It's better when it's simple

User Tools

Site Tools


adfs Plugin

Compatible with DokuWiki


plugin Provides user authentication against Active Directory Federation Service via SAML 2.0

Last updated on

Similar to authad

Tagged with ad, adfs, saml, sso

This plugin has been tested with ADFS and SimpleSAMLphp. It should work with other SAML2 compatible Identity Providers.


A CosmoCode Plugin

Install the plugin using the Plugin Manager and the download URL above, which points to latest version of the plugin. Refer to Plugins on how to install plugins manually.

Setup ADFS with SAML 2.0

The plugin was tested with Windows Server 2008. Please note that there is an updated version of the Federation Services for Windows Server 2008 that have to be downloaded separately: Download them from Microsoft.

Run the installer and follow the wizard to set up the Federation Services, IIS and the needed certificate. For real world use a certificate signed by a well-known Authority is recommended but not needed. A self-signed one will work too.

Your wiki has to be SSL secured as well! ADFS will refuse to work without SSL! A browser accepted certificate is highly recommended.

Once the services are set up, add a new Relying Party Trust in the ADFS snap-in.

For configuration use the following Federation metadata address: https://yourwiki/doku.php?do=adfs where yourwiki is your wiki server's address of course.

Enter any name and description, and select Permit all users to access this relying party.

Finally run the Edit Claim Rules dialog. Add a new “Issuance Transform Rule” and pick “Send LDAP Attributes as Claims”. Add the following:

  • Claim rule name: User Attributes
  • Attribute Store: Active Directory
  • Mapping of LDAP attributes 1):
    • User-Principal-Name → login
    • E-Mail-Addresses → email
    • Token-Groups - unqualified Names → groups
    • Display-Name → fullname

Configure the Plugin

There are two settings to configure in the Configuration Manager:

  • endpoint this is where your ADFS server provides the SAML 2.0 endpoint. It's usually https://<youradfs>/adfs/ls/
  • certificate this is the certificate you set up for the ADFS Server above

You can find the certificate in an XML file that is usually found under ''https://<youradfs>/FederationMetadata/2007-06/FederationMetadata.xml''. Look for <IDPSSODescriptor *><KeyDescriptor use=“signing”><X509Certificate>. It should be a long string of characters. Just paste that into the config. Make sure you use the signing key and not the encryption one.

The attribute names above (login, email, fullname and groups) are the default. In case you idP is not using these names, you can override the defaults by configuring the keys: “userid|fullname|email|groups attr name”.

Once everything is set up you can switch the authtype to adfs.


Clicking the login button will bring up the ADFS login form. Users can login with their Active Directory user name there and will be redirected to the wiki. If setup correctly, the ADFS form will use Single-Sign-On to log users in automatically.

The login will be remembered by the wiki. Unless they log out explicitly subsequent visits will trigger the login process automatically.

Please make sure your users have valid email addresses set in the Active Directory! Otherwise certain DokuWiki features may not work for them.

By default, new accounts are created during the first time login. If you prefer to reject unknown users and want to manually manage the user accounts you can untick the option “autoprovisioning” in the configuration screen.

you have to type the right side, these names are not in the dropdown
plugin/adfs.txt · Last modified: 2016-12-09 13:16 by 2001:a18:1:8::136