Workplace from Meta is going away. You will be able to continue using Workplace until August 31, 2025. Visit our Help Center to find out more.
English (US)
Log in
මුල් පිටුව
මුල් පිටුව
    Security
    Security is at the heart of everything we do, with world-class infrastructure and features to keep your company safe.
    RESOURCES
    Everything you need to transform the way you work with Workplace.
          Start Using Workplace
          From helpful tutorials to in-depth launch guides and toolkits, get all the resources you need for a quick and easy launch.
          Work Academy
          Discover new ways to use Meta for Work and best practices to help you work smarter.
          Podcasts
          Listen to our Pioneer Podcasts to hear some of our favorite success stories from our biggest champions.
          TECHNICAL RESOURCES CENTER
          Get help with setting up Workplace, managing domains and other technical issues.
          Mastering Workplace Features
          Ready to become a Workplace pro? Learn all the ins-and-outs of our key features with in-depth guides, step-by-step user instructions and resource hubs.
          Technical Resources
          You don't have to be an IT genius to launch Workplace, but if you are then these technical resources are for you.
          Help Center
          Find step-by-step instructions and answers to frequently asked questions.
          Support
          Still can't find what you're looking for? Get in touch with a team of experts for more hands-on support.
          News Archive
          Workplace innovations, feature announcements and product updates.
          Set up Guides
          From adding a domain to inviting users, follow this step-by-step guide to set up your Workplace.
          Domain Management
          Find out why domain management matters - and how to do it properly.
          Workplace Integrations
          Discover how to bring all your tools together. Something missing? Learn how to build your own integrations.
          Account Management
          Keep your Workplace up to date by creating, maintaining or deactivating user accounts.
          Authentication
          Make sure you only give access to the right people by integrating with your current identity solutions.
          IT Configuration
          Learn how to keep Workplace running smoothly with info on networks, email whitelisting and domains.
          Account Lifecycle
          Understand the process of inviting members of your organization to claim their accounts.
          Security and Governance
          Get the lowdown on how we keep your people and information safe on Workplace with added technical terminology.
          Workplace API
          Learn how you can automate and integrate your custom solutions with Workplace using our API.
          Getting started
          From launching Workplace to paying for it, learn more about those crucial first steps.
          Using Workplace
          This is where we reveal the hidden depths Workplace has to offer with tips and info on key features.
          Managing Workplace
          Got a specific question about managing content, data or employees? This is the place to ask it.
          IT and Developer Support
          Looking for answers to more technical questions about security, integration and the like? Start here.
          Support
          Still can't find what you're looking for? Get in touch with a team of experts for more hands-on support.
          Get in touch
          Need help with your Workplace account? Fill out this form to get all the answers you need from our customer support.
          Security
          Resources
          Security
            Start Using Workplace
              Mastering Workplace Features
              Technical Resources
              Work Academy
                Podcasts
                  Help Center
                  Support
                  English (US)
                  Log in

                  Authentication: ADFS Setup

                  Learn about your options for allowing users access to Workplace.

                  Contents

                  Overview

                  Active Directory Federation Services (ADFS) is a Windows Server component that allows organizations to use Single Sign-on (SSO) access with other applications. In this guide, we will detail the setup required within ADFS to successfully integrate your SSO with Workplace.

                  Configure ADFS for SSO with Workplace

                  Prerequisites

                  In order to configure ADFS for Workplace you need to meet the following prerequisites:

                  • Your SSO system uses Windows Server version 2019 or 2016, Active Directory Domain Services (ADDS), and Active Directory Federation Services (ADFS) v4 or v5.
                  • You have been assigned System Admin role in your Workplace instance.
                  • Your Workplace admin user has the exact same email address as your corresponding Active Directory user. If the email addresses are not a case sensitive match, you will not be able to complete this procedure successfully.
                  ?
                  These instructions are also applicable to the configuration of Windows Server version 2012 R2 or 2008 R2 with AD FS v2, but be aware there are some minor differences in the configuration flow. We recommend upgrading to more recent Window Server versions.

                  Gather the parameters needed to configure ADFS

                  Follow the steps below in Workplace to find the parameters you need to configure ADFS.

                  1
                  Go to the Admin Panel and navigate to the Security section.

                  2
                  Navigate to the Authentication tab.

                  3
                  Check the Single sign-on (SSO) checkbox.

                  4
                  Note down the values your Audience URL and Recipient URL, which you will need during the ADFS configuration step.

                  Create the Relying Party Trust in ADFS

                  Before ADFS will allow federated authentication (i.e., SSO) for an external system, you must set up a Relying Party Trust. This configuration identifies the external system along with the specific technology that is used for SSO. This procedure will create a Relying Party Trust that produces SAML 2.0 Assertions for Workplace.

