Microsoft ADFS SSO Integration

Overview

Microsoft ADFS (Active Directory Federation Services) SSO allows your users to sign into Learn Amp using their corporate Active Directory credentials. This is ideal for organisations running on-premises Active Directory who want to provide seamless, secure access to Learn Amp.

ADFS integration enables single sign-on for enterprises with existing Windows Server infrastructure, without requiring cloud-based identity management.


Functionality Breakdown

Learn Amp authenticates users against your Microsoft ADFS server using SAML 1 or SAML 2.

When a user clicks the SSO login button:

  1. They're redirected to your organisation's ADFS login page

  2. They enter their Active Directory credentials

  3. ADFS verifies their identity and returns a security token

  4. Learn Amp validates the token and logs the user in

This integration requires coordination between your IT team and Learn Amp Support to establish a trust relationship between systems.


Known Limitations

User accounts: ADFS SSO only authenticates existing user accounts. Users in your Active Directory who don't have Learn Amp accounts with matching email addresses cannot sign in until their account is created.

On-premises requirement: ADFS requires your organisation to maintain on-premises Windows Server infrastructure.

Certificate management: ADFS certificates have expiry dates. You'll need to update Learn Amp when certificates are renewed.


Pre-requisites

To use ADFS SSO, you'll need:

  • Microsoft ADFS configured and running in your environment

  • Administrator access to your ADFS server

  • Users created in Learn Amp with email addresses matching their Active Directory accounts

Required Stakeholders

Role                      Responsibility
------------------------  ------------------------------------------------------------------
Your IT Administrator     Configure the ADFS Relying Party Trust; provide configuration details
Learn Amp Administrator   Request SSO enablement; coordinate with IT
Learn Amp Support         Configure the integration on Learn Amp's side


Set up Instructions

ADFS setup requires coordination between your IT team and Learn Amp. Here's the process:

Step 1: Contact Learn Amp Support

Raise a support ticket to request ADFS SSO enablement. We'll provide you with:

  • Federation Metadata XML file (for configuring the Relying Party Trust)

  • Your Learn Amp Entity ID: https://YOUR-SUBDOMAIN.learnamp.com

  • Reply URL: https://YOUR-SUBDOMAIN.learnamp.com/users/auth/wsfed/callback

Step 2: Configure ADFS Relying Party Trust

Your IT administrator needs to:

  1. Open the ADFS Management console

  2. Add a new Relying Party Trust using the Federation Metadata XML

  3. Configure the following settings:

    • Entity ID: https://YOUR-SUBDOMAIN.learnamp.com

    • Reply URL: https://YOUR-SUBDOMAIN.learnamp.com/users/auth/wsfed/callback

    • Relay State: https://YOUR-SUBDOMAIN.learnamp.com

  4. Configure claim rules to pass the required user attributes

Required Claims:

  • UserPrincipalName (UPN)

  • Email address

  • First name

  • Last name
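The Relying Party Trust and claim rules from Step 2 can also be created from PowerShell on the ADFS server instead of clicking through the management console. The script below is an added example written for this page, not a script supplied by Learn Amp or Microsoft. It assumes the Federation Metadata XML from Step 1 has been saved to C:\ADFS\learnamp-federation-metadata.xml (an assumed path), that YOUR-SUBDOMAIN is replaced with your real Learn Amp subdomain, and that the trust name "Learn Amp" is not already in use. The Relay State shown in the console is not a property of the trust object in the ADFS PowerShell module, so it is not set by this script.

```powershell
# Added example (not Learn Amp's or Microsoft's own script): registers the Learn Amp
# Relying Party Trust and the claim rules from Step 2 with the ADFS PowerShell module.
# Assumptions: the metadata file path below, and YOUR-SUBDOMAIN replaced with your subdomain.
# Run on the ADFS server as an ADFS administrator.
Import-Module ADFS

$TrustName    = "Learn Amp"
$MetadataFile = "C:\ADFS\learnamp-federation-metadata.xml"   # assumed path to the Step 1 file
$EntityId     = "https://YOUR-SUBDOMAIN.learnamp.com"
$ReplyUrl     = "https://YOUR-SUBDOMAIN.learnamp.com/users/auth/wsfed/callback"

# Issuance transform rules: look up the four attributes Learn Amp requires in Active
# Directory and issue them as standard claim types. The email value must match the
# user's Learn Amp account exactly, or sign-in fails with "User not found".
$IssuanceTransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Learn Amp - send UPN, email, given name and surname"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";userPrincipalName,mail,givenName,sn;{0}",
          param = c.Value);
'@

# Issuance authorization rule: permit every authenticated user. Replace with a
# group-based rule if only part of the directory should be able to reach Learn Amp.
$IssuanceAuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from the metadata file if it does not exist yet, then apply
# the identifier, WS-Federation reply endpoint and rules explicitly.
if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile
}
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -Identifier $EntityId `
    -WSFedEndpoint $ReplyUrl `
    -IssuanceTransformRules $IssuanceTransformRules `
    -IssuanceAuthorizationRules $IssuanceAuthorizationRules

# Show what ADFS actually stored. Identifier and WSFedEndpoint must match the
# Entity ID and Reply URL Learn Amp expects character for character.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Enabled, Identifier, WSFedEndpoint, IssuanceTransformRules
```

Cross-check the Identifier and WSFedEndpoint in the final output against the Entity ID and Reply URL before moving to Step 3; a trailing slash or a different host is enough to produce the redirect errors listed under Troubleshooting.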

Step 3: Provide Configuration Details to Learn Amp

Once ADFS is configured, provide Learn Amp Support with:

Setting                      Example
---------------------------  -----------------------------------------------
ADFS Issuer Name             https://sso.yourcompany.com/adfs/services/trust
ADFS Issuer (IdP endpoint)   https://sso.yourcompany.com/adfs/ls
IdP Certificate Fingerprint  90:CC:16:F0:8D:AA:... (SHA1 fingerprint)
SAML Version                 1 or 2

Step 4: Test and Go Live

Once Learn Amp configures the integration:

  1. Test with an admin account first

  2. Verify successful login and user matching

  3. Roll out to all users

Tip: Keep your certificate fingerprint documentation updated. When ADFS certificates are renewed, you'll need to provide the new fingerprint to Learn Amp Support.
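Reading the fingerprint for the Step 3 table, and spotting an upcoming renewal before SSO stops working, can be scripted on the ADFS server. The script below is an added example written for this page, not Learn Amp or Microsoft tooling. It reads the ADFS token-signing certificates (in ADFS, the token-signing certificate is the one whose fingerprint a relying party uses to validate the signed token), reformats the thumbprint into the colon-separated SHA1 form shown in the table, and warns when the primary certificate is within a threshold of expiry; the 30-day threshold is an assumption.

```powershell
# Added example (not Learn Amp's or Microsoft's own tooling). Lists the ADFS token-signing
# certificates with the colon-separated SHA1 fingerprint Learn Amp Support asks for in
# Step 3, and warns when the primary certificate expires within $WarnDays (assumed threshold).
# Run on the ADFS server as an ADFS administrator.
Import-Module ADFS

$WarnDays = 30   # assumed lead time for sending the new fingerprint to Support

function Format-Fingerprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # ADFS reports the SHA1 thumbprint as 40 hex characters with no separators;
    # the Step 3 table expects colon-separated pairs, e.g. 90:CC:16:F0:8D:AA:...
    $Thumbprint.ToUpper() -replace '(.{2})(?!$)', '$1:'
}

$now = Get-Date
foreach ($entry in Get-AdfsCertificate -CertificateType Token-Signing) {
    $cert     = $entry.Certificate   # X509Certificate2 behind the ADFS certificate entry
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    # One row per certificate: the primary signs tokens today, a secondary is the
    # certificate ADFS will promote at the next rollover.
    [pscustomobject]@{
        Role        = if ($entry.IsPrimary) { 'PRIMARY' } else { 'secondary' }
        Subject     = $cert.Subject
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        DaysLeft    = $daysLeft
        Fingerprint = Format-Fingerprint -Thumbprint $cert.Thumbprint
    }

    if ($entry.IsPrimary -and $daysLeft -le $WarnDays) {
        Write-Warning "Primary token-signing certificate expires in $daysLeft days; send the replacement fingerprint to Learn Amp Support before then."
    }
}
```

When automatic certificate rollover is enabled (check AutoCertificateRollover in Get-AdfsProperties), ADFS generates the replacement certificate as a secondary before promoting it to primary, so the secondary row in this output is the fingerprint to send to Support ahead of the switch rather than after SSO has already failed.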


FAQs

Q: Can I use ADFS SSO alongside email/password login?
Yes. By default, both options appear on the login page. Contact Support to disable email/password login if you want ADFS-only authentication.

Q: What SAML version should I use?
SAML 2 is recommended for better security and features. SAML 1 is supported for legacy environments.

Q: What happens when our ADFS certificate expires?
SSO will stop working. Plan certificate renewals in advance and provide the new fingerprint to Learn Amp Support before expiry.

Q: Can Learn Amp auto-create users from ADFS?
No. ADFS SSO only authenticates existing accounts. For automatic user provisioning, consider using Microsoft Entra ID SCIM or another HRIS integration.

Q: Where can I find detailed setup instructions in Learn Amp?
Visit yourdomain.learnamp.com/en/integrations/wsfed for integration-specific guidance within your Learn Amp account.


Troubleshooting

Issue                            Solution
-------------------------------  -------------------------------------------------------------------------------
SSO button not appearing         Ensure ADFS SSO is enabled and configured. Contact Support to verify.
"User not found" error           The user's UPN or email in ADFS must match their Learn Amp email exactly.
Certificate validation failed    Verify the IdP certificate fingerprint is correct and the certificate hasn't expired.
SAML assertion errors            Check that claim rules are correctly configured to pass the required attributes.
Redirect errors                  Verify the Reply URL and Entity ID match exactly between ADFS and Learn Amp.
SSO worked before but now fails  Check if certificates have been renewed. Provide the new fingerprint to Support.


Last Reviewed: December 2024