
# SAML: ADFS Configuration

> This document provides instructions for creating an application within ADFS for compatibility with BloodHound Enterprise.

export const IDPIntro = ({auth_mode}) => {
  const mode = (auth_mode || '').toUpperCase();
  const isOIDC = mode === 'OIDC';
  const href = isOIDC ? '/manage-bloodhound/auth/oidc' : '/manage-bloodhound/auth/saml';
  const label = isOIDC ? 'OIDC' : 'SAML';
  return <Tip>
      See <a href={href}>{label} in BloodHound</a> for order of operations, general {label} setup, and user configuration in BloodHound.
    </Tip>;
};

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

<IDPIntro auth_mode="SAML" />

## Create an Application

1. In the AD FS management console, right-click on Relying Party Trusts and click “Add Relying Party Trust”.

<Frame>
  <img src="https://mintcdn.com/specterops/xhId2ad7n1mFRAEQ/assets/image-2-25.png?fit=max&auto=format&n=xhId2ad7n1mFRAEQ&q=85&s=a82a153aed0d0a22748b7d69a4bffebd" width="936" height="478" data-path="assets/image-2-25.png" />
</Frame>

2. Choose “Claims aware” and click “Start”.

<Frame>
  <img src="https://mintcdn.com/specterops/xhId2ad7n1mFRAEQ/assets/image-2-26.png?fit=max&auto=format&n=xhId2ad7n1mFRAEQ&q=85&s=7c6e0079d7bff7de1440274b4a7f531e" width="936" height="762" data-path="assets/image-2-26.png" />
</Frame>

3. Insert the metadata URL derived from the provider name you chose and click “Next”.

<Frame>
  <img src="https://mintcdn.com/specterops/xhId2ad7n1mFRAEQ/assets/image-2-27.png?fit=max&auto=format&n=xhId2ad7n1mFRAEQ&q=85&s=f7beac048d4112f82db95654aa18a7fe" width="936" height="762" data-path="assets/image-2-27.png" />
</Frame>

4. Enter the preferred display name and click “Next”.

<Frame>
  <img src="https://mintcdn.com/specterops/xhId2ad7n1mFRAEQ/assets/image-2-28.png?fit=max&auto=format&n=xhId2ad7n1mFRAEQ&q=85&s=f01be1f95331a1d8b55f3f1ce8817fb8" width="936" height="762" data-path="assets/image-2-28.png" />
</Frame>

5. Choose the desired Access Control Policy. (Note that access and permissions are configured within BloodHound Enterprise.)

<Frame>
  <img src="https://mintcdn.com/specterops/xhId2ad7n1mFRAEQ/assets/image-2-29.png?fit=max&auto=format&n=xhId2ad7n1mFRAEQ&q=85&s=d40545f9678e69d3e6084790a0811489" width="936" height="762" data-path="assets/image-2-29.png" />
</Frame>

6. Review the information presented and click “Next”.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-30.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=af47f2b789f86ad1242e17d3884488de" width="936" height="762" data-path="assets/image-2-30.png" />
</Frame>

7. Leave the “Configure claims issuance policy for this application” box checked and click “Close”.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-31.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=77b1e230ca3519fd72ac36976ac59d62" width="936" height="762" data-path="assets/image-2-31.png" />
</Frame>

## Complete SAML Integration Configuration

1. On the “Edit Claim Issuance Policy” dialog box, click “Add Rule…”.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-32.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=5f28c751ff8fd2b36792a72246ae1e0c" width="936" height="1046" data-path="assets/image-2-32.png" />
</Frame>

2. Choose “Send LDAP Attributes as Claims” and click “Next”.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-33.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=0448972323cd67e36665438ffa9c1c2b" width="936" height="762" data-path="assets/image-2-33.png" />
</Frame>

3. Fill out the following and click “Finish”.

   LDAP Attribute: E-Mail-Addresses
   Outgoing Claim Type: E-Mail Address

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-34.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=9c4d2f47318f0f76e43bc9a185faade4" width="936" height="762" data-path="assets/image-2-34.png" />
</Frame>

4. Click “Add Rule” to add another claim rule.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-35.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=282a26366668c005105ce152c365ab28" width="936" height="1046" data-path="assets/image-2-35.png" />
</Frame>

5. Choose “Transform an Incoming Claim” and click “Next”.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-36.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=7082a1b42189a03f28acf69305ad7b64" width="936" height="762" data-path="assets/image-2-36.png" />
</Frame>

6. Fill out the following and click “Finish”.

   Incoming claim type: E-Mail Address
   Outgoing claim type: Name ID
   Outgoing name ID format: Email
   Choose “Pass through all claim values”

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-37.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=dd1efe7300ce0642682c900a5638ec50" width="936" height="762" data-path="assets/image-2-37.png" />
</Frame>

7. Click “Apply”.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-38.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=a0e8b048486dda555ac42274d7618f2b" width="936" height="1046" data-path="assets/image-2-38.png" />
</Frame>

8. Download the metadata file provided by your ADFS environment. By default, this is hosted at: [https://YOURDOMAIN/federationmetadata/2007-06/federationmetadata.xml](https://YOURDOMAIN/federationmetadata/2007-06/federationmetadata.xml)
9. Follow the instructions at [SAML in BloodHound Enterprise](/manage-bloodhound/auth/saml) to create the SAML provider in BloodHound Enterprise.
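The same relying party trust and both claim rules, created from PowerShell instead of the wizard, so the result can be reviewed and reproduced. This is an added example, not part of the BloodHound documentation; the trust name, the BloodHound metadata URL, the access control policy name and the ADFS host are placeholders you must replace with your own values.

```powershell
# Added example: script the wizard steps above with the ADFS PowerShell module.
# $TrustName, $MetadataUrl, $PolicyName and $AdfsHost are placeholders, not real values.
Import-Module ADFS

$TrustName   = 'BloodHound Enterprise'                        # step 4: display name
$MetadataUrl = 'https://BLOODHOUND-HOST/PATH-TO-SAML-METADATA'  # step 3: metadata URL of your BloodHound SAML provider
$PolicyName  = 'Permit everyone'                               # step 5: pick the policy that fits your environment
$AdfsHost    = 'YOURDOMAIN'                                    # step 8: your ADFS host name

# "Create an Application": a claims-aware relying party trust built from the SP metadata.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataUrl $MetadataUrl `
    -AccessControlPolicyName $PolicyName

# "Complete SAML Integration Configuration": the two claim rules the wizard generates,
# written in the ADFS claim rule language.
#   Rule 1: LDAP attribute E-Mail-Addresses (mail) -> E-Mail Address claim
#   Rule 2: E-Mail Address claim -> Name ID with the email name ID format
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-Mail-Addresses to E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID (Email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $Rules

# Check before testing a login: the trust exists, is enabled, and carries both rules.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$Trust | Select-Object Name, Enabled, MetadataUrl, AccessControlPolicyName
$Trust.IssuanceTransformRules

# Step 8: fetch the federation metadata BloodHound will consume and show its entityID,
# so the file you upload matches the IdP you expect.
$FedMetadata = Invoke-RestMethod "https://$AdfsHost/federationmetadata/2007-06/federationmetadata.xml"
$FedMetadata.EntityDescriptor.entityID
```

Run the script in an elevated PowerShell session on an ADFS server; if the metadata URL is unreachable, `Add-AdfsRelyingPartyTrust` fails instead of creating a half-configured trust.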
