---
title: "Configuring Microsoft AD FS On-Premise SSO with OpenID Connect"
slug: "configuring-microsoft-ad-fs-on-premise-sso-with-openid-connect"
updated: 2025-06-22T21:08:48Z
published: 2025-06-22T21:08:48Z
canonical: "documentation.encodify.com/configuring-microsoft-ad-fs-on-premise-sso-with-openid-connect"
---

# Configuring Microsoft AD FS On-Premise SSO with OpenID Connect

## Overview

---

This article provides step-by-step guidance on how to configure **Microsoft Active Directory Federation Services (AD FS)** for Encodify **using OpenID Connect (OIDC)**.

## Configuring OpenID Connect for Encodify via Microsoft AD FS (On-Premise)

---

### Step 1: Start IdP Configuration in Encodify

1. Navigate to: **Site Configuration → Identity Providers and Users → Identity Providers**.
2. Click **Add New IdP**.
3. Fill in the fields as follows:
  - **Name ID**: Use only English letters without spaces. This will be part of the URL.
  - **Display Name for Login Page**: This will be shown on the login button.
  - **Authentication Method**: Select **OpenID Connect**.
  - **Email Domains (optional)**: Specify allowed domains (e.g. `encode.dk, microsoft.com`).
4. Click **Next** to proceed to Step 2.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20923816720669.png)

### Step 2: Link to a Login URL

1. Link your IdP configuration to an existing **Login URL** and **Login Page**, or create new ones.
  - Each IdP can be linked to only one Login URL.
2. Click **Next** to proceed to Step 3.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/image-1750615556332.png)

### Step 3: Copy Callback URL and Authorisation Base URL

1. Copy the **Callback URL** and the **Authorisation Base URL** shown in Encodify. You'll use these values when creating the server application in AD FS. The Callback URL becomes the Redirect URI registered in AD FS, and AD FS only accepts an exact match (scheme, host and path), so copy it as displayed rather than retyping it.
  1. Example Callback URL: `/login/oauth2/code/adfsoidc`
  2. Example Authorisation Base URL: `/oauth2/authorization/adfsoidc`

### Step 4: Create OAuth Credentials in Microsoft AD FS Server

> [!WARNING]
> **Important**: Minimum AD FS version supporting OpenID Connect: Windows Server 2016.

#### Create a Server Application

1. Open the **AD FS Management Console**.
2. Create a new **Application Group**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20923816713373.png)

3. Select **Server application** under Standalone Applications.
4. Enter a name for your app integration.
5. Copy the **Client Identifier**. This becomes the **OAuth2 Client ID** in Encodify.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20923816719005.png)

6. For **Redirect URI**, paste the **Callback URL** from Encodify and click **Add**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20924324745373.png)

7. Check **Generate a shared secret** and copy it. AD FS shows the secret only once; if you lose it you must generate a new one and update Encodify.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20924359328669.png)

8. Click **Next** to complete setup.

#### Add Web API Application

1. Open the created Application Group and click **Add Application → Web API**.
2. Set an identifier:
  - Add the **Client Identifier** you copied from the Server Application (AD FS uses this match to issue the Web API's claim rules to that client), plus any internal identifier such as your Encodify base URL.
3. Click **Next**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20928112142621.png)

4. For **Access Control Policy**, select **Permit Everyone**. This lets every AD FS user authenticate to Encodify; if only some users should have access, choose a narrower built-in policy such as **Permit specific group** instead.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20928112144797.png)

5. On **Configure Application Permissions**, select scopes:
  - `allatclaims`
  - `email`
  - `openid`
6. Click **Next** and complete the wizard.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20928112147869.png)

#### Set LDAP Attributes as Claims

1. Re-open the **Web API** entry under your Application Group.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20928407258141.png)

2. Go to **Issuance Transform Rules → Add Rule**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20928391946909.png)

3. Choose **Send LDAP Attributes as Claims**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20928407260957.png)

4. Map as follows:

| LDAP Attribute | Outgoing Claim Type |
| --- | --- |
| E-Mail-Addresses | E-Mail Address |
| Display-Name | Name |
| Department | Role |
| Token-Groups - Unqualified Names | Group |

5. Finish the configuration.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/21008073677469.png)
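The whole of Step 4 can also be scripted with the AD FS PowerShell module, which is useful for repeatable deployments and for keeping the configuration in version control. The script below is an added example, not code from the Encodify page or from Microsoft; it is run on the AD FS server and assumes placeholder names and hosts (`Encodify` as the application group identifier, `encodify.example.com` as the Encodify site) that you replace with your own. It reproduces the wizard: server application with a generated secret, Web API whose identifier includes the Client ID, the `openid`/`email`/`allatclaims` scopes, and the four LDAP claim mappings from the table above written in AD FS claim rule language.

```powershell
# Added example: Step 4 of the Encodify AD FS OIDC setup as AD FS PowerShell.
# Requires Windows Server 2016 or later; run in an elevated session on the AD FS server.
# All names, hosts and the group identifier below are assumptions - adjust them to your environment.
Import-Module ADFS

$groupId     = 'Encodify'                                                # application group identifier (assumed)
$clientId    = [guid]::NewGuid().ToString()                              # becomes the OAuth2 Client ID in Encodify
$redirectUri = 'https://encodify.example.com/login/oauth2/code/adfsoidc' # Callback URL copied from Encodify Step 3
$apiBaseUrl  = 'https://encodify.example.com'                            # optional second Web API identifier

New-AdfsApplicationGroup -Name 'Encodify' -ApplicationGroupIdentifier $groupId

# Server application: a confidential client. -GenerateClientSecret makes AD FS create the
# shared secret; it is returned on the created object and cannot be read back later.
$serverApp = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupId `
    -Name 'Encodify Server Application' -Identifier $clientId `
    -RedirectUri $redirectUri -GenerateClientSecret

# "Send LDAP Attributes as Claims" rule equivalent to the mapping table:
# E-Mail-Addresses -> E-Mail Address, Display-Name -> Name, Department -> Role,
# Token-Groups (unqualified names) -> Group.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Encodify LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";mail,displayName,department,tokenGroups;{0}", param = c.Value);
'@

# Web API: the identifier list includes the client ID so that AD FS applies these
# claim rules to tokens issued to this client. 'Permit everyone' matches the wizard;
# use e.g. 'Permit specific group' to restrict who may sign in.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupId -Name 'Encodify Web API' `
    -Identifier @($clientId, $apiBaseUrl) `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $issuanceRules

# Scopes the Encodify client is allowed to request (Configure Application Permissions).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $clientId `
    -ScopeNames @('openid', 'email', 'allatclaims')

# Values to paste into Encodify Step 5. Store the secret in a secrets manager, not in the script output.
"OAuth2 Client ID:     $clientId"
"OAuth2 Client Secret: $($serverApp.ClientSecret)"
```

If the `Get-AdfsWebApiApplication` output later shows the identifier without the client ID, the custom claims will be missing from the ID token even though the rule exists; that identifier match is the part most often got wrong when the wizard is repeated by hand.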

### Step 5: Complete IdP Configuration in Encodify

1. Select the **OpenID Connect Type**:
  - Choose **Microsoft Active Directory Federation Services (MS ADFS)** from the dropdown.
2. Choose one of the following setup options:

#### Option A: Auto-fetch Configuration via URL

1. In the **OpenID Connect Config URL** field, enter the AD FS discovery document URL (`adfs.encode.dk` below is an example host; use your own AD FS hostname):

```plaintext
https://adfs.encode.dk/adfs/.well-known/openid-configuration
```
2. Press **Enter**. The following fields will auto-populate from the discovery document:
  - **OpenID Connect JWK URI**
  - **OAuth2 Authorization URL**
  - **OAuth2 Access Token URL**

#### Option B: Manual Configuration

1. Clear the **OpenID Connect Config URL** field.
2. Enter the following values manually:

| **Field** | **Value** |
| --- | --- |
| OpenID Connect JWK URI | `https://adfs.encode.dk/adfs/discovery/keys` |
| OAuth2 Authorization URL | `https://adfs.encode.dk/adfs/oauth2/authorize/` |
| OAuth2 Access Token URL | `https://adfs.encode.dk/adfs/oauth2/token/` |
| OAuth2 Client ID | *The Client Identifier from the AD FS Server Application (example: `03f0e403-9943-4339-ad5f-56a8a9abccc8`)* |
| OAuth2 Client Secret | *Paste the shared secret from AD FS* |
| OAuth2 Scope | `email, openid, allatclaims` |
| External User ID Attribute | `email` |
3. Map additional attributes:

> [!WARNING]
> **Note**: The claim names AD FS puts in the token (for example `unique_name` and `email`) differ from the outgoing claim type names chosen in the claim rule (`Name`, `E-Mail Address`). Map the token claim names, and confirm them by decoding an ID token from a test login rather than assuming them.

| **AD FS Token Claim** | **Encodify Attribute** |
| --- | --- |
| `unique_name` | `Name` |
| `email` | `Email` |

4. Click **Next** to continue with additional setup steps such as assigning access rights, default groups, etc.

![ADFS.png](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/22774570920093.png)
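Two checks make Step 5 less error-prone: confirm that the three URLs Option A fills in (or you type in Option B) are what AD FS actually publishes, and read the claim names out of a real ID token so the token claim mapping matches what AD FS emits rather than the claim rule display names. The script below is an added example, not from the Encodify page or from Microsoft. It assumes the page's example host `adfs.encode.dk`, that you pass the Client ID from AD FS, and that `$IdToken` is an ID token you captured from a test login (for instance from the AD FS debug trace or the browser's network tools); it only reads the token payload and does not verify its signature, so use it for inspection, not for trust decisions.

```powershell
# Added example: verify AD FS OIDC endpoints and inspect ID token claims before filling in Step 5.
# $AdfsHost, $ClientId and $IdToken are placeholders you supply; nothing here is Encodify code.
param(
    [string]$AdfsHost = 'adfs.encode.dk',   # example host from the page; use your AD FS hostname
    [string]$ClientId,                      # Client Identifier of the AD FS Server Application
    [string]$IdToken                        # optional: an ID token captured from a test login
)

# 1. Discovery document: the values Option A auto-fills come from here.
$discovery = Invoke-RestMethod -Uri "https://$AdfsHost/adfs/.well-known/openid-configuration"
[pscustomobject]@{
    'Issuer'                   = $discovery.issuer
    'OpenID Connect JWK URI'   = $discovery.jwks_uri
    'OAuth2 Authorization URL' = $discovery.authorization_endpoint
    'OAuth2 Access Token URL'  = $discovery.token_endpoint
    'Scopes supported'         = ($discovery.scopes_supported -join ', ')
} | Format-List

foreach ($scope in 'openid', 'email', 'allatclaims') {
    if ($discovery.scopes_supported -notcontains $scope) {
        Write-Warning "Scope '$scope' is not advertised by this AD FS farm."
    }
}

# 2. Decode the payload (second segment) of a JWT. Base64url needs '-'/'_' swapped and padding restored.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $segments = $Token.Split('.')
    if ($segments.Count -ne 3) { throw 'Not a compact JWT (expected header.payload.signature).' }
    $payload = $segments[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

if ($IdToken) {
    $claims = ConvertFrom-JwtPayload -Token $IdToken

    # Sanity checks on issuer and audience; a mismatch means the token is not for this client.
    if ($claims.iss -ne $discovery.issuer) { Write-Warning "Issuer '$($claims.iss)' differs from discovery issuer '$($discovery.issuer)'." }
    if ($ClientId -and $claims.aud -ne $ClientId) { Write-Warning "Audience '$($claims.aud)' is not the Client ID '$ClientId'." }

    # These are the names to enter in the "AD FS Token Claim" column of the mapping table.
    "Claims present in the ID token:"
    $claims.PSObject.Properties | Select-Object Name, Value | Format-Table -AutoSize

    foreach ($expected in 'email', 'unique_name') {
        if (-not $claims.PSObject.Properties[$expected]) {
            Write-Warning "Claim '$expected' is missing; check the Web API identifier and the issuance transform rules."
        }
    }
}
```

Run it first without `-IdToken` to confirm the URLs, then again with a captured token after the Web API claim rules are in place. A token that carries `aud` equal to the Client ID but no `email` claim usually means the Web API identifier does not include the Client ID, so the claim rules were never applied.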

### Step 6: Attribute and Group Mapping (Optional)

1. You can optionally map token claims from AD FS (for example the `role` and `group` claims produced by the Department and Token-Groups rules) to:
  - **Encodify Access Rights**
  - **User Groups**
2. If you're not mapping from token attributes, continue with default settings.

### Step 7: Default User Groups

1. Define default groups to assign on first login.
2. Click **Next**.

### Step 8: Welcome Message & First Login Email

1. Optionally enable a **Welcome Email** and **First Login Message**.
2. Click **Save IdP** to complete the setup.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/image-1750615026946.png)

### Logging In via Microsoft AD FS OIDC

If AD FS is the only authentication method linked to the Login URL, users are redirected directly. If multiple methods exist, users will see a button (e.g. **Sign in with ADFS OIDC**). Upon first login, users will be auto-provisioned in Encodify with configured roles and attributes.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/20928590098205.png)
