To use Federation in Access Identity, certain prerequisites must be completed before configuration can begin.
Enable Federation feature
Follow the steps below to ensure your setup is ready and correctly implemented:
The Federation feature must be enabled in your agreement with Access.
For further information, please contact your Account Manager.
Your chosen OpenID Connect Identity Provider must be installed, configured, and publicly accessible via HTTPS.
The installation, configuration, and testing of your Identity Provider are outside the scope of this guide.
This guide outlines configuration steps for AD FS 2016 and Azure AD.
For other Identity Providers, please reach out to us for further instructions.
Configure Federation
To configure Access Identity federation with AD FS 2016, follow these steps:
Open the AD FS Management tool.
Select Application Groups and click on Add Application Group.
Enter Access Identity as the name.
Select Web browser accessing a web application as the template.
Click Next.
Copy the generated Client Identifier (you’ll need this later).
Enter https://identity.accessacloud.com/auth/oidc/callback as the Redirect URI.
Select Add and click Next.
Select Permit everyone as your access control policy.
Click Next, then click Next again.
Click Close.
Select the Application Group you just created, then select Properties.
Select Access Identity – Web application.
Click Edit, then click Issuance Transform Rules.
Select Add Rule.
Verify the claim rule template is set to Send LDAP Attributes as Claims.
Click Next, then set the claim rule name to Email.
Change the Attribute store to Active Directory.
Change the LDAP Attribute to E-Mail-Addresses.
Change the Outgoing Claim Type to E-Mail Address.
Click Finish.
Select the Client Permissions tab, then select email as a permitted scope.
Click OK, then click OK again.
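For reference, this is the rule that the Send LDAP Attributes as Claims template produces for the Email rule configured above, shown in AD FS claim rule language as the rule editor displays it. It is an added illustration, not text from the original guide: the claim type URIs and the mail attribute are the standard AD FS and Active Directory values, and a practitioner can compare the rule editor's output against it to confirm the attribute store, LDAP attribute and outgoing claim type were set as the steps describe.

```text
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
```

The E-Mail-Addresses attribute selected in the wizard corresponds to the mail attribute in the query string, and the E-Mail Address outgoing claim type corresponds to the emailaddress claim URI. If the rule editor shows a different attribute or claim type, the user will sign in at AD FS but the ID token will carry no email claim for Access Identity to match against.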
Configure Access Identity
You can now configure Access Identity to use this OpenID Connect Identity Provider.
To configure Access Identity as an Application in Azure AD, follow these steps:
Open the Azure Portal.
Select Azure Active Directory, then click App registrations.
Select New registration.
Enter a name for the application, e.g. Access Identity.
Click Register.
Note the Application (client) ID and Directory (tenant) ID (you’ll need these later).
Select Authentication.
In the Redirect URIs section, add a new redirect URI:
Type: Web
Redirect URI: https://identity.accessacloud.com/auth/oidc/callback
In the Advanced settings section, select ID tokens.
Click Save.
🤓 Tip: You have now successfully added Access Identity as an application to your Azure AD.
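Whether the Identity Provider is AD FS (with the Email claim rule and email scope from the first procedure) or Azure AD (with ID tokens enabled in the second), the result of a successful sign-in is an ID token whose claims Access Identity relies on. The following Python script is an added example, not code from the original guide or from Access: it decodes a constructed, unsigned sample ID token and checks the claims a federation administrator would want to confirm during testing, namely that the issuer matches the Identity Provider, that the audience contains the Client Identifier or Application (client) ID copied earlier, that the token has not expired, and that an email claim is present. The issuer value, client ID and user details in the sample are placeholders. The script deliberately does not verify the token signature; that must be done by the OpenID Connect client library against the Identity Provider's published keys before any claim is trusted.

```python
import base64
import json
import time
from typing import List, Optional

# Redirect URI from the guide; the Identity Provider must be registered with exactly this value.
REDIRECT_URI = "https://identity.accessacloud.com/auth/oidc/callback"

# Constructed placeholders (assumptions for the demonstration, not real values).
SAMPLE_ISSUER = "https://adfs.example.com/adfs"
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": SAMPLE_CLIENT_ID,
    "iat": 1700000000,
    "exp": 1700003600,
    "sub": "constructed-subject-id",
    "email": "jane.doe@example.com",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_id_token(claims: dict) -> str:
    """Build a constructed sample token in compact JWT form.

    The signature segment is a placeholder: this token is for exercising the
    claim checks only and would be rejected by any real signature verifier."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER-SIGNATURE"


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This only parses the token. It does NOT verify the signature; the OIDC
    client library must verify it against the IdP's JWKS before the claims
    are trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(claims: dict, expected_issuer: str, client_id: str,
                          now: Optional[float] = None) -> List[str]:
    """Check signature-verified claims against the federation setup.

    Returns a list of problems; an empty list means the token looks right."""
    problems: List[str] = []
    now = time.time() if now is None else now

    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer mismatch: got {claims.get('iss')!r}, expected {expected_issuer!r}")

    # 'aud' may be a single string or a list; the registered client id must appear in it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append(f"audience {audiences!r} does not contain client id {client_id!r}")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")

    # The AD FS procedure adds an Email claim rule and permits the email scope;
    # without an email claim the federated user cannot be matched to an account.
    if not claims.get("email"):
        problems.append(f"email claim missing; claims present: {sorted(claims)}")

    return problems


if __name__ == "__main__":
    token = make_sample_id_token(SAMPLE_CLAIMS)
    claims = decode_id_token_claims(token)
    # Fixed 'now' so the constructed sample is evaluated inside its validity window.
    for problem in check_id_token_claims(claims, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, now=1700000100):
        print("PROBLEM:", problem)
    print("redirect URI registered at the IdP must be exactly:", REDIRECT_URI)
```

When running this against a real token captured from a test sign-in, use the issuer value from the Identity Provider's discovery document and the Client Identifier (AD FS) or Application (client) ID (Azure AD) noted during setup; a missing email claim on an AD FS token usually means the claim rule or the email scope permission from the steps above was not saved.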