> Learn how to connect your application to Active Directory Federation Services (ADFS) using enterprise connections.

# Connect Your App to ADFS

To connect your application to Microsoft's Active Directory Federation Services (ADFS), you will need to provide the following information to your ADFS administrator:

* Realm Identifier: `urn:auth0:{yourTenant}`
* Endpoint: `https://{yourDomain}/login/callback` or `https://<YOUR CUSTOM DOMAIN>/login/callback`, if you are using a [custom domain](/docs/customize/custom-domains).

<Card title="Federated metadata">
  The Federation Metadata file contains information about the ADFS server's certificates. If the Federation Metadata endpoint (`/FederationMetadata/2007-06/FederationMetadata.xml`) is enabled in ADFS, Auth0 can periodically (once a day) look for changes in the configuration, like a new signing certificate added to prepare for a rollover. Because of this, enabling the Federation Metadata endpoint is preferred to providing a standalone metadata file. If you provide a standalone metadata file, we will notify you via email when the certificates are close to their expiration date.
</Card>
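The card above explains why Auth0 prefers the live Federation Metadata endpoint: it carries the ADFS signing certificates, and a rollover that is not picked up on the Auth0 side means tokens stop validating. The following script is an added example, not part of the Auth0 page or the `adfs-auth0` script, that parses a Federation Metadata document and reports how long each signing certificate has left, so an expiring certificate is noticed before the connection breaks. `Get-SigningCertificateStatus`, the `$WarnDays` threshold and the `adfs.example.test` host are assumptions; the sample input is constructed with a throwaway self-signed certificate so the script runs offline (it needs Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7, for `CertificateRequest`). In production you would pass the body of `https://<YOUR ADFS HOST>/FederationMetadata/2007-06/FederationMetadata.xml` instead.

```powershell
# Added example (not from the Auth0 page or the adfs-auth0 script): report the
# expiry of every signing certificate published in ADFS Federation Metadata.
function Get-SigningCertificateStatus {
    param(
        [Parameter(Mandatory)] [string] $MetadataXml,
        [int] $WarnDays = 30                       # assumed threshold for "rollover soon"
    )
    [xml] $doc = $MetadataXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Only KeyDescriptor elements marked use="signing" are used to verify tokens;
    # encryption keys are listed separately and do not affect trust in ADFS tokens.
    $xpath = '//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    foreach ($node in $doc.SelectNodes($xpath, $ns)) {
        $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        $daysLeft = [int] ($cert.NotAfter - (Get-Date)).TotalDays
        $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -lt $WarnDays) { 'ROLLOVER-SOON' }
                  else { 'OK' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# --- constructed sample input: a self-signed certificate that expires in 20 days ---
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=ADFS Signing - constructed sample', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned((Get-Date).AddDays(-1), (Get-Date).AddDays(20))
$b64 = [Convert]::ToBase64String($sample.RawData)

# Minimal metadata shaped like the ADFS document; the host name is a placeholder.
$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$b64</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

Get-SigningCertificateStatus -MetadataXml $sampleMetadata | Format-Table -AutoSize
```

Running this against the constructed sample yields one row flagged `ROLLOVER-SOON`, since 20 days is below the assumed 30-day threshold. Against a real metadata document you would normally see two signing certificates during a rollover window (the current one and the one ADFS has already published as primary-to-be), which is exactly the change Auth0's daily metadata poll is designed to pick up.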

You can use a script to set up the connection, or set it up manually.

## Scripted setup

Run the following two commands in the Windows PowerShell window.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  You must run this script as an administrator of your system.
</Callout>

```powershell wrap lines theme={null}
(new-object Net.WebClient -property @{Encoding = [Text.Encoding]::UTF8}).DownloadString("https://raw.github.com/auth0/adfs-auth0/master/adfs.ps1") | iex
```

```powershell lines theme={null}
AddRelyingParty "urn:auth0:{yourTenant}" "https://{yourDomain}/login/callback"
```

For automated integration, this script uses the [ADFS PowerShell SnapIn](http://technet.microsoft.com/en-us/library/adfs2-powershell-basics.aspx) to create and configure a **<Tooltip tip="Relying Party: Entity (such as a service or application) that depends on a third-party identity provider to authenticate a user." cta="View Glossary" href="/docs/glossary?term=Relying+Party">Relying Party</Tooltip>** that will issue, for the authenticated user, the following claims: **email**, **upn**, **given name**, and **surname**.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If you are using the [custom domains](/docs/customize/custom-domains) feature, you will need to replace the `$webAppEndpoint` value with `https://<YOUR CUSTOM DOMAIN>/login/callback`.
</Callout>

The script creates the Relying Party Trust on ADFS, as follows:

```powershell lines theme={null}
$realm = "urn:auth0:{yourTenant}";
$webAppEndpoint = "https://{yourDomain}/login/callback";
Add-PSSnapin Microsoft.Adfs.Powershell
Add-ADFSRelyingPartyTrust -Name $realm -Identifier $realm -WSFedEndpoint $webAppEndpoint
$rp = Get-ADFSRelyingPartyTrust -Name $realm
```

The script also creates rules to output the most common attributes, such as email, UPN, given name, or surname:

```powershell lines theme={null}
$rules = @'
@RuleName = "Store: ActiveDirectory -> Mail (ldap attribute: mail), Name (ldap attribute: displayName), Name ID (ldap attribute: userPrincipalName), GivenName (ldap attribute: givenName), Surname (ldap attribute: sn)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,displayName,userPrincipalName,givenName,sn;{0}", param = c.Value);
'@
Set-ADFSRelyingPartyTrust -TargetName $realm -IssuanceTransformRules $rules
$rSet = New-ADFSClaimRuleSet -ClaimRule '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Set-ADFSRelyingPartyTrust -TargetName $realm -IssuanceAuthorizationRules $rSet.ClaimRulesString
```

## Manual setup part 1: Add a Relying Party Trust

1. Open the ADFS Management Console.
2. On the right side of the console, click **Add Relying Party Trust**.
3. Click **Start**.
4. Select **Enter data about the relying party manually**, and click **Next**.
5. Type a name (such as `{yourAppName}`), and click **Next**.
6. Use the default (`ADFS 2.0 profile`), and click **Next**.
7. Use the default (`no encryption certificate`), and click **Next**.
8. Check **Enable support for the WS-Federation...**, and type this value in the textbox:
   `https://{yourDomain}/login/callback`, or if you are using a [custom domain](/docs/customize/custom-domains), use `https://<YOUR CUSTOM DOMAIN>/login/callback`
9. Click **Next**.
10. Add a Relying Party Trust identifier with this value:
    `urn:auth0:{yourTenant}`
11. Click **Add**, and then **Next**.
12. Leave the default `Permit all users...`, and click **Next**.
13. Click **Next**, and then **Close**.

## Manual setup part 2: Add a claim issuance policy rule

1. If you're using Windows Server 2019, the Edit Claim Issuance Policy dialog box automatically opens when you finish the Add Relying Party Trust wizard. If you're using Windows 2012 or 2016, follow these steps:

| In Windows Server 2012                                                                                                                                  | In Windows Server 2016                                                                                                                                                                                     |
| ------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| In the Actions panel on the right side of the console, find the Relying Party Trust you just created. Beneath it, click **Edit Claim Issuance Policy**. | In the console tree, under ADFS, click **Relying Party Trusts**. On the right side of the console, find the Relying Party Trust you just created. Right-click it and click **Edit Claim Issuance Policy**. |

2. In the Edit Claim Issuance Policy Window, under Issuance Transform Rules, click **Add Rule...**.
3. Leave the default `Send LDAP Attributes as Claims`.
4. Give the rule a name that describes what it does.
5. Under Attribute Store, select **Active Directory**.
6. Select these mappings under `Mapping of LDAP attributes to outgoing claim types`, and click **Finish**.

| LDAP Attribute      | Outgoing Claim Type |
| ------------------- | ------------------- |
| E-Mail-Addresses    | E-Mail Address      |
| Display-Name        | Name                |
| User-Principal-Name | Name ID             |
| Given-Name          | Given Name          |
| Surname             | Surname             |

### Add additional LDAP attributes

The mappings in the previous steps are the most commonly used, but if you need additional LDAP attributes with information about the user, you can add more claim mappings.

1. If you closed the window on the previous step, select **Edit Claim Rules** on the context menu for the Relying Party Trust you created, and edit the rule.
2. Create an additional row for every LDAP attribute you need, choosing the attribute name in the left column and desired claim type in the right column.
3. If the claim type you are looking for doesn't exist, you have two options:

   1. Type a [namespace-qualified name](/docs/secure/tokens/json-web-tokens/create-custom-claims) for the new claim (for example, `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department`).
   2. Register a new claim type (under **ADFS > Services > Claim Descriptions** on the ADFS admin console), and use the claim name in the mapping.
      Auth0 uses the name part of the claim type (for example `department` in `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department`) as the attribute name for the user profile.
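The scripted setup above emits one fixed issuance transform rule, and this section describes adding attributes such as `department` by hand. The following script is an added example, not part of the Auth0 page or the `adfs-auth0` script, that generates the same "Send LDAP Attributes as Claims" rule from an ordered table of LDAP attribute to claim type mappings, so extra attributes can be added without hand-editing the rule text. It serves both the scripted rule and this section. `New-LdapAttributeClaimRule` and the mapping table are assumptions; the claim type URIs are the ones the page already uses plus the `department` example from step 3. The rule text it produces is the same shape as the `$rules` here-string in the scripted setup, and the commented-out `Set-AdfsRelyingPartyTrust` call at the end shows where it would be applied.

```powershell
# Added example (not from the Auth0 page or the adfs-auth0 script): build an ADFS
# issuance transform rule that reads LDAP attributes from Active Directory and
# issues them as claims, from an ordered attribute -> claim type table.
function New-LdapAttributeClaimRule {
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        # Ordered so the LDAP query list and the claim type list stay aligned;
        # ADFS maps them positionally, which is the easy thing to get wrong by hand.
        [Parameter(Mandatory)] [System.Collections.Specialized.OrderedDictionary] $Mappings
    )
    $ldapAttributes = @($Mappings.Keys)
    $claimTypes     = @($Mappings.Values)
    if ($ldapAttributes.Count -eq 0 -or $ldapAttributes.Count -ne $claimTypes.Count) {
        throw "Each LDAP attribute needs exactly one outgoing claim type."
    }
    # Claim types must be namespace-qualified URIs: Auth0 takes the last path
    # segment (e.g. "department") as the user profile attribute name.
    foreach ($ct in $claimTypes) {
        if ($ct -notmatch '^https?://\S+/\S+$') { throw "Claim type '$ct' is not namespace-qualified." }
    }
    $typesList = ($claimTypes | ForEach-Object { '"{0}"' -f $_ }) -join ",`n             "
    # The query is ";attr1,attr2,...;{0}" where {0} is the Windows account name.
    $query = ';{0};{{0}}' -f ($ldapAttributes -join ',')
    @"
@RuleName = "$RuleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
    types = ($typesList), query = "$query", param = c.Value);
"@
}

# Constructed mapping table: the five standard claims from the page plus department.
$xmlsoap = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$mappings = [ordered]@{
    mail              = "$xmlsoap/emailaddress"
    displayName       = "$xmlsoap/name"
    userPrincipalName = "$xmlsoap/nameidentifier"
    givenName         = "$xmlsoap/givenname"
    sn                = "$xmlsoap/surname"
    department        = "$xmlsoap/department"   # surfaces in the Auth0 profile as "department"
}

$rules = New-LdapAttributeClaimRule -RuleName 'Store: ActiveDirectory -> standard claims + department' -Mappings $mappings
$rules   # print the generated rule for review before applying it

# Apply to the relying party created by the scripted setup. Requires the ADFS
# cmdlets and an elevated session, so it is left commented out here.
# $realm = "urn:auth0:{yourTenant}"
# Set-AdfsRelyingPartyTrust -TargetName $realm -IssuanceTransformRules $rules
```

Because the function rejects a bare claim name like `department`, a mapping that would silently produce a claim Auth0 cannot place in the profile fails at generation time rather than after the first login. Review the printed rule, then apply it with the same `Set-AdfsRelyingPartyTrust -IssuanceTransformRules` call the scripted setup uses.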

## Next Steps

Now that you have a working connection, the next step is to configure your application to use it. You can follow our step-by-step quickstarts or use our libraries and API.

* [Get started with our Quickstarts](/docs/quickstarts)
* [Configure your application using our Lock login form](/docs/libraries/lock)
* [Configure your application using the Auth0.js library and your own UI](/docs/libraries/auth0js)
* [Use our Authentication API to authenticate](https://auth0.com/docs/api/authentication)