                  1
                  Open the ADFS Management snap-in. Click on Relying Party Trusts and choose Add Relying Party Trust.

                  2
                  Choose the Claims aware radio button. Click Start.

                  3
                  Select Enter data about the relying party manually and click Next.

                  4
                  Set the DisplayName as Workplace. Click Next.

                  5
                  Click Next to skip the optional step of selecting a token signing certificate.

                  6
                  Click the checkbox Enable support for the SAML 2.0 WebSSO protocol. Enter your Workplace Recipient URL you have noted down into the text box Relying party SAML 2.0 SSO service URL and click Next.

                  7
                  Enter your Workplace Audience URL in the text box RelyingPartyTrust Identifier, click Add and then click Next.

                  8
                  Click Next to accept the default Access Control Policy.

                  9
                  Review your settings and click Next to add the Relying Party Trust.

                  10
                  Leave the checkbox selected to open the Edit Claim Rules dialog when the wizard closes and click Close.

                  Create the Claim Rules

                  After a user is authenticated, ADFS claim rules specify the data attributes (and those attributes’ format) that will be sent to Workplace in the SAML Response. Since Workplace requires a Name ID element that contains the user’s email address, this example shows a configuration with two rules:

                  • The first rule extracts the user’s User Principal Name from Active Directory (i.e., the user’s Windows Account Name);
                  • The second rule transforms the User Principal Name into a Name ID with Email format.

                  Prepare to create your claim rules

                  Setup ADFS to create the two claim rules to configure SSO for Workplace.

                  1
                  The window Edit Claim Rules for Workplace should open automatically. If not, you can edit claim rules from the ADFS Management snap-in by selecting the Workplace relying party trust and in the right-hand window choose Edit Claim Rules.

                  2
                  Within the Issuance Transform Rules tab, click Add Rule… to start a new rule.

                  Create the first rule

                  Create the first rule to retrieve email address field from Active Directory when the user is authenticated.

                  1
                  For the Claim Rule template, select Send LDAP Attributes as Claims and click Next to continue.

                  2
                  Set the Claim Rule Name to Get LDAP Attributes. Set the Attribute store to Active Directory. In the first row, set the LDAP Attribute to E-Mail-Addresses and set the Outgoing Claim Type to E-Mail Addresses.

                  3
                  Click Finish to add the rule.

                  Create the second rule

                  Create the second rule to map email address field to Name Id assertion in SAML response.

                  1
                  Click Create Rule… to start a second new rule.

                  2
                  For Claim Rule Template, select Transform an Incoming Claim and click Next to continue.

                  3
                  For Claim Rule Name, enter Transform Email Address. For Incoming Claim Type, select E-Mail Address. For Outgoing Claim Type, select NameID. For Outgoing name ID format, select Email. Finally, Accept the default radio button selection Pass through all claim values and Click Finish to add the rule.

                  4
                  Click Apply to enact the claim rules.

                  Gather ADFS parameters needed to configure Workplace

                  In order to complete the setup we need to retrieve some parameters that have to be configured in Workplace.

                  ?
                  To finish this configuration and have ADFS produce a valid SAML Assertion, you must be able to authenticate to ADFS as the user that has the exact same email address as your Workplace admin (case sensitive).
                  1
                  Open the ADFS Management snap-in.

                  2
                  Navigate to ADFS > Service > Endpoints.

                  3
                  Confirm the URL of your ADFS metadata under the heading Metadata.

                  4
                  From a web browser, open your ADFS metadata file. This location will be something like: https://{your-fully-qualified-active-directory-domain}/FederationMetadata/2007-06/FederationMetadata.xml.

                  5
                  Make a note of your SAML Issuer URL, which is contained in the entityID attribute of the EntityDescriptor element.

                  6
                  You will also need to make a note of your SAML URL, which is contained in the Location attribute of the the AssertionConsumerService element that has Binding type set to urn::oasis::names::tc::SAML:2.0::bindings::HTTP-POST.

                  Convert your certificate into X.509 format

                  Once you've gone through your identity provider's setup:

                  1
                  From the AD FS management console, choose ADFS > Service > Certificates. Right click on your Token-signing certificate and click View Certificate….

                  2
                  Choose the Details tab and click the button Copy to File….

                  3
                  Click Next to start the wizard. Choose Base-64 encoded X.509 (.CER).

                  4
                  Choose a location on the file system to save the exported certificate file.

                  5
                  Click Finish to complete the export.

                  Complete Workplace SSO configuration

                  You will need your SAML URL, SAML Issuer URL and exported certificate file to complete SSO configuration in Workplace. Please follow the guide in the section Configure Workplace for SSO.