance Policy (or Edit Claim Rules on older ADFS versions).
Click Add Rule.
Select the template Send LDAP Attributes as Claims and click Next.
Enter a rule name (e.g., "Send User Attributes to Axya").
Set Attribute store to Active Directory.
Add the following LDAP attribute mappings:
| LDAP Attribute | Outgoing Claim Type |
|---|---|
| E-Mail-Addresses | E-Mail Address |
| Given-Name | Given Name |
| Surname | Surname |
Click Finish.
Click Add Rule again.
Select the template Transform an Incoming Claim and click Next.
Enter a rule name (e.g., "Transform Email to Name ID").
Set Incoming claim type to E-Mail Address and Outgoing claim type to Name ID. For Outgoing name ID format, use the format agreed with security@axya.co (Email is the usual choice when the Name ID carries the user's email address).
Select Pass through all claim values.
Click Finish, then OK to close the claim rules dialog.
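The same two claim rules, created from PowerShell instead of the ADFS Management GUI, as an added example that is not part of the original guide. It assumes the Relying Party Trust is named "Axya" and that Axya expects the SAML email address Name ID format; substitute your own trust name and confirm the format with security@axya.co. The rule text is what the two wizard templates generate, so the result is identical to the GUI steps above.

```powershell
# Added example (not from the original guide): recreate Step 2's two claim rules
# with the ADFS PowerShell module. Run in an elevated PowerShell on an ADFS server.
# Assumptions: the Relying Party Trust display name is "Axya" and the Name ID
# format expected by Axya is the SAML emailAddress format (confirm with Axya).

Import-Module ADFS

$rpName = "Axya"   # assumed display name of the Axya Relying Party Trust

# Rule 1: "Send LDAP Attributes as Claims" template.
# mail -> E-Mail Address, givenName -> Given Name, sn -> Surname, looked up in
# Active Directory by the authenticated user's windowsaccountname claim.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send User Attributes to Axya"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Rule 2: "Transform an Incoming Claim" template with "Pass through all claim
# values": E-Mail Address -> Name ID, tagged with the emailAddress format.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Transform Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Order matters: rule 2 consumes the email claim that rule 1 issues.
$rules = $ldapRule + "`r`n" + $nameIdRule

# NOTE: this REPLACES the trust's issuance transform rules with exactly these two.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Verify what ADFS stored and warn if the Name ID rule did not land.
$stored = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$stored
if ($stored -notmatch 'Transform Email to Name ID') {
    Write-Warning "Name ID transform rule missing; users will fail to sign in to Axya."
}
```

Keep the rule set minimal: every extra attribute you issue is released to Axya for every user, so only add LDAP mappings Axya has asked for.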
Because ADFS is typically on-premise, ensure that the following endpoints are accessible from the internet:
- https://adfs.yourcompany.com/FederationMetadata/2007-06/FederationMetadata.xml
- https://adfs.yourcompany.com/adfs/ls/

If these endpoints are not publicly accessible, configure a Web Application Proxy (WAP) or equivalent reverse proxy to publish them. Contact your network or infrastructure team for assistance.
Firewall rules: At minimum, HTTPS (port 443) must be open for inbound traffic to your ADFS proxy or WAP server from the internet.
Email the information listed in the table at the start of this guide (user domain, Federation Metadata URL, or the ADFS SSO URL plus token-signing certificate if no metadata URL is available, and a test account) to security@axya.co.
The Axya security team will then configure the SSO connection and provide the ACS URL and Entity ID (or an SP metadata URL) if these have not already been shared.
"Relying party trust not found" or "Unknown relying party" error
The Relying Party Trust for Axya may not be configured correctly, or the Entity ID does not match. Verify that the Relying party trust identifier is exactly the Entity ID provided by Axya; ADFS compares identifiers as literal strings, so a different scheme, case, or trailing slash will not match.
Claim rules not sending expected attributes
Users may see authentication errors if the Name ID or email claim is missing. Open the Axya Relying Party Trust, edit the claim issuance policy, and verify that the LDAP attribute mappings and the Name ID transform rule are configured as described in Step 2.
ADFS endpoints not reachable from the internet
If Axya cannot reach your ADFS server, the SSO flow will fail. Verify that your Web Application Proxy or firewall rules allow inbound HTTPS traffic to the ADFS endpoints. Test accessibility by loading your Federation Metadata URL from an external network.
Token-signing certificate expired or rotated
ADFS auto-rotates token-signing certificates by default (AutoCertificateRollover), publishing the next certificate in the Federation Metadata before it becomes primary. If SSO stops working unexpectedly, check whether the certificate has been rotated. If Axya consumes your Federation Metadata URL, confirm the URL is still reachable so the new certificate can be picked up; if you shared a static token-signing certificate instead, send the new certificate to security@axya.co so Axya can update the configuration.
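A check for the two troubleshooting cases above (endpoints not reachable from the internet, and a rotated token-signing certificate), as an added example that is not part of the original guide. It is meant to be run from a host outside your network. It assumes the ADFS host name adfs.yourcompany.com used in this guide, and an assumed `$knownThumbprint` variable holding the thumbprint of the certificate last sent to Axya.

```powershell
# Added example (not part of the original guide). Run from a host OUTSIDE your
# network: confirms the two ADFS endpoints Axya needs answer over HTTPS, and reads
# the token-signing certificate(s) published in the Federation Metadata so a
# rollover is noticed before SSO breaks.
# Assumptions: ADFS host is adfs.yourcompany.com (as in the guide); $knownThumbprint
# is the thumbprint of the certificate Axya currently has (empty = just list).

$adfsHost        = "adfs.yourcompany.com"
$metadataUrl     = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$ssoUrl          = "https://$adfsHost/adfs/ls/"
$knownThumbprint = ""   # assumed value, e.g. "A1B2C3..."; leave empty to skip the comparison

# 1. Reachability. Any HTTP answer means the endpoint is published. A bare GET to
#    /adfs/ls/ carries no SAML request and is rejected by ADFS; that still proves
#    the path is reachable, which is all this step checks.
foreach ($url in @($metadataUrl, $ssoUrl)) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Host ("OK   {0} -> HTTP {1}" -f $url, [int]$r.StatusCode)
    } catch {
        $resp = $_.Exception.Response
        if ($resp) {
            Write-Host ("OK   {0} -> HTTP {1} (reachable; request rejected as expected)" -f $url, [int]$resp.StatusCode)
        } else {
            Write-Warning ("FAIL {0} -> {1}; check WAP publishing / inbound 443" -f $url, $_.Exception.Message)
        }
    }
}

# 2. Signing certificate(s) from the metadata. Save to a file and load from bytes
#    so parsing does not depend on the Content-Type header ADFS sends.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) "FederationMetadata.xml"
Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -TimeoutSec 15 -OutFile $tmp
$xml = New-Object System.Xml.XmlDocument
$xml.Load($tmp)

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# During auto-rollover ADFS publishes both the current and the next certificate,
# so two signing KeyDescriptors here is normal, not an error.
$certNodes = $xml.SelectNodes(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)

if ($certNodes.Count -eq 0) {
    Write-Warning "No signing certificate found in metadata; the response may be an error page."
}

$published = @()
foreach ($node in $certNodes) {
    $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    $published += $cert.Thumbprint
    Write-Host ("Signing cert: {0}  thumbprint={1}  expires={2:u}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "  expires within 30 days; expect a rollover soon."
    }
}

# 3. Rotation check against what Axya was given.
if ($knownThumbprint -and ($published -notcontains $knownThumbprint.ToUpper())) {
    Write-Warning "Published signing certificate differs from $knownThumbprint. Send the new certificate to security@axya.co (not needed if Axya consumes the metadata URL)."
}
```

Run it on a schedule from outside the perimeter and you get both failure modes above flagged before users report them: a TLS or connection error on either URL means the WAP or firewall publishing is broken, and a thumbprint that is no longer in the metadata means the certificate Axya trusts has been rotated out.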
Note: This guide covers the general ADFS SSO setup. Configuration steps may vary depending on your ADFS version (ADFS 3.0, 4.0, or 5.0) and Windows Server version. Refer to the official Microsoft ADFS documentation for the most current instructions.
For assistance, contact the Axya security team at security@axya.co.