SAML SSO with ADFS

Active Directory Federation Services (ADFS) is Microsoft's on-premises identity provider that enables federated identity and single sign-on across applications. With SAML SSO configured between ADFS and Document360, your team members and readers can sign in to Document360 using their existing Active Directory credentials.

NOTE

Only users with the Owner or Admin project role can configure SSO in Document360.

What you can do with ADFS as your IdP

Capability | Supported
Team member (portal) authentication | Yes
Reader (knowledge base site) authentication | Yes
IdP-initiated sign-in | Yes
SCIM provisioning | Yes (via third-party tools or custom integrations only)
SSO configuration inheritance (parent-child projects) | Yes

NOTE

ADFS does not natively support SCIM provisioning. SCIM can only be enabled using third-party tools or custom-built integrations.


Before you begin

  • You have administrative access to both Document360 and your ADFS server.
  • You have Owner or Admin access in your Document360 project.
  • Open Document360 and ADFS in two separate browser tabs. You will need to switch between them multiple times during setup.

Step 1: Create a Relying Party Trust in ADFS

Add the application in ADFS

  1. Log in to the ADFS Management console on your ADFS server.
  2. In the ADFS Management console, navigate to Relying Party Trusts.
  3. Right-click Relying Party Trusts and select Add Relying Party Trust.
  4. In the Add Relying Party Trust Wizard, choose Claims aware and click Start.
  5. Select Enter data about the relying party manually and click Next.
  6. Provide a display name (for example, "Document360 SAML SSO") and click Next.
  7. In the Configure Certificate step, click Next (you can skip this if not using a certificate).
  8. Under Configure URL, select Enable support for the SAML 2.0 Web SSO protocol.

Step 2: Configure ADFS with Document360 Service Provider parameters

Get the SP parameters from Document360

  1. Open Document360 in a separate tab.
  2. Navigate to Settings > Users & permissions > SSO Configuration.
  3. Click Create SSO.
  4. Select ADFS as your Identity Provider (IdP) to navigate to the Configure the Service Provider (SP) page automatically.
  5. On the Configure the Service Provider (SP) page, select the SAML radio button as the protocol.
  6. A set of parameters will be displayed to complete the SAML configuration in ADFS.

Enter the Document360 parameters in ADFS

Enter the Document360 parameters into the corresponding fields in the Configure URL and Identifiers steps in ADFS using the mapping below.

ADFS | Document360
Relying Party Identifier | Service provider entity ID
Sign-On URL | Callback path
Sign-Out URL | Signed out callback path
Relying Party Trust Identifier | Subdomain name
Metadata URL | Metadata path
  1. Click Next and complete the remaining steps in the wizard, such as setting up multi-factor authentication if required, and permitting all users to access the application.
  2. Review your settings and click Next to add the relying party trust.
  3. On the final screen, check the box for Open the Edit Claim Rules dialog and click Close.

Step 3: Configure claim rules in ADFS

Add claim rules

  1. In the Edit Claim Rules dialog, click Add Rule.
  2. Select Send LDAP Attributes as Claims as the rule template and click Next.
  3. Provide a name for the claim rule (for example, "Send LDAP Attributes").
  4. Configure the following:
    • Attribute Store: Select Active Directory.
    • Mapping:
      • LDAP Attribute: User-Principal-Name | Outgoing Claim Type: Name ID
      • LDAP Attribute: E-Mail-Addresses | Outgoing Claim Type: Email-Addresses
      • LDAP Attribute: Display-Name | Outgoing Claim Type: Name
  5. Click Finish to add the rule.
  6. Click Apply to save your changes and close the dialog.
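
The relying party trust and claim rule from Steps 1 to 3 can also be created from PowerShell on the ADFS server. The script below is an added example, not code from Document360 or Microsoft. It covers only the entity ID, the callback endpoint and the claim rule, and assumes ADFS 2016 or later, that the callback path is a POST-binding assertion consumer endpoint, and that the Email-Addresses claim is the standard e-mail address claim URI.

```powershell
# Added example; run in an elevated session on the primary ADFS server.
# Placeholders: replace both values with the ones shown on the
# Configure the Service Provider (SP) page in Document360.
$name     = 'Document360 SAML SSO'
$entityId = '<Service provider entity ID>'
$callback = '<Callback path>'

if ("$entityId$callback" -match '[<>]') { throw 'Replace the placeholder values first.' }

# Claim-rule text for the Step 3 mapping:
# User-Principal-Name -> Name ID, E-Mail-Addresses -> e-mail address, Display-Name -> Name.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,mail,displayName;{0}", param = c.Value);
'@

# Assumption: the callback path is the assertion consumer service (POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $callback

# 'Permit everyone' corresponds to permitting all users in the wizard (ADFS 2016+).
Add-AdfsRelyingPartyTrust -Name $name -Identifier $entityId -SamlEndpoint $acs `
    -IssuanceTransformRules $rules -AccessControlPolicyName 'Permit everyone'

# Read the trust back and confirm all three outgoing claims are in the stored rules.
$trust   = Get-AdfsRelyingPartyTrust -Name $name
$needed  = 'claims/nameidentifier"', 'claims/emailaddress"', 'identity/claims/name"'
$missing = $needed | Where-Object { $trust.IssuanceTransformRules -notlike "*$_*" }

if ($missing) {
    Write-Warning "Claim rule is missing: $($missing -join ', ')"
} else {
    Write-Host 'All three claims (Name ID, e-mail address, Name) are issued.'
}
$trust | Select-Object Name, Identifier, Enabled, AccessControlPolicyName
```

The sign-out endpoint from the mapping table is not set by this script and still has to be added to the trust.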

Step 4: Complete the SSO configuration in Document360

Configure the Identity Provider in Document360

  1. Return to the Document360 tab displaying the Configure the Service Provider (SP) page and click Next to navigate to the Configure the Identity Provider (IdP) page.
  2. The Configure an existing connection field allows you to inherit an SSO configuration that already has SCIM enabled from a parent project. By selecting this option, the current SSO configuration becomes the child and automatically inherits the SCIM settings from the parent project.
  3. Enter the corresponding values from your ADFS configuration using the mapping below.

ADFS | Document360
SAML Sign-On URL | Identity Provider Single Sign-On URL
Identifier (Entity ID) | Identity Provider Issuer
X.509 Certificate | SAML Certificate

  4. Download the X.509 Certificate from ADFS and upload it to the SAML Certificate field in Document360.

NOTE

When exporting the X.509 certificate from ADFS, select Base-64 encoded (.CER) format. The default DER encoded format is not supported for Document360 SAML configuration.

  5. Toggle the Allow IdP initiated sign in option on or off based on your project needs.
  6. Click Next to proceed to the SCIM provisioning page.
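
Because a DER export is rejected, it helps to check the exported file before uploading it. The script below is an added example, not part of the Document360 or ADFS tooling. The file name and the 30-day expiry threshold are assumptions, and it assumes the exported certificate is the ADFS token-signing certificate.

```powershell
# Added example: validate an exported ADFS certificate before uploading it to Document360.
# $Path is a hypothetical file name; run on the ADFS server to enable the thumbprint check.
param([string]$Path = '.\adfs-token-signing.cer')

$full  = (Resolve-Path $Path).Path
$bytes = [System.IO.File]::ReadAllBytes($full)
$head  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(64, $bytes.Length))

# Base-64 exports are text with a PEM header; DER exports start with an ASN.1 SEQUENCE (0x30).
if ($head.TrimStart().StartsWith('-----BEGIN CERTIFICATE-----')) {
    Write-Host 'Format: Base-64 encoded, ready to upload.'
} elseif ($bytes[0] -eq 0x30) {
    $fixed = [System.IO.Path]::ChangeExtension($full, '.base64.cer')
    certutil.exe -f -encode $full $fixed | Out-Null
    Write-Warning "Format: DER. Base-64 copy written to $fixed; upload that file instead."
} else {
    throw "Not an X.509 certificate file: $full"
}

# Load the certificate (the file constructor accepts both encodings) and check its validity.
$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
$daysLeft = [int][Math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
Write-Host ("Subject:    {0}" -f $cert.Subject)
Write-Host ("Thumbprint: {0}" -f $cert.Thumbprint)
Write-Host ("Expires:    {0:u} ({1} days left)" -f $cert.NotAfter, $daysLeft)

# Assumed threshold: warn when fewer than 30 days remain, so rollover can be planned.
if ($daysLeft -lt 30) {
    Write-Warning 'Certificate expires soon; SSO will fail after expiry until the new one is uploaded.'
}

# On the ADFS server, confirm the file matches the primary token-signing certificate.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    if ($primary.Thumbprint -eq $cert.Thumbprint) {
        Write-Host 'Matches the primary token-signing certificate.'
    } else {
        Write-Warning "Does not match the primary token-signing certificate ($($primary.Thumbprint))."
    }
}
```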

Step 5: Configure SCIM provisioning

SCIM provisioning allows you to automate user and reader lifecycle management between ADFS and Document360. Since ADFS does not natively support SCIM, this requires a third-party tool or a custom-built integration.

If you do not need SCIM provisioning, skip to Step 6: More settings.

Enable SCIM in Document360

  1. Turn on the Enable SCIM provisioning toggle.
  2. A confirmation dialog appears. Review the terms, select the checkbox, and click Agree.
  3. The parameters required to complete the SCIM configuration will then be displayed.

NOTE

SCIM provisioning in ADFS can be enabled using third-party tools or custom-built integrations only. ADFS does not natively support SCIM provisioning.

  4. Enter the required parameters from Document360 into the corresponding fields in your custom app.

Assign default role and groups in Document360

  1. In the Default role field, the role is set to Contributor by default. You can change this from the dropdown if needed.
  2. In the User groups and Reader groups fields, select the groups you want to add. Multiple groups can be added, and they will inherit the default role you selected earlier.
  3. Click Next to navigate to the More settings page.

Step 6: More settings

Configure SSO name and login options

  1. In the SSO name field, enter a name for the SSO configuration.
  2. In Customize login button, enter the text for the login button displayed to users.
  3. Auto assign reader group — this option is only available for existing SSO configurations. For newly created SSO configurations, this toggle will not be displayed as SCIM automatically provisions users and groups. Learn more about Auto assign reader group.
  4. Enable Sign out idle SSO user if needed, and toggle based on your requirements.
  5. Click Create to complete the SAML SSO configuration.

Managing users in ADFS

To view readers added through your ADFS integration:

  1. In Document360, navigate to Settings > Users & permissions > Readers & groups.
  2. Select the reader to navigate to their reader profile.

Readers provisioned via SCIM will display an SSO-SCIM badge next to their name.

NOTE

When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through your IdP to keep both platforms in sync. You can only manage content access from Document360. Deleting a profile in your IdP does not remove it from Document360 — the profile will remain with an Inactive status.

Manage content access of readers, users, and groups

The default content role assigned to any new user, reader, or group is based on what was configured during SCIM provisioning setup. Permissions will be set to None by default but can be updated at any time.

  1. Select the desired reader and click Manage Content Access.
  2. Choose the desired access level from the dropdown and click Update.

NOTE

You can also manage groups for a reader by clicking Manage groups under the Reader Group section.


Best practices

  • Export the certificate in Base-64 encoded (.CER) format. The default DER encoded format from ADFS is not supported by Document360. Always select Base-64 encoding when exporting the X.509 certificate.
  • Use a third-party tool for SCIM. ADFS does not natively support SCIM provisioning. Plan your user provisioning approach before enabling SCIM in Document360.
  • Configure claim rules carefully. Ensure all three LDAP attribute mappings (Name ID, Email-Addresses, and Name) are configured correctly. Missing or incorrect claims will cause authentication failures.
  • Test with a single user first. Before rolling out SSO to all users, test the configuration with one user to verify that claim rules, certificates, and URLs are all working correctly.

FAQ

Why is SCIM not natively supported in ADFS?

ADFS is an on-premises federation service built on SAML and WS-Federation protocols. It does not include a built-in SCIM endpoint. To use SCIM with ADFS in Document360, you need a third-party provisioning tool or a custom integration that bridges ADFS with the SCIM protocol.

What certificate format does Document360 require for ADFS?

Document360 requires the X.509 certificate in Base-64 encoded (.CER) format. When exporting from ADFS, make sure to select this format. The default DER encoded format is not supported.

What happens to a user's profile in Document360 if I delete them in ADFS?

Deleting a user profile in your IdP does not remove it from Document360. The profile will remain in Document360 with an Inactive status.