
Configure SAML Authentication with ADFS

Before You Begin

Single Sign On allows you to configure Transit to use your organization's existing user directory as an Identity Provider. Your users are redirected to your organization's login page and log in with their Active Directory username and password.

Currently Transit supports Single Sign On with Active Directory Federation Services (ADFS) through SAML 2.0.

To configure SAML integration with ADFS you will need access to the AD FS Management application (typically installed on your ADFS server).

You assign roles to users by mapping AD groups to Transit roles. If you want to create groups specifically for assigning roles to your users, create those groups before configuring SSO.



Step 1: Define the Authentication Source

In this step you define the basic parameters for this authentication source, such as which email domains it serves and what type of SSO server you will be authenticating against.

Provider Name is an arbitrary label you assign to the source so you can identify it.

Server Type is where you specify what type of Single Sign On server you are authenticating against. In this case the server type is ADFS.

Email Domain(s) is the list of email domains that will authenticate against this source. Any user who logs in with an address in one of the listed domains will only be allowed to log in using ADFS.

Sign In Button Label is where you customize the text that appears on the button users will use to log in with this source. The button label is always displayed in all capital letters to match the other buttons in the app.

Sign In Button Icon allows you to upload a custom icon for the Sign In button or to remove the icon altogether.

Sign In Button Preview shows you what the Sign In button will look like on the Sign In page.



Step 2: Map AD Groups to Transit Roles

Here is where you assign roles to your users by mapping AD groups to Transit roles. When a user logs in, if they are a member of one of the listed groups they are granted that role. Users who are not members of any of the listed groups can still log in with AD to receive messages and access shared files, but will not have any of the capabilities of a licensed user.

List the Active Directory groups that contain the users who should have Sender licenses or the Administrator role in the appropriate field. Separate multiple groups with commas. Spaces are allowed in group names.

Licensed Users take up a license and have full access to the application.

Administrators are licensed users who can also access the Administration console in Transit.

IMPORTANT! Make sure you are a member of at least one group listed for Administrators and that the group name is spelled correctly. It is possible to lock yourself out of the Administration console by misconfiguring Single Sign On.
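As an added pre-flight check (not part of the Transit documentation), the following PowerShell, run on a domain-joined machine with the ActiveDirectory RSAT module, verifies that every group name you intend to list actually resolves in AD and that your own account is in at least one of the Administrators groups before you apply the configuration. The group names and the module are assumptions; replace them with your own. It resolves membership through the tokenGroups attribute, because that is what the Token-Groups claim ADFS issues in step 5 is built from, so nested membership counts the same way it will at login.

```powershell
# Added example, not from the Transit documentation. Assumes the ActiveDirectory
# RSAT module is installed; group names below are placeholders.
Import-Module ActiveDirectory

$AdminGroups    = @('Transit Admins')                  # placeholder
$LicensedGroups = @('Transit Senders', 'Sales Team')   # placeholder
$Me             = $env:USERNAME

# 1. Every listed group must resolve by sAMAccountName, which is the value the
#    "Token-Groups - Unqualified Names" claim carries for each group.
foreach ($name in ($AdminGroups + $LicensedGroups)) {
    $escaped = $name -replace "'", "''"
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$escaped'")) {
        Write-Warning "Group '$name' not found in AD: fix the spelling before you apply the source."
    }
}

# 2. tokenGroups contains the SIDs of all groups the user is in, nested ones included,
#    so resolve those to names instead of reading direct memberOf entries.
$sids     = (Get-ADUser -Identity $Me -Properties tokenGroups).tokenGroups
$myGroups = foreach ($sid in $sids) {
    # Well-known SIDs such as Authenticated Users have no AD group object; the
    # filter simply returns nothing for them.
    $g = Get-ADGroup -Filter "SID -eq '$($sid.Value)'"
    if ($g) { $g.SamAccountName }
}

$adminHit = $AdminGroups | Where-Object { $myGroups -contains $_ }
if ($adminHit) {
    "OK: $Me is in Administrators group(s): $($adminHit -join ', ')"
} else {
    Write-Warning "$Me is in none of the listed Administrators groups; applying this configuration could lock you out of the Administration console."
}
```

Because the claim carries the group's sAMAccountName (unqualified, without the domain prefix), that is the spelling to paste into the Licensed Users and Administrators fields; a display name or distinguished name will not match.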


Step 3: Upload the Identity Provider Metadata

To complete this step you first need to download a metadata file from your Identity Provider. It contains the information Transit needs to start authenticating users against that source.

Typically this file is downloaded from your ADFS server via a URL such as:

Once you have downloaded that file, upload it here.
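The following PowerShell is an added example, not part of the Transit documentation: it fetches the ADFS federation metadata and prints the values Transit will rely on (the entityID that appears as the Issuer in SAML responses, the signing certificate and its expiry, and the SSO endpoint) so you can sanity-check the file before uploading it. The host name adfs.example.com is a placeholder; the path is ADFS's standard federation metadata endpoint.

```powershell
# Added example, not from the Transit documentation. 'adfs.example.com' is a
# placeholder for your AD FS host; the path is the standard AD FS metadata endpoint.
$adfsHost = 'adfs.example.com'
$url      = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile  = Join-Path $env:TEMP 'FederationMetadata.xml'

# Leave TLS certificate validation at its default. This file tells Transit which
# signing key to trust, so it must come from a verified HTTPS connection.
Invoke-WebRequest -Uri $url -OutFile $outFile -UseBasicParsing

[xml]$md = Get-Content -Path $outFile -Raw

# entityID is the Issuer value ADFS puts in the SAML responses Transit receives.
"entityID: {0}" -f $md.EntityDescriptor.entityID

# Signing certificate(s): Transit validates SAML response signatures against these.
# A certificate close to expiry means the metadata will have to be re-uploaded soon.
$md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate.Trim())
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
        "signing cert {0} expires {1:yyyy-MM-dd} ({2} days)" -f $cert.Thumbprint, $cert.NotAfter, $days
        if ($days -lt 30) { Write-Warning "Signing certificate expires in $days days." }
    }

# The endpoint(s) users are redirected to for login.
$md.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
    ForEach-Object { "SSO endpoint: {0}  {1}" -f $_.Binding, $_.Location }
```

If the signing certificate printed here does not match the one shown under AD FS Management > Service > Certificates (Token-signing), you are looking at stale metadata; ADFS publishes a new certificate in the metadata before it rolls over, so re-download and re-upload at that point.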


Step 4: Download the Transit Metadata

You need to complete steps 1 through 3 before continuing. Once the configuration is applied you can download the metadata file for this source; you will import it into ADFS in the next step.


Step 5: Create the Relying Party Trust in ADFS

This step needs to be performed in the AD FS Management application on your Active Directory Federation Services server. The Relying Party Trust establishes the trust relationship between ADFS and Transit and determines which Active Directory attributes are issued to the Transit application as claims.

The instructions below walk you through the steps that need to be performed in ADFS.

  1. Open the AD FS Management Console and click Add Relying Party Trust in the Actions pane on the right.

  2. Leave Claims aware selected and click START.

  3. Select Import data about the relying party from a file and browse to the metadata file you downloaded in step 4, then click NEXT.

  4. Specify a Display Name and add any Notes, such as a description of this trust, then click NEXT.

  5. For Choose Access Control Policy accept the default and click NEXT.

  6. For Ready to Add Trust accept the defaults and click NEXT.

  7. Under Finish leave Configure claims issuance policy for this application checked and click CLOSE.

  8. In the Edit Claim Issuance Policy window click Add Rule.

  9. In the Select Rule Template screen make sure Send LDAP Attributes as Claims is selected and click NEXT.

  10. In the Configure Rule screen give the rule a name and make sure the Attribute Store is set to Active Directory. Then add the LDAP attribute to outgoing claim type mappings listed below and click FINISH:

    • User-Principal-Name -> Name ID

    • E-Mail-Addresses -> E-Mail Address

    • Given-Name -> Given Name

    • Surname -> Surname

    • Token-Groups – Unqualified Names -> Role
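The same trust and claim rule can be created from an elevated PowerShell session on the ADFS server. The block below is an added example rather than the Transit documentation's own procedure: it assumes the metadata file from step 4 was saved as C:\Temp\transit-metadata.xml, uses an arbitrary display name, and expresses the five mappings from item 10 as a single "Send LDAP Attributes as Claims" rule in the ADFS claim rule language, using ADFS's standard claim type URIs for Name ID, E-Mail Address, Given Name, Surname and Role. The access control policy name is the console's default on Windows Server 2016 and later.

```powershell
# Added example, not the Transit documentation's own instructions.
# Assumptions: Transit metadata saved to C:\Temp\transit-metadata.xml; display
# name and notes are arbitrary; run in an elevated session on the AD FS server.
Import-Module ADFS

$metadataFile = 'C:\Temp\transit-metadata.xml'
$displayName  = 'Transit'

# "Send LDAP Attributes as Claims" rule. The query lists the LDAP attributes in the
# same order as the outgoing claim types:
#   userPrincipalName -> Name ID, mail -> E-Mail Address, givenName -> Given Name,
#   sn -> Surname, tokenGroups (unqualified names) -> Role
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Transit attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";userPrincipalName,mail,givenName,sn,tokenGroups;{0}",
          param = c.Value);
'@

# Equivalent of "Import data about the relying party from a file" plus the claim rule.
# Importing from metadata sets the identifier, SAML endpoints and encryption
# certificate from the file, so none of them are typed in by hand.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataFile $metadataFile `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $issuanceRules `
    -Notes 'SAML 2.0 trust for Transit Single Sign On'

# Review what was created before testing from Transit.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Enabled, Identifier, SamlEndpoints, IssuanceTransformRules |
    Format-List
```

Note that this rule issues one Role claim per group the user belongs to, nested groups included; Transit only acts on the names listed in step 2, but every other group name is still disclosed to the application in the assertion.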


Step 6: Test the Source

It is a good idea to test your source before continuing. The Test Source button takes you to your organization's ADFS login page. Once you log in it tells you whether the login succeeded or failed, and provides diagnostic information in either case.


Step 7: Publish the Provider

The final step is to publish this provider. Once published it appears on the Transit login page and is available for your users to authenticate against.

NOTE: While unpublished you can still configure and test the source, but it will not be available to users for authentication.
