Configure Single Sign-On using WS-Federation

Complete the steps in the following procedure to configure Single Sign-On (SSO) using the WS-Federation protocol on the Single Sign On page in the Security module of the Enterprise Admin Console. The Security Assertion Markup Language (SAML) and OpenID Connect protocols are also supported. For more information, see Using Single Sign-On.

  1. In the Security module on the Single Sign On page in the Enterprise Admin Console, click Enable SSO.
  2. In the Select suitable Sign-On Protocol section, select WS-Federation.
  3. In the Configure SSO for WS-Federation section:
    1. On the Scope tab, select one of:
      • All <My Domain Name> users
      • Only managed <My Domain Name> users. For more information about managed users, see Working with Managed Users.
    2. On the Configure tab, select an identity provider, and then define the settings for:

      1. Windows Azure®
        • Azure AD Sign-On End Point URL - The URL to which the Messaging Platform sends sign-on and sign-off requests when using Azure. The authentication response is sent to the Reply URL defined in your Azure Active Directory configuration settings.
        • Azure AD Federation Metadata Document - The URL of the federation metadata document used for authentication with Azure Active Directory.
      2. Other - Generic WS-Federation identity provider configuration. Select this option if you are not using Windows Azure.
        • AD Sign-On End Point URL - The URL to which the Messaging Platform sends sign-on and sign-off requests when using your WS-Federation identity provider.
        • AD Federation Metadata Document URL - The URL of the WS-Federation metadata document used for authentication with Active Directory.
        • In the administrative console for your Single Sign-On provider, you must also define the URLs used to exchange data between the Messaging Platform and your SSO provider. The names of these URLs vary by SSO provider, but you will need to define the following:

          • Assertion Consumer Service (ACS) URL or Callback URL as
          • Identity URL or Sign On URL as
        • In addition to the authentication values, you must pass the email address of the user as an LDAP attribute from Active Directory when using ADFS. For more information, see Attributes for ADFS.
  4. Click Save.
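Before pasting the Sign-On End Point URL and Federation Metadata Document URL into the Configure tab, it is worth checking that the metadata your identity provider publishes actually names the endpoint you are about to configure, and noting the thumbprint of the signing certificate it advertises. The following Python script is an added example (not part of the product or this documentation) that parses a WS-Federation metadata document with the standard library and performs that check; the hostname `sts.example.test` and the certificate blob in the sample metadata are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces found in a WS-Federation metadata document (FederationMetadata.xml).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Constructed sample metadata: the hostname and the certificate blob are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://sts.example.test/adfs/services/trust">
 <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <fed:PassiveRequestorEndpoint><EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
   <Address>https://sts.example.test/adfs/ls/</Address></EndpointReference>
  </fed:PassiveRequestorEndpoint>
 </RoleDescriptor>
</EntityDescriptor>"""

def parse_wsfed_metadata(xml_text: str) -> dict:
    """Extract the passive sign-on endpoint and signing-certificate thumbprints."""
    root = ET.fromstring(xml_text)
    # The Security Token Service role publishes the browser (passive) sign-on endpoint.
    sts = [r for r in root.findall("md:RoleDescriptor", NS)
           if r.get(XSI_TYPE, "").endswith("SecurityTokenServiceType")]
    if not sts:
        raise ValueError("metadata has no SecurityTokenServiceType RoleDescriptor")
    addr = sts[0].find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    if addr is None or not addr.text:
        raise ValueError("metadata has no PassiveRequestorEndpoint address")
    # SHA-1 thumbprints of the signing certs, to compare with what the IdP admin reports.
    thumbprints = []
    for kd in sts[0].findall("md:KeyDescriptor[@use='signing']", NS):
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbprints.append(hashlib.sha1(der).hexdigest())
    return {"entity_id": root.get("entityID", ""), "signon_endpoint": addr.text.strip(),
            "signing_thumbprints": thumbprints}

def endpoint_matches_configured(meta: dict, configured_url: str) -> bool:
    """True if the console's Sign-On End Point URL equals the published one and both use HTTPS."""
    pub, cfg = urlparse(meta["signon_endpoint"]), urlparse(configured_url)
    same = (pub.netloc.lower(), pub.path.rstrip("/")) == (cfg.netloc.lower(), cfg.path.rstrip("/"))
    return same and pub.scheme == "https" and cfg.scheme == "https"
```

For a real identity provider, fetch the Federation Metadata Document URL over HTTPS and pass its body to `parse_wsfed_metadata` instead of `SAMPLE_METADATA`.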

The message "Identity Provider information successfully updated" is displayed at the top of the page. The following illustration shows the Single Sign On page with the WS-Federation sign-on protocol selected: