> For the complete documentation index, see [llms.txt](https://docs.xibosignage.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.xibosignage.com/cms-configuration-and-integration/saml-as-an-authentication-provider/saml-single-signon-with-active-directory-adfs.md).

# SAML Single Sign on with Active Directory - ADFS

* Firstly, install the ADFS role on your server.

You will need a valid SSL certificate for the URL you intend to publish your IdP on. In this example, I’m publishing an IdP at `https://fs.test.alexharrington.co.uk`. This IdP won’t exist by the time this article is published. Similarly, your Xibo CMS will need to be hosted on a server protected by a valid SSL certificate.

Once the IdP is installed, ensure you can access the IdP webpage at the URL you have configured from both your Xibo CMS Server, and from the Client computers that your users will use to authenticate against.

{% hint style="info" %}
Visiting, for example, `https://fs.test.alexharrington.co.uk/adfs/ls/` should bring up a webpage served by ADFS with an error. That’s normal. We’re just checking connectivity here.
{% endhint %}

First we need to export the signing certificate from ADFS.

* Open the ADFS console, go to `Service > Certificates` and find the `Token-signing` certificate.

![ADFS Console](/files/SOoi358KZ8gN64AtKYEW)

* Right click on it, and choose `View Certificate`.
* Move to the `Details` tab, and click `Copy to File`...:

![Certificate Details](/files/FgmGvUPfq87tgc87Z8qv)

* Choose `Base-64 encoded X.509` format, and save the file somewhere convenient:

![Certificate Export](/files/EwnXaIVvplqhgmbssitv)

* Now on your Xibo CMS, edit your `settings.php` or `settings-custom.php` file, and add in the example SAML configuration below:

```
$authentication = new \Xibo\Middleware\SAMLAuthentication();

$samlSettings = array (
   'workflow' => array(
        // Enable/Disable Just-In-Time provisioning
        'jit' => true,
        // Attribute to identify the user 
        'field_to_identify' => 'email',   // Alternatives: UserID, UserName or email
        // Default libraryQuota assigned to the created user by JIT
        'libraryQuota' => 1000,
        // Initial User Group
        'group' => 'Users',
        // Home Page
        'homePage' => 'icondashboard.view',
        // Enable/Disable Single Logout
        'slo' => false,
        // Attribute mapping between XIBO-CMS and the IdP
        'mapping' => array (
            'UserID' => '',
            'usertypeid' => '',
            'UserName' => 'uid',
            'email' => 'mail',
        )
    ),
   // Settings for the PHP-SAML toolkit. 
   // See documentation: https://github.com/onelogin/php-saml#settings 
   'strict' => false,
   'debug' => true,
   'idp' => array (
            'entityId' => 'https://<yourcms>/saml/acs',
            'singleSignOnService' => array (
                'url' => 'https://<yourIdP>/adfs/ls',
            ),
            'singleLogoutService' => array (
                'url' => 'http://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php',
            ),
            'x509cert' => '<yourCert>',
        ),
   'sp' => array (
        'entityId' => 'https://<yourCMS>/saml/acs',
        'assertionConsumerService' => array (
            'url' => 'https://<yourCMS>/saml/acs',
        ),
        'singleLogoutService' => array (
            'url' => 'https://<yourCMS>/saml/sls',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'x509cert' => '',
        'privateKey' > '',
    ),
    'security' => array (
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => false,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
    )
);
```

Be sure to replace:

* `<yourIdP>` with the URL of your ADFS server
* `<yourCMS>` with the URL of your Xibo CMS
* `<yourCert>` with the text contents of the certificate you exported from ADFS, all on one line, excluding the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines

{% hint style="warning" %}
**Please note:** `homePage` => `icondashboard.view` needs to be replaced if you are using a CMS earlier than v3.x:

Earlier than v3.x - replace `icondashboard.view` with `icondashboard`

Earlier than v2.0.3 - replace `icondashboard.view` with `dashboard`
{% endhint %}

**Save** the file, and now your CMS will redirect to your SAML IdP when you go to login.

* Back in the ADFS console, go to `Trust Relationships -> Relaying Party Trusts`
* Select `Add Relaying Party Trust` to start the Wizard.
* At the `Select Data Source` step, enter the SAML metadata URL for your CMS - so for example `https://<yourCMS/saml/metadata`

![Data Source](/files/h5HFORx8q0XQRhmFOJjK)

There are various advanced options presented, most of which are out of the scope of this guide. Please select the options you require. In my case, I choose `I do not want to configure multi-factor authentication settings for this relaying party trust at this time` and `Permit all users to access this relaying party` when prompted.

Finally a summary is presented:

![Advanced Options](/files/1nIYkpuPP3iQxoZWvdrb)

Leave the box ticked to `Edit Claim Rules` and finish the wizard.

We need to add three claim rules.

* Click `Add Rule`, and choose `Send Claims Using a Custom Rule`:

![Claim Rule](/files/ehvxPCfLKMIjiUwdfCOT)

* Name the rule `Create Persistent Identifier 1`, and enter the following custom rule:

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "_OpaqueIdStore", types = ("http://xibo/internal/persistentId"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);
```

* Add a second rule, and choose the type `Transform an Incoming Claim`. Call this rule `Create Persistent Identifier 2`, and configure as follows:

![Edit Rule](/files/aIg329kJkFDQrBWY5dQJ)

* Finally add a third rule, of type `Send LDAP Attributes as Claims`. Name it `User Info`, and set it up as follows:

![User Info](/files/iApG9t2HW7JMCw0h7zYE)

You should now be able to log in to your Xibo CMS as any user inside Active Directory.

{% hint style="warning" %}
Please ensure all users have a valid email address set on their Active Directory User account. Users will be created in Xibo using the Active Directory SAM-Account-Name as the username, and E-Mail address from the E-Mail Addresses field.
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.xibosignage.com/cms-configuration-and-integration/saml-as-an-authentication-provider/saml-single-signon-with-active-directory-adfs.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
