Configure ADFS 2.0 for SSO Integration
search cancel

Configure ADFS 2.0 for SSO Integration


Article ID: 287398


Updated On:


Carbon Black EDR (formerly Cb Response)


How to configure ADFS 2.0 for SSO Integration


  • EDR (formerly CB Response) Server: All Supported Versions
  • Active-Directory: ADFS 2.0


  1. Access the ADFS Management Tool.
  2. Create a new relying party trust:
  • Import data about the relying party from the cb-metadata.xml file generated earlier in the sso setup process (see below):
  • Ensure that the Display Name from cb-metadata.xml matches the “sp”:”name” value from /etc/cb/sso/sso.conf.
  1. Edit the claim rules to create rules for EDR:
  • Ensure that the value in NameID matches the EDR login name. (The EDR server depends on this.)
  • The EDR server uses the transient NameID policy, so be sure that claim rules comply with this policy.


  • a. Right-click on the relying party trust created above and select Edit Claim Rules.
  • b. Add a new rule to use Active Directory SAM-Account-Name as the Common Name.
  • c. Click OK.
  • d. Right-click on the relying party trust again and select Edit Claim Rules.
  • e.  Add a new rule to translate Common Name to the NameID transient format.
  • f.  Click OK.
  1. Above the SAM Account Name and NameID claim rules, add these additional claim rules:
  • a. Add a given_name rule as follows:
  • b. Add a last_name rule as follows:
  • c. Add an email rule as follows:
  • d. Add a role rule as follows. This rule can contain any mapping needed for groups in the Active Directory. Validate that changes are reflected in the file.
  1. Change the default Secure hash algorithm to SHA-1 as follows:

Next, add a special filter in IIS to allow logout requests to go through.

To add an IIS filter for ADFS logout:

  1. Open IIS Manager.
  2. In the left pane, locate the adfs/ls directory:
  1. In the right pane, select Request Filtering:
  1. Select the Query Strings tab:
  1. Select the Allow Query String action:

  1. Add in a new Query string called SAMLRequest.

  1. Select the Edit Feature Settings action:

  1. Change Maximum query string (Bytes) to 4096:
  1. Restart the ADFS/LS IIS web pages to implement these changes.