We are upgrading your ProofHQ Support Experience. To Submit a new request navigate to Workfront Help System and sign in with your ProofHQ credentials then click Open a Ticket

Single Sign-On: AD FS Configuration


1. Download AD FS 2.0 to your computer. 
Please note: You will need to be administrator on your AD server
2. Open the downloaded AdfsSetup.exe file to start the ADFS (Active Directory Federation Services) Installation Wizard
3. On the Server Role screen select one of the options (you need at a minimum a Federation Server).
Please note: If you don't wish to expose IIS on your AD server to the internet (ports 80 and 443 for HTTP and HTTPS) you can first set up a Federation Server behind the firewall and then build a second Federation Server Proxy that passes requests through the firewall to the Federation Server.

4. Once you complete the AD FS setup, check the Start the AD FS 2.0 Management snap-in... tick-box and click Finish.
Once this is completed the AD FS 2.0 Management window should open right away. If not, open it from Start > Administrative Tools > AD FS 2.0 Management. This is the main AD FS control application.

5. Begin by clicking AD FS 2.0 Federation Server Configuration Wizard which will help you to configure AD FS and connect it to both the internet via IIS and to AD
6. If you're configuring a new AD FS server select Create a new Federation Service option.
7. Select the Stand-alone federation server option (for testing and evaluation purposes).
Please note: For high availability and load balancing you will want to rather choose the New federation server farm
8. Here you will be asked to specify your Federation Service name. By default the configuration wizard will retrieve the SSL certificate bound to the Default Web Site in IIS and will use the subject name specified there. If you use a wildcard certificate you will need to enter the Federation Service name.
If there is no SSL certificate configured in IIS the configuration wizard will search in the local computer certificate store for any valid certificates. These will be displayed in the SSL certificate drop-down. If there are no certificates found you can use the Server Certificate Generator in IIS to create one.

9. Continue with the configuration and click close once it is complete.
To configure Single Sign-On on the ProofHQ side login to your ProofHQ account and navigate to Account Settings > Single sign-on tab where you will see the configuration options.
Please note: You need to be an Administrator on the account to access the configuration pages
1. SSO URL: Paste your Entity ID in this field, e.g. http://{adfs.your-company.com}/adfs/services/trust. This can be found in your Federation Metadata XML file.


Please note:
Federation Metadata be found in the AD FS 2.0 snap-in > Service > Endpoints folder. In the Metadata section locate the one with the Federation Metadata type. To view metadata you can paste this endpoint in your browser. You can also go to this link directly: https://{adfs.your-company.com}/FederationMetadata/2007-06/FederationMetadata.xml after replacing the {adfs.your-company.com} with your own details.


2. Login URL: Paste your SSO login URL in this field, e.g. http://{adfs.your-company.com}/adfs/ls. This link can be located in the Federation Metadata XML file as well.


3. Logout URL: Enter the link similar to this example https://{adfs.your-company.com}/adfs/ls/?wa=wsignout1.0 in this field and save. Once this is completed:
Please note: This step can be completed after configuring the Relying Party Trust in your AD FS

4. Certificate fingerprint: In this field you need your the data from your certificate. Go to your ADFS 2.0 snap-in navigate to Service > Certificates > Token-signing. Right click on this entry to view certificate.
From the certificate details tab copy the Thumbprint and paste it in the ProofHQ Single Sign-On configuration tab.

Please note: The fingerprint characters can be separated with colons or spaces, but we do recommend removing these.

If you have any troubles with your Single Sign-On configuration please contact us at support@proofhq.com - we'll be happy to help.
Once configuration is complete you will need to work in the Relying Party Trusts section in your AD FS. Navigate to Trust Relationships > Relying Party Trusts folder and click Add a Relying Party Trust. This will start the configuration wizard. 
Select your data source - all metadata for your ProofHQ account is located under a link like this one: 
https://{yoursubdomain}.proofhq.com/saml/module.php/saml/sp/metadata.php/phq
This will automatically configure most of the Relying Party Trust.

NOTE: If you're having any troubles with establishing the connection from the URL, save the metadata as a file and choose to import data from a file
Please note: When you have a full Custom domain (e.g. www.your-proofing.com) configured on your ProofHQ account replace the whole "{yoursubdomain}.proofhq.com" part with your own domain to create your ProofHQ metadata link.

Once your Relying Party Trust configuration is complete you may choose to Open the Edit Claim Rules dialog to complete the set up.
You will want to configure two claim rules for ProofHQ: E-mail and Name ID. To start navigate to ProofHQ Relying Party Trust and select the Edit Claim Rules option (1). The pop-up should automatically open if you selected this option at the end of configuring the trust.

Click on Add Rule (2) to open the claim configuration window.
Please see the details for the Claim Rules below:
  • E-mail (Send LDAP Attributes as Claims rule template)
  • NameID (Transform an Incoming Claim rule template)


Have more questions? Submit a request
Powered by Zendesk