All Collections
Teams Free, Basic, Business
Team administration
Single Sign On (SSO)
Configure Single Sign-on (SSO) with ADFS
Configure Single Sign-on (SSO) with ADFS
Joel Bradley avatar
Written by Joel Bradley
Updated over a week ago
PDF VERSION

Tags | Authentication | SSO | ADFS |

Admin privileges required

Applies to: Basic, Business

Enterprise users can access their documentation here. Find your plan.

This article details how to configure Microsoft's ADFS for single sign-on (SSO) with Stack Overflow for Teams. This is not a comprehensive guide to ADFS, but rather a quick overview of the configuration steps.

NOTE: SSO with ADFS uses the SAML 2.0 protocol, which requires ADFS version 2.0 or later. This article details the configuration process with ADFS 4.0 on Windows Server 2016. Previous versions will look different and may require a different process.

Create a Relying Party Trust for Stack Overflow for Teams

NOTE: You'll need Admin privileges for your Stack Overflow Team and ADFS to perform these steps.

Before configuring Stack Overflow for Teams, you must manually set up the Relying Party Trust in ADFS.

  1. On your ADFS server, expand AD FS. Right-click on Relying Party Trusts, then select Add Relying Party Trust.

  2. Select Claims aware and press Start.

  3. Select Enter data about the relying party manually. Click Next.

  4. Enter a Display name (for example: “Stack Overflow Teams”). Click Next.

  5. Click Next on the "Configure Certificate" screen without choosing any certificates.

  6. Check Enable support for the SAML 2.0 WebSSO protocol. Enter the full URL to /auth/saml2/post for your Stack Overflow Team (https://sso.stackoverflow.com/c/[your_team]/auth/saml2/post).

  7. Enter an identifier and click Add. This can be any text (for example: "StackOverflowForTeams"). You'll set this value as the Issuer on your Stack Overflow for Teams "Auth Settings" page.

  8. Choose your desired access control policy. This specifies who ADFS will grant access to.

  9. Click Next until you reach the "Finish" screen.

Configure the Claim Issuance Policy

The next step is to configure the claims that are being sent in the SAML response. Stack Overflow for Teams requires a name ID (or user ID), display name, and email address.

  1. Right-click your new Relying Party Trust and select Edit Claim Issuance Policy.

  2. Select Send LDAP Attributes as Claims.

  3. Configure the following required attributes: Display-Name and E-Mail-Addresses.

  4. Add a second claim rule and select Transform an Incoming Claim.

  5. Choose the desired incoming claim type for the attribute you want to use as Name ID, for example E-Mail Address.

  6. Choose Name ID as the Outgoing claim type.

  7. For the Outgoing name ID format, choose either Persistent Identifier or (if applicable) Email.

  8. Make sure that the new rule is the second one in the list. The rule order matters.

Additional Configuration

  1. On the ADFS management window, right-click on Relying Party for Stack Overflow for Teams and choose Properties. Under the "Advanced" tab, set the Secure hash Algorithm to SHA­-256.

  2. Return to the ADFS management window. Select Services, then Certificates. Double-click on Token Signing Certificate to open the Certificate Export Wizard.

  3. Select Base-64 encoded X.509 and click Next. Copy the resulting X509 certificate to a file and save it. Be sure to include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

Set up Authentication settings on Stack Overflow for Teams

You'll now configure ADFS in Stack Overflow for Teams. Open the "Authentication" admin page (https://stackoverflowteams.com/c/[your_team]/admin/auth-settings) in a separate browser tab or window.

  1. Open the exported X509 certificate in a text editor and copy and paste the certificate into the Certificate field.

  2. Set the Single sign-on Service Url and Audience Restriction values.

  3. Make sure the Issuer is the same as the Identifier set in Microsoft ADFS.

  4. Set the Display Name Assertion and Email Address Assertion to match your Claim Issuance Policy.

Troubleshooting ADFS

ADFS has an application-specific event log that's helpful for troubleshooting. You can also find error details in the Windows Event viewer on the ADFS server. See https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging.

Finally, you can query advanced settings for the Relying Party Trust through PowerShell using the PowerShell command below. Please refer to the Set-AdfsRelyingPartyTrust cmdlet for a full list of settings.

For additional troubleshooting, check that the properties below match your SSO configuration.

  • SignedSamlRequestsRequired enforces the need for AuthnRequests to be signed

  • SignatureAlgorithm configures SHA-256 instead of the default SHA-1

  • SamlResponseSignature sets which part of the XML response are signed

  • SigningCertificateRevocationCheck configures if and how the signing certificate is checked for validity (used when verifying signed AuthnRequests)

  • EncryptionCertificateRevocationCheck configures if and how the encrypting certificate is checked for validity (used when encrypting the SAML Response)

Set-AdfsRelyingPartyTrust -TargetName "e.g.Stack Overflow for Teams" -SignedSamlRequestsRequired $true -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" -SamlResponseSignature "MessageAndAssertion"

If you have problems configuring ADFS, reach out to support for help. Certain versions of ADFS may require us to change hidden settings.

Need help? Submit an issue or question through our support portal.

Did this answer your question?