---
title: "ADFS with OpenID SSO"
slug: "adfs-with-openid-sso"
description: "Set up Single Sign-On between Document360 and ADFS using OpenID with our step-by-step guide for seamless user access and security."
updated: 2026-06-03T11:19:19Z
published: 2026-06-03T11:19:19Z
---

# ADFS with OpenID SSO

Before setting up Single Sign-On (SSO) between Document360 and ADFS using the OpenID protocol, ensure you have administrative access to both Document360 and the ADFS server. Only users with the **Owner** or **Admin** **Project role** can configure SSO in Document360.

> [!TIP]
> **PRO TIP**
>
> It is recommended to open **Document360** and **ADFS** in two separate tabs or browser windows, since configuring SSO in Document360 requires switching between the two multiple times.

## Adding an Application in ADFS

You'll need to create a new OpenID application in ADFS:

1. Log in to the ADFS Management console on your ADFS server.
2. In the **ADFS Management** console, navigate to **Relying Party Trusts**.
3. Right-click **Relying Party Trusts** and select **Add Relying Party Trust**.
4. In the **Add Relying Party Trust Wizard**, choose **Claims aware** and click **Start**.
5. Select **Enter data about the relying party manually** and click **Next**.
6. Provide a display name (e.g., "Document360 OpenID SSO") and click **Next**.
7. In the **Configure Certificate** step, click **Next** (you can skip this if not using a certificate).

## Document360 Service Provider (SP) Configuration

Next, you will need to configure ADFS with the Service Provider (SP) details provided by Document360:

1. Open Document360 in a separate tab or panel.
2. Navigate to **Settings** > **Users & permissions** > **SSO Configuration** in Document360.
3. Click the **Create SSO** button.

![Settings page displaying SSO configuration options and user permissions for identity providers.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/create sso(7).png)

4. Select **ADFS** as your identity provider to automatically navigate to the **Configure the Service Provider (SP)** page.

![Select an Identity Provider for SSO configuration, highlighting ADFS option prominently.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/okta eu(7).png)

5. On the **Configure the Service Provider (SP)** page, select the **OpenID** radio button.
6. A set of parameters is displayed; you will need these values to configure the IdP.

![Configuration settings for OpenID in the Service Provider setup for SSO.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/sp(8).png)

7. Switch to the **ADFS Management console tab/panel** and enter these values into the corresponding fields in the **Configure URL** step as shown below.

| ADFS | Document360 |
| --- | --- |
| Relying Party Identifier | Subdomain name |
| Sign-On URL | Sign in redirect URL |
| Sign-Out URL | Sign out redirect URL |

8. Click **Next** and complete the remaining steps in the wizard, such as setting up multi-factor authentication if required and permitting all users to access the application.
9. Review your settings and click **Next** to add the relying party trust.
10. On the final screen, check the box for **Open the Edit Claim Rules dialog** and click **Close**.

## Configuring Claim Rules

1. In the **Edit Claim Rules** dialog, click **Add Rule**.
2. Select **Send LDAP Attributes as Claims** as the rule template and click **Next**.
3. Provide a name for the claim rule (e.g., "Send LDAP Attributes").
4. Configure the following:
  - **Attribute Store**: Select **Active Directory**.
  - **Mapping**:
    - **LDAP Attribute**: User-Principal-Name | **Outgoing Claim Type**: Name ID
    - **LDAP Attribute**: E-Mail-Addresses | **Outgoing Claim Type**: Email
    - **LDAP Attribute**: Display-Name | **Outgoing Claim Type**: Name
5. Click **Finish** to add the rule.
6. Click **Apply** to save your changes and close the dialog.
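
To confirm from PowerShell what the wizard and the claim rule produced, the trust can be read back and compared with the settings above. This is an added example, not part of the Document360 documentation: the function name, the `example-subdomain` identifier and the sample trust object are assumptions, and the claim type URIs are the standard ones ADFS uses for Name ID, E-Mail Address and Name.

```powershell
# Added example: check a relying party trust against the settings documented above.
# On the ADFS server, load the real object instead of the constructed sample:
#   $trust = Get-AdfsRelyingPartyTrust -Name 'Document360 OpenID SSO'
$Identifier = 'example-subdomain'   # placeholder for the value Document360 displays

# Constructed sample: same property names as the real object; the rule text is the
# form the "Send LDAP Attributes as Claims" template writes (line-wrapped here).
$trust = [pscustomobject]@{
    Name                   = 'Document360 OpenID SSO'
    Enabled                = $true
    Identifier             = @('example-subdomain')
    IssuanceTransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
    query = ";userPrincipalName,mail,displayName;{0}", param = c.Value);
'@
}

# Outgoing claim types the rule must issue (Name ID, Email, Name).
$ExpectedClaims = [ordered]@{
    'Name ID' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
    'Email'   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    'Name'    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
}

function Test-RelyingPartyTrust {
    param($Trust, [string]$Identifier, $ExpectedClaims)
    if (-not $Trust) { return @('Relying party trust not found') }
    $findings = @()
    if (-not $Trust.Enabled) { $findings += 'Trust is disabled' }
    if ($Trust.Identifier -notcontains $Identifier) {
        $findings += "Identifier '$Identifier' is not registered on the trust"
    }
    foreach ($claim in $ExpectedClaims.GetEnumerator()) {
        # [string] turns a missing rule set into '' so the check reports instead of throwing.
        if (-not ([string]$Trust.IssuanceTransformRules).Contains($claim.Value)) {
            $findings += "No rule issues the '$($claim.Key)' claim"
        }
    }
    return $findings
}

$findings = @(Test-RelyingPartyTrust -Trust $trust -Identifier $Identifier -ExpectedClaims $ExpectedClaims)
if ($findings.Count -eq 0) { 'Trust matches the documented settings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```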

## Document360 OpenID SSO Configuration

Now, configure the SSO settings in Document360:

1. Return to the Document360 tab/panel displaying the **Configure the Service Provider (SP)** page and click **Next** to navigate to the **Configure the Identity Provider (IdP)** page.
2. Enter the corresponding values from your ADFS configuration onto Document360 as shown below.

| **ADFS** | **Document360** |
| --- | --- |
| Client Identifier (Client ID) | Client ID |
| Client Secret | Client Secret |
| Issuer URL | Authority (Authorization URL or Endpoint) |

3. Ensure that the **Client Identifier** matches the **Relying Party Identifier** configured in ADFS.
4. In the **Scope** (optional) field, type a scope value and click **+** to add it as a chip. This defines what user information or permissions Document360 requests from your identity provider.

You can add up to 3 scopes.

![](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/adfs(2).png)

5. Click **Next** to proceed to the **SCIM provisioning** page.

### SCIM provisioning

If SCIM is needed,

1. Turn on the **Enable SCIM provisioning** toggle.

![Instructions for enabling SCIM provisioning in Document360 for user synchronization.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/enable scim(1).png)

2. A confirmation dialog will appear outlining the terms for enabling SCIM. Review the terms, select the checkbox, and click **Agree**.
3. The parameters required to complete the SCIM configuration in ADFS will then be displayed.

> [!NOTE]
> **NOTE**
>
> SCIM provisioning in ADFS can be enabled using third-party tools or custom-built integrations only. ADFS does not natively support SCIM provisioning.

4. Enter the required parameters from Document360 into the corresponding fields in your custom app.

![Configuration settings for SCIM provisioning and identity provider setup in a web interface.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/enable group sync(1).png)

#### Assign Default role

1. In the **Default role** field, the role is set to **Contributor** by default. You can change this from the dropdown if needed.
2. In the **User groups** and **Reader groups** fields, select the groups you want to add. Multiple groups can be added, and they will inherit the default role you selected earlier.
3. Click **Next** to navigate to the **More Settings** page.

### More Settings

In the **More settings** page, configure the following:

- **SSO name**: Enter a name for the SSO configuration.
- **Customize login button**: Enter the text for the login button displayed to users.
- **Auto assign reader group**: This option is only available for existing SSO configurations. For newly created SSO configurations, the Auto assign reader group toggle will not be displayed as SCIM automatically provisions users and groups.
- **Sign out idle SSO user**: Toggle on/off based on your requirements.
- Choose whether to invite existing user and reader accounts to SSO.

![Settings for creating a new SSO, including name and login button customization options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/more settings(7).png)

Click **Create** to complete the OpenID SSO configuration.

SSO based on the **OpenID** protocol has now been configured successfully using **ADFS**.

---

## Managing Users in ADFS

![Overview of reader management settings, highlighting user accounts and permissions synchronization.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/readers.png)

To view the readers added through your custom app,

1. Go to Document360 and navigate to **Settings** > **Users & permissions** > **Readers & groups**.
2. Select the reader to navigate to their reader profile.

Readers provisioned via SCIM will display an **SSO-SCIM** badge next to their name.

> [!NOTE]
> **NOTE**
>
> When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through your IdP to keep both platforms in sync. You can only manage content access from Document360. Deleting a profile in your IdP does not remove it from Document360; the profile will remain with an Inactive status.

#### Manage content access of Readers, Users and Groups

The default content role assigned to any new user, reader, or group is based on what was configured during SCIM provisioning setup. Permissions will be set to **None** by default but can be updated at any time.

1. To manage content access, select the desired reader and click **Manage Content Access**.
2. Choose the desired access level from the dropdown and click **Update**.

![Editing reader account settings, including content access and associated groups options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/manage.png)

---

## Troubleshooting

### SSO Login Fails with HTTP ERROR 500

**Error:** During SSO login using Azure AD (Microsoft ADFS OpenID), the following error appears:

> “This page is not working at the moment – [identity.document360.io](http://identity.document360.io) can’t currently handle this request (HTTP ERROR 500)”

Error page displayed during SSO authentication showing an HTTP ERROR 500 message.

**Cause**

This issue occurs when the client secret configured for the Azure AD (Microsoft ADFS) SSO application has expired. As a result, the token endpoint returns a `401 Unauthorized` response during the authentication process.

**Steps to resolve**

1. Sign in to the Azure portal.
2. Navigate to **Microsoft Entra ID** > **App registrations**.
3. Open the SSO application using the configured **Client ID**.
4. Go to **Certificates & secrets**.
5. Under **Client secrets**, click **New client secret**.
6. Enter a description and select the required expiry duration.
7. Click **Add**.
8. Copy the **Secret Value** immediately.

   > Do not copy the **Secret ID**, as the secret value is displayed only once.
9. In Document360, navigate to the SSO / IdP configuration.
10. Replace the existing client secret with the newly generated secret value.
11. Save the changes.
12. Test the SSO login again to confirm the issue is resolved.
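
To catch an expiring secret before it surfaces as the HTTP 500 described above, the expiry dates on the app registration can be checked on a schedule. The following is an added example, not part of the Document360 documentation: the function name, the 30-day warning window and the sample credentials are assumptions, and the commented lines show how to feed it from the Microsoft Graph PowerShell SDK.

```powershell
# Added example: classify client secrets by expiry so a lapse is caught before logins fail.
function Get-ClientSecretStatus {
    param(
        [Parameter(Mandatory)] $PasswordCredentials,  # objects with DisplayName, KeyId, EndDateTime
        [int]      $WarnDays = 30,                     # assumed warning window
        [datetime] $Now      = [datetime]::UtcNow
    )
    foreach ($cred in $PasswordCredentials) {
        $end      = ([datetime]$cred.EndDateTime).ToUniversalTime()
        $daysLeft = [math]::Floor(($end - $Now).TotalDays)
        if     ($end -le $Now)            { $status = 'Expired' }
        elseif ($daysLeft -le $WarnDays)  { $status = 'ExpiringSoon' }
        else                              { $status = 'OK' }
        [pscustomobject]@{
            Description = $cred.DisplayName
            SecretId    = $cred.KeyId     # the portal's "Secret ID"; the secret value is never returned
            ExpiresUtc  = $end
            DaysLeft    = $daysLeft
            Status      = $status
        }
    }
}

# Constructed sample in the shape of an application's PasswordCredentials.
$sample = @(
    [pscustomobject]@{ DisplayName = 'sso-secret-old';  KeyId = '00000000-0000-0000-0000-000000000001'; EndDateTime = '2025-01-15T00:00:00Z' }
    [pscustomobject]@{ DisplayName = 'sso-secret-soon'; KeyId = '00000000-0000-0000-0000-000000000002'; EndDateTime = '2025-02-20T00:00:00Z' }
    [pscustomobject]@{ DisplayName = 'sso-secret-new';  KeyId = '00000000-0000-0000-0000-000000000003'; EndDateTime = '2026-02-01T00:00:00Z' }
)
# Fixed "now" so the sample gives the same result on every run.
$now = [datetime]::Parse('2025-02-01T00:00:00Z').ToUniversalTime()
Get-ClientSecretStatus -PasswordCredentials $sample -Now $now | Format-Table -AutoSize

# Against the real tenant (Microsoft Graph PowerShell SDK, Application.Read.All):
#   Connect-MgGraph -Scopes 'Application.Read.All'
#   $app = Get-MgApplication -Filter "appId eq '<client-id>'"
#   Get-ClientSecretStatus -PasswordCredentials $app.PasswordCredentials
```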
