Configure SAML on Microsoft ADFS

Aarthi

Benchling supports single sign-on for Active Directory users by integrating with Microsoft Active Directory Federation Services (ADFS). ADFS is a separate service provided by Microsoft that allows users to perform SAML login using Active Directory credentials.

The instructions below assume that ADFS is already set up and federated with your Active Directory domain.

Open the ADFS Management application, select the Relying Party Trusts folder, and select Actions > Add a new Standard Relying Party Trust to open the wizard and create a Relying Party Trust:

  • Select Data Source: Choose "enter data about the relying party manually"

  • Choose Profile: Choose "AD FS profile" (not "AD FS 1.0 and 1.1 profile")

  • Configure Certificate: You do not need to specify a token encryption certificate

  • Configure URL: Choose the SAML 2.0 option and set the SSO service URL to https://YOURDOMAIN.benchling.com/ext/saml/signin:finish.

  • Configure Identifiers: Set this to https://YOURDOMAIN.benchling.com/ext/saml/metadata.xml.

  • Choose Issuance Authorization Rules: If you'd like all users to be able to access Benchling, choose "Permit all users to access this relying party"; otherwise, choose "Deny all users access to this relying party" (later you'll need to create issuance authorization rules to grant access to the users or groups that should have it).

At the end of the wizard, you'll be able to check an option to open the "Edit Claim Rules" dialog.

Add a new rule:

  • Choose Rule Type: Send LDAP Attributes as Claims

  • Configure Claim Rule: Give the rule a name, and choose Active Directory for the attribute store. Configure the following mappings: E-Mail-Addresses as E-Mail Address, Given-Name as firstName, and Surname as lastName.

Add a second rule:

  • Choose Rule Type: Transform an Incoming Claim

  • Configure Claim Rule: For Incoming claim type choose E-Mail Address, for Outgoing claim type choose Name ID, and for Outgoing name ID format choose Email. Make sure Pass through all claim values is selected.

Advanced - identifying via sAMAccountName: the instructions above identify a user based on their email address. If user email addresses can change, you can identify users by their sAMAccountName instead. This is an identifier within Active Directory that looks like an email but is set for all users. To do this, configure the first rule to also send E-Mail-Addresses as email, and replace the second rule with a rule of type "Send LDAP Attributes as Claims" that sends SAM-Account-Name as the Name ID instead.
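As an added example (not Benchling's or Microsoft's own script), the following builds the same Relying Party Trust and claim rules from the steps above with the AD FS PowerShell module instead of the wizard. It assumes you run it as an AD FS administrator on the federation server, that YOURDOMAIN is your Benchling tenant, and that the group SID in the optional authorization rule is a placeholder you replace with the SID of the AD group that should be allowed to sign in.

```powershell
# Added example: create the Benchling Relying Party Trust and claim rules with
# the ADFS module. Run on the federation server as an AD FS administrator.
Import-Module ADFS

$benchlingHost = "https://YOURDOMAIN.benchling.com"        # placeholder tenant host
$acsUrl        = "$benchlingHost/ext/saml/signin:finish"   # SSO service URL from the article
$entityId      = "$benchlingHost/ext/saml/metadata.xml"    # Relying Party identifier from the article

# Standard claim type URIs referenced by the rules below
$emailClaim   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$nameIdClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$winAcctClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$groupSidClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$permitClaim  = "http://schemas.microsoft.com/authorization/claims/permit"
$formatProp   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"

# Rule 1: "Send LDAP Attributes as Claims"
#   E-Mail-Addresses (mail) -> E-Mail Address, Given-Name -> firstName, Surname (sn) -> lastName
$rule1 = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Benchling user attributes"
c:[Type == "$winAcctClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim", "firstName", "lastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
"@

# Rule 2 (default): "Transform an Incoming Claim", E-Mail Address -> Name ID, format Email,
# passing the value through unchanged
$rule2Email = @"
@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$formatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Advanced variant from the article: rule 1 also sends mail as "email", and rule 2 becomes a
# second LDAP rule that sends sAMAccountName as the Name ID.
$rule1Sam = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Benchling user attributes (sAMAccountName variant)"
c:[Type == "$winAcctClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim", "email", "firstName", "lastName"), query = ";mail,mail,givenName,sn;{0}", param = c.Value);
"@
$rule2Sam = @"
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName to Name ID"
c:[Type == "$winAcctClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$nameIdClaim"), query = ";sAMAccountName;{0}", param = c.Value);
"@

# Pick one set; rules are separated by newlines in the rule set string.
$transformRules = ($rule1, $rule2Email) -join "`n"
# $transformRules = ($rule1Sam, $rule2Sam) -join "`n"   # advanced variant

# Issuance authorization: "Permit all users to access this relying party"
$authzPermitAll = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "$permitClaim", Value = "true");
"@

# Least-privilege alternative: deny by default and permit only members of one AD group.
# Replace the placeholder SID with the real group SID before use.
$authzGroupOnly = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit members of the Benchling users group"
c:[Type == "$groupSidClaim", Value =~ "^(?i)S-1-5-21-PLACEHOLDER-GROUP-SID$"]
 => issue(Type = "$permitClaim", Value = "true");
"@

# SAML 2.0 assertion consumer endpoint (HTTP-POST binding) for the SSO service URL
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name "Benchling" `
    -Identifier $entityId `
    -SamlEndpoint $acsEndpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzPermitAll `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Check: confirm the identifier, endpoint and rules ADFS stored for the trust
Get-AdfsRelyingPartyTrust -Name "Benchling" |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

To use the group-scoped authorization instead of permitting everyone, pass `$authzGroupOnly` to `-IssuanceAuthorizationRules`; with no matching permit rule ADFS denies the user, which is the scripted equivalent of the wizard's "Deny all users" option followed by a later permit rule. The `Get-AdfsRelyingPartyTrust` call at the end is the quickest way to verify the rule text was parsed and stored as intended before testing a login.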

Return to SAML Single Sign-On and continue from Step 2.
