Link your Identity Provider - AD FS
Learn how to integrate your company's Active Directory Federation Services implementation for federated login access into Stax
Stax integrates with your corporate identity provider using SAML 2.0, so you can bring your own identities and identity management controls to the Stax platform. Active Directory Federation Services (AD FS) is Microsoft's federation service and SAML identity provider (IdP), shipped as a Windows Server role since Windows Server 2003 R2; the SAML 2.0 WebSSO profile this integration uses arrived with AD FS 2.0 on Windows Server 2008 R2.
Before You Begin
- Estimated time to complete: 1 hour
- You need to be a member of the Admin role in your Stax tenancy to complete this task
- You need permissions to administer the AD FS environment
- Older AD FS releases that support SAML 2.0 may work, but we support running AD FS on Windows Server 2016 and newer
Create the Relying Party Trust in AD FS
Prepare the SAML URIs
First, you'll need to determine some URIs. If you're not sure how to get these, simply raise a case in the Stax Console and we'll help you out.
Your <customer-alias> is the value you enter on the Stax Console login page, shown here. In the examples below, it is mega-corp.

Your <installation-id> appears in the URL of the login page after you enter your customer alias, as shown here: it is the label between your customer alias and staxapp.cloud. In the examples below, it is au1.

Once you've determined your <customer-alias> and <installation-id>, you can form the URIs required for SAML setup:
URI | Format | Example |
---|---|---|
Entity ID | https://id.security.<customer-alias>.<installation-id>.staxapp.cloud/auth/realms/master | https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master |
SAML 2.0 Service URL | <entity-id>/broker/adfs/endpoint | https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/adfs/endpoint |
Prepare the Active Directory Domain Services (AD) Groups
Stax has three roles: admin, user, and readonly. AD FS can assert a user's role at login time as a claim. To drive this, you'll need to create and populate three AD groups, one per role.
In the examples below, we'll use the following three group names:
- Stax Admins
- Stax Users
- Stax Read Only Users
See Stax Roles - Stax Permissions for more information on Stax roles.
Configure AD FS
Once you've prepared the URIs and AD Groups, you can configure AD FS.
Connect via Remote Desktop to the Windows Server holding the AD FS "Primary Computer" role. If you're unsure which computer this is, run Windows PowerShell as an administrator and issue the following command:
```powershell
Get-AdfsFarmInformation | Select-Object -ExpandProperty FarmNodes | Where-Object { $_.NodeType -eq "PrimaryComputer" } | Select-Object FQDN
```
From the Start menu, open Windows Administrative Tools, then double-click on AD FS Management to open the AD FS console
Within the AD FS console's navigation pane, navigate to AD FS then Relying Party Trusts. In the Actions pane, choose Add Relying Party Trust... to open the Add Relying Party Trust Wizard
Depending on your version of AD FS, you may be prompted to choose whether the application is Claims aware or Non claims aware. Ensure Claims aware is selected and click Start
On the Select Data Source page, choose Enter data about the relying party manually and click Next
On the Specify Display Name page, enter a Display Name for the application that fits your corporate convention. Each Display Name must be unique within your AD FS farm. Enter a description if appropriate and click Next
On the Configure Certificate page, leave the token encryption certificate blank and click Next
On the Configure URL page, check the Enable support for the SAML 2.0 WebSSO protocol box and enter the SAML 2.0 Service URL you determined earlier in the URL text box. Click Next
On the Configure Identifiers page, enter the Entity ID you determined earlier into the Relying party trust identifier field. Choose Add and then Next
On the Choose Access Control Policy page, choose the appropriate access control policy and any relevant parameters. In the example below, access is restricted so that only members of the Stax Admins, Stax Read Only Users, and Stax Users Active Directory groups can log into Stax. Click Next
On the Ready to Add Trust page, review your settings then click Next. Leave Configure claims issuance policy for this application selected on the Finish page, and click Close. This will add the Relying Party Trust and open the Edit Claim Issuance Policy dialog
On the Edit Claim Issuance Policy dialog, click Add Rule... and add the following claim rules:
1. Send AD properties as claims

Parameter | Value |
---|---|
Claim rule template | Send LDAP Attributes as Claims |
Claim rule name | Send AD Attributes as Claims |
Attribute Store | Active Directory |

Attribute mapping:

LDAP Attribute | Outgoing Claim Type |
---|---|
E-Mail-Addresses | email |
Given-Name | firstName |
Surname | lastName |
E-Mail-Addresses | persistentId |

2. Send Stax Admins group membership as a claim

Parameter | Value |
---|---|
Claim rule template | Send Group Membership as a Claim |
Claim rule name | Send Stax Role - Admin as Claim |
User's group | CORP\Stax Admins (your 'Stax Admins' AD group) |
Outgoing claim type | JumaRole |
Outgoing claim value | customer_admin |

3. Send Stax Users group membership as a claim

Parameter | Value |
---|---|
Claim rule template | Send Group Membership as a Claim |
Claim rule name | Send Stax Role - User as Claim |
User's group | CORP\Stax Users (your 'Stax Users' AD group) |
Outgoing claim type | JumaRole |
Outgoing claim value | customer_user |

4. Send Stax Read Only Users group membership as a claim

Parameter | Value |
---|---|
Claim rule template | Send Group Membership as a Claim |
Claim rule name | Send Stax Role - Read Only as Claim |
User's group | CORP\Stax Read Only Users (your 'Stax Read Only Users' AD group) |
Outgoing claim type | JumaRole |
Outgoing claim value | customer_readonly |

5. Send Persistent Name Identifier as a Claim

Parameter | Value |
---|---|
Claim rule template | Transform an Incoming Claim |
Claim rule name | Send Persistent Name Identifier |
Incoming claim type | persistentId |
Outgoing claim type | Name ID |
Outgoing name ID format | Persistent Identifier |

Enter the outgoing claim type JumaRole and the three claim values exactly as shown. Note that rule 1 sources persistentId from E-Mail-Addresses, so the Name ID Stax receives is the user's mail attribute: if a user's email address changes in AD, they will present a different identity to Stax.
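The same trust, created with the AD FS PowerShell cmdlets instead of the wizard, as an added example that is not part of the original page or of Stax's own tooling. It assumes the example values from this guide (customer alias mega-corp, installation ID au1, NetBIOS domain CORP and the three group names above), that the groups already exist, and that the built-in "Permit specific group" access control policy of AD FS on Windows Server 2016 is available; the GroupParameter key of that policy is an assumption to check against Get-AdfsAccessControlPolicy on your farm.

```powershell
# Added example, not from the Stax page: creates the Stax Relying Party Trust with the
# AD FS cmdlets instead of the wizard. Assumed values: customer alias "mega-corp",
# installation ID "au1", NetBIOS domain "CORP" and the three group names used in this
# guide. Run in an elevated PowerShell session on the primary AD FS server.

$customerAlias  = "mega-corp"
$installationId = "au1"
$domain         = "CORP"

$entityId   = "https://id.security.$customerAlias.$installationId.staxapp.cloud/auth/realms/master"
$serviceUrl = "$entityId/broker/adfs/endpoint"

# Stax role value -> AD group name (the groups must already exist and be populated).
$roleGroups = [ordered]@{
    customer_admin    = "Stax Admins"
    customer_user     = "Stax Users"
    customer_readonly = "Stax Read Only Users"
}
$ruleLabels = @{ customer_admin = "Admin"; customer_user = "User"; customer_readonly = "Read Only" }

# The "Send Group Membership as a Claim" template matches on the group SID, not its name,
# so resolve each SID through the domain (no ActiveDirectory module needed).
function Get-GroupSid([string]$Domain, [string]$Group) {
    ([System.Security.Principal.NTAccount]::new($Domain, $Group)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Rule 1: LDAP attributes -> email, firstName, lastName, persistentId (mail is used twice).
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send AD Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "firstName", "lastName", "persistentId"), query = ";mail,givenName,sn,mail;{0}", param = c.Value);

'@

# Rules 2-4: one JumaRole claim per Stax group.
foreach ($role in $roleGroups.Keys) {
    $sid = Get-GroupSid -Domain $domain -Group $roleGroups[$role]
    $rules += @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Send Stax Role - $($ruleLabels[$role]) as Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "JumaRole", Value = "$role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

"@
}

# Rule 5: persistentId -> SAML Name ID with the persistent format.
$rules += @'
@RuleTemplate = "MapClaims"
@RuleName = "Send Persistent Name Identifier"
c:[Type == "persistentId"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# SAML 2.0 WebSSO: the Stax service URL is the assertion consumer endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $serviceUrl -Index 0

# Access control: only members of the three Stax groups may sign in. "Permit specific group"
# is the built-in AD FS 2016 policy; its GroupParameter key is assumed here, check it with
# Get-AdfsAccessControlPolicy -Name "Permit specific group".
$allowedGroups = $roleGroups.Values | ForEach-Object { "$domain\$_" }

Add-AdfsRelyingPartyTrust -Name "Stax ($customerAlias)" `
    -Identifier $entityId `
    -ProtocolProfile SAML `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName "Permit specific group" `
    -AccessControlPolicyParameters @{ GroupParameter = $allowedGroups }

# Confirm what was created.
Get-AdfsRelyingPartyTrust -Identifier $entityId |
    Select-Object Name, Identifier, AccessControlPolicyName, @{ n = "ACS"; e = { $_.SamlEndpoints.Location } }
```

The five rule blocks are exactly what the wizard writes into the claim issuance policy, so you can compare them against the Edit Claim Issuance Policy dialog or pull them back with Get-AdfsRelyingPartyTrust -Identifier $entityId | Select-Object -ExpandProperty IssuanceTransformRules. Because the group rules embed SIDs, recreating a group in AD (even with the same name) requires regenerating the rules.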
Configure Stax to allow AD FS Sign-In
When you're ready to have Stax configured, you simply need to supply us with your AD FS metadata, and we'll do the rest for you.
If you're not sure where to find your metadata, open Windows PowerShell as an administrator on your primary AD FS server and run the following command to print its URL:
```powershell
Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq "Federation Metadata" } |
    Select-Object FullUrl
```
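Before sending the file, it is worth checking that the metadata you export actually advertises the token-signing certificate your farm is using, and what your rollover settings are. The following script is an added example, not from the Stax page; the output path under $env:TEMP is an arbitrary choice.

```powershell
# Added example, not from the Stax page: downloads the federation metadata you will
# supply to Stax, lists the signing certificates it advertises and checks each one
# against the token-signing certificates AD FS actually holds. Run in an elevated
# PowerShell session on the primary AD FS server. The output path is an arbitrary choice.

$metadataUrl = (Get-AdfsEndpoint | Where-Object { $_.Protocol -eq "Federation Metadata" }).FullUrl
$outFile     = Join-Path $env:TEMP "adfs-federation-metadata.xml"

Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -OutFile $outFile
[xml]$md = Get-Content -Path $outFile -Raw

# The entityID is the issuer Stax will see in every assertion; it should match the farm identifier.
"Metadata saved to $outFile"
"entityID in metadata: $($md.EntityDescriptor.entityID)"
"AD FS identifier:     $((Get-AdfsProperties).Identifier)"

$ns = @{
    md = "urn:oasis:names:tc:SAML:2.0:metadata"
    ds = "http://www.w3.org/2000/09/xmldsig#"
}

# Certificates the metadata advertises for signing in the IdP role.
$advertised = Select-Xml -Xml $md -Namespace $ns `
    -XPath "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate" |
    ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($_.Node.InnerText.Trim()))
    }

# Token-signing certificates AD FS holds: the primary, plus the next one during a rollover.
$held = Get-AdfsCertificate -CertificateType Token-Signing

foreach ($cert in $advertised) {
    $match  = $held | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $status = if ($match) { "held by AD FS, IsPrimary=$($match.IsPrimary)" } else { "NOT a current token-signing certificate" }
    "{0}  expires {1:yyyy-MM-dd}  {2}" -f $cert.Thumbprint, $cert.NotAfter, $status
}

# With AutoCertificateRollover enabled (the default), AD FS generates a new token-signing
# certificate ahead of expiry and promotes it later; the metadata changes at both points.
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold
```

If a certificate in the file is reported as not held, the copy is stale: download it again rather than sending it. Since Stax is configured from the metadata you supply, a token-signing rollover means Stax needs the new metadata before the new certificate becomes primary, so plan around the thresholds printed at the end.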
Once we've configured SAML on your Stax tenancy, we'll be in touch to let you know that it's ready to be tested.
How Do You Know This Worked?
Next time you navigate to your Stax Console login page, you'll see a new Continue with Corporate ID button at the top. Clicking this button takes you to your AD FS sign-in page. Log in there and you'll be signed into your Stax tenancy.
