How to configure Single-Sign-On between Mosaic and Microsoft AD FS

Last updated: April 28, 2026

In this article you will find the necessary steps to configure a connection between Microsoft AD FS and Mosaic's authentication platform to establish a Single-Sign-On experience for your enterprise users using Mosaic.

If at any time there are questions or issues with the connection, please reach out to support@mosaic.pe for assistance.


Microsoft AD FS Configuration

  1. Open the AD FS 2.0 console

  2. Go to Trust Relationships > Relying Party Trusts > Add relying party trusts. This will start a wizard.

  3. Select Enter data about the relying party manually.

  4. Enter a display name for the relying party configuration, such as Mosaic.

  5. On the next screen, do not configure a certificate.

  6. Enable support for the SAML 2.0 single sign-on service URL.

  7. Add urn:amazon:cognito:sp:us-east-1_snwpaAR4h as the relying party trust identifier.

  8. Configure the SAML POST binding. The SAML 2.0 post-binding endpoint is https://auth.mosaic.pe/saml2/idpresponse.

  9. Select Permit all users to access this relying party.

  10. Choose Finish.

  11. Navigate to Trust Relationships > Relying Party Trusts. You should see that urn:amazon:cognito:sp:us-east-1_snwpaAR4h is configured as the relying party.

  12. Select the relying party trust from the Trust Relationships > Relying Party Trusts screen, and then, in the Actions tab on the right side, choose Edit Claim Rules.

  13. On the Configure Claim Rule page, enter the following values for each configuration element, and then choose OK.

    1. Claim rule name: Email Address
      Incoming claim type: User-Principal-Name
      Outgoing claim type: E-mail Address
      Outgoing name ID format: Persistent identifier

    2. Claim rule name: Surname
      Attribute Directory: Active Directory
      LDAP Attributes: Surname
      Outgoing Claim Type: Surname

    3. Claim rule name: Given Name
      Attribute Directory: Active Directory
      LDAP Attributes: Given-Name
      Outgoing Claim Type: Given Name

  14. Before leaving the AD FS configuration, download the metadata file for the AD FS. The metadata URL for AD FS looks like the following: https://<servername>/FederationMetadata/2007-06/FederationMetadata.xml

  15. If necessary, restart the AD FS service to apply configuration changes.

  16. Please email support@mosaic.pe with the metadata from Step 14, as well as a list of all possible domains that might be authenticating via your AD FS instance. For example: yourdomain.com, yourdomain.net, etc. We will complete the integration and advise when it is ready to test.
