This document applies to the following versions of Microsoft Active Directory Federation Services (ADFS):
These instructions guide you through configuring Sourcegraph as a relying party (RP) of ADFS, which enables users to authenticate to Sourcegraph using their Active Directory credentials.
1. Set externalURL in critical config to a URL that the ADFS server can reach.
2. Add an entry of type saml to auth.providers that points to your ADFS server's SAML metadata URL (typically containing the path /federationmetadata/2007-06/federationmetadata.xml).
3. Confirm there are no error messages in the sourcegraph/server Docker container logs (or the sourcegraph-frontend pod logs, if Sourcegraph is deployed to a Kubernetes cluster). The most likely error message indicating a problem is "Error prefetching SAML service provider metadata."

The example below demonstrates the properties that you must set. See the SAML auth provider documentation for the full set of properties that the SAML auth provider supports.
```json
{
  // ...
  "externalURL": "https://sourcegraph.example.com",
  "auth.providers": [
    {
      "type": "saml",
      "identityProviderMetadataURL": "https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml"
    }
  ]
}
```
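A pre-flight check for the third step above, added here as an example; it is not part of the Sourcegraph documentation or of Sourcegraph's own code. It does roughly what Sourcegraph does with identityProviderMetadataURL at startup: load the ADFS federation metadata and confirm it carries what a SAML service provider needs (a SAML 2.0 IdP descriptor, an HTTP SingleSignOnService endpoint and a parseable, unexpired signing certificate). Running it from a host that can reach ADFS separates a reachability failure from a metadata problem before you go looking for the prefetch error in the logs. The ADFS hostname is the example value from the config above, the sample metadata document is constructed, and its certificate body is a deliberate placeholder so the script shows how an unparseable certificate is reported.

```powershell
function Test-AdfsIdpMetadata {
    param(
        # Federation metadata document as XML text.
        [Parameter(Mandatory)] [string] $MetadataXml
    )
    $doc = [xml] $MetadataXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw 'Root element is not md:EntityDescriptor: this is not SAML metadata' }

    # ADFS metadata also carries WS-Federation descriptors; a SAML SP needs the SAML 2.0 IdP one.
    $idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor: ADFS is not publishing a SAML 2.0 identity provider' }

    $sso = @($idp.SelectNodes('md:SingleSignOnService', $ns) |
        Where-Object { $_.Binding -like 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-*' })
    if ($sso.Count -eq 0) { throw 'No HTTP-Redirect or HTTP-POST SingleSignOnService endpoint published' }

    # The signing certificate is what the SP uses to verify assertion signatures. ADFS publishes
    # two of them while automatic certificate rollover is in progress, so report every one.
    $signing = @($idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns))
    if ($signing.Count -eq 0) { throw 'No signing KeyDescriptor: assertions could not be verified' }

    $certs = foreach ($node in $signing) {
        try {
            $raw = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
            [pscustomobject]@{ Subject = $c.Subject; NotAfter = $c.NotAfter; Expired = ($c.NotAfter -lt (Get-Date)) }
        } catch {
            # Placeholder or corrupted base64: Sourcegraph would fail to verify any assertion with it.
            [pscustomobject]@{ Subject = '(unparseable certificate)'; NotAfter = $null; Expired = $null }
        }
    }

    [pscustomobject]@{
        EntityId     = $entity.GetAttribute('entityID')
        SsoEndpoints = @($sso | ForEach-Object { "$($_.Binding) $($_.Location)" })
        SigningCerts = $certs
    }
}

# Constructed sample standing in for a live download (assumption: entityID and endpoint
# paths follow the usual ADFS layout). The certificate body is a placeholder, not a real
# certificate, so the check reports it as unparseable rather than valid or expired.
$sample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@
Test-AdfsIdpMetadata -MetadataXml $sample | Format-List

# Live check against the same URL Sourcegraph has in site config. Invoke-WebRequest fails
# fast on DNS, TLS and HTTP errors, which is what the prefetch error in the logs usually hides.
# Uncomment on a host that can reach the ADFS server:
# $url = 'https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml'
# Test-AdfsIdpMetadata -MetadataXml (Invoke-WebRequest -Uri $url -UseBasicParsing).Content | Format-List
```

Run the live check from the same network position as the Sourcegraph container when you can: a metadata URL that resolves and validates from an admin workstation but not from the container (split DNS, an internal CA that the container does not trust) produces exactly the prefetch error the step above describes.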
When you add Sourcegraph as a relying party trust in ADFS, point the trust at Sourcegraph's SAML service provider metadata, which Sourcegraph serves at /.auth/saml/metadata under the externalURL configured above: https://sourcegraph.example.com/.auth/saml/metadata
Next, in the "Edit Claim Rules for sourcegraph.example.com" window, in the "Issuance Transform Rules" tab, add the following two rules.

Rule template: Send LDAP Attributes as Claims
- Claim rule name: Send User Info (any value is OK)
- Attribute store: Active Directory
- Mapping of LDAP attributes to outgoing claim types:
  - E-Mail-Addresses -> E-Mail Address
  - Display-Name -> Name

Rule template: Transform an Incoming Claim
- Claim rule name: Email to NameID
- Incoming claim type: E-Mail Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Persistent identifier
Click OK to apply the new claim rules and close the window.
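The ADFS side of the procedure (the relying party trust and the two claim rules above) as a script, added here as an example; it is not part of the original page and not Sourcegraph's or Microsoft's own code. It uses the AD FS PowerShell module on the ADFS server and writes the rules in ADFS claim rule language, which is what the console wizard generates from the fields listed above, so the stored rules can be diffed against a console-built trust. The relying party name and hostnames are the example values from this page; the "Permit everyone" issuance authorization rule is an assumption that mirrors the console wizard's default, which this page does not spell out.

```powershell
# Run on the ADFS server as an ADFS administrator.
Import-Module ADFS

$rpName        = 'sourcegraph.example.com'                            # assumed: display name used in the console
$spMetadataUrl = 'https://sourcegraph.example.com/.auth/saml/metadata' # Sourcegraph's SP metadata endpoint

# Standard claim type URIs behind the friendly names shown in the claim rule wizard.
$windowsAccountType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$emailType          = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameType           = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$nameIdType         = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$formatProperty     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Rule 1: "Send LDAP Attributes as Claims" named "Send User Info".
# The wizard's E-Mail-Addresses and Display-Name are the LDAP attributes mail and displayName.
$sendUserInfo = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send User Info"
c:[Type == "$windowsAccountType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailType", "$nameType"), query = ";mail,displayName;{0}", param = c.Value);
"@

# Rule 2: "Transform an Incoming Claim" named "Email to NameID":
# E-Mail Address -> Name ID with the persistent name ID format, passing all values through.
$emailToNameId = @"
@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID"
c:[Type == "$emailType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$formatProperty"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
"@

# Issuance authorization (assumption, not a step on this page): the console wizard's
# "Permit everyone" default. Without an authorization rule ADFS denies every sign-in
# to the new relying party. On ADFS 2016 an access control policy can be used instead:
#   Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName 'Permit everyone'
$permitAll = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Create the trust from Sourcegraph's SP metadata (entity ID, assertion consumer URL and
# SP signing key are read from it) unless it already exists, then install the rules.
# MonitoringEnabled makes ADFS re-read the SP metadata periodically, so a rotated SP key
# does not silently break sign-in.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $spMetadataUrl -MonitoringEnabled $true
}
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($sendUserInfo + "`n" + $emailToNameId) `
    -IssuanceAuthorizationRules $permitAll

# Print what ADFS actually stored, for comparison with the console's rule editor.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

One consequence of the second rule worth knowing before users start signing in: the Name ID value is the e-mail address, so "Persistent identifier" describes the format, not the stability of the value. If a user's mail attribute changes in Active Directory, ADFS presents that user to Sourcegraph under a new Name ID. If account continuity across e-mail changes matters, issue the Name ID from an attribute that never changes (objectGUID is the usual choice) and keep the e-mail address as a separate claim.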
All configuration is now complete. Let's test that it works, using alice as an example Active Directory user.

1. Visit https://sourcegraph.example.com. (If you are already authenticated from before configuring the SAML auth provider, sign out of Sourcegraph first.)
2. When ADFS prompts you, sign in with alice's Active Directory credentials and continue.
3. Confirm that you are signed in to Sourcegraph as alice.