Single Sign On
      Back to home
      1. Help Centre
      2. FAQ for administrators
      3. Single Sign On

      How do I setup Single-Sign-On in desk.ly with ADFS?

      Connect your ADFS to desk.ly using OpenID Connect

      Preparations

      If you use Active Directory Federation Services (ADFS) in your company, you can also use this for authentication with desk.ly. In this case, as with Single Sign On with OpenID, make sure that your account has a subdomain. If this is the case, we can now continue in the "Admin Area" under "Authentication".

      In the authentication settings activate the "Company login (OpenID authentication)". Copy the "Callback URL" from the right side and save it somewhere, we will need it later.

      Configuration in ADFS

      Create application

      Now go to the AD FS Management Console and add a new Application Group. In the dialog box that opens, enter a name for the application and select "Server application accessing a web API" under "Client-Server applications".

      In the next step you copy the displayed "Client Identifier" and store it somewhere. We will need it later as well. Under "Redirect URI" add the URL you copied from the previous step (Preparations).

      Now enable "Generate a shared secret" at "Configuration Application Credentials". Also copy this and put it somewhere.

      In the next step "Configure Web API" add the "Client Identifier" you just copied to "Identifier".

      Now decide in the next step for a suitable "Apply Access Control Policy".

      Now make sure that you check allatclaims, email, openid and profile under "Configure Application Permissions".

      Check all settings again under "Summary" and then complete the setup.

      Configure the application

      Now we need to add some LDAP attributes to make the login in desk.ly work. To do this, select the Application Group you just created and edit the "Web API".

      Click on the "Issuance Transform Rules" tab and add a new rule. Give it a name and select "Active Directory" under "Attribute Store". Now create the following attributes:

      LDAP Attribute Outgoing Claim Type
      User-Principal-Name UPN
      E-Mail-Adresses email
      Surname lastName
      Given-Name givenName

      Configuration in desk.ly

      Now return to the authentication settings in desk.ly and fill in the fields:

      1. Type: Active Directory Federation Services (ADFS)
      2. Discovery URL: [YOUR ADFS URL]/adfs/.well-known/openid-configuration
      3. Client ID: Paste the "Client Identifier" that you copied when you created the application in ADFS.
      4. Client Secret: Insert the secret you copied when you created the application in ADFS.
      5. Audience: microsoft:identityserver:[CLIENT ID]
      6. Response Type: code
      7. Scopes: allatclaims openid profile email