1. Home
  2. Guides
    1. Start
    2. Administer
    3. Analyze
    4. Configure
    5. Deploy
    6. Install
    7. Migrate
    8. Organize
    9. Secure
      1. Incorta Security Guide
      2. Secure Communication and Data
      3. Configure SSO
        1. Enable and Test SSO
        2. Use Incorta Login (Self-Sync)
        3. Azure AD SSO
        4. ADFS SSO
        5. Auth0 SSO
        6. IBM CIS SSO
        7. OAuth 2.0 / OpenID Connect SSO
        8. Okta SSO
        9. OneLogin SSO
        10. Mobile SSO
        11. Configure LDAP
        12. Monitor Logins and Access
      4. Secure Objects and Business Data
    10. Upgrade
    11. Visualize
  3. Concepts
  4. Tools
  5. References
  6. Integrations
  7. Data applications
  8. Release Notes
  9. Incorta Premium

Guides → ADFS SSO Configuration

To enable single sign-on using Microsoft Active Directory Federation Service (ADFS), you must configure ADFS and Incorta.

ADFS accepts secure URLs only, so the URLs of Incorta and any additional tools must use https.

Important: Single Logout (SLO) prerequisites

Starting with the 2025.7.2 release, SAML Single Logout (SLO) is enforced. When using ADFS as the identity provider, you must ensure the following configurations are in place to guarantee proper logout behavior:

  • NameID is present in the login response.
  • All logout messages are signed.
  • ADFS trusts the service provider (SP) signing certificate. Contact the Incorta Support team for the SP signing certificate.

Failure to complete these mandatory configurations will cause the SAML logout process to fail.

Configure ADFS

  • Open the ADFS manager.
  • Right-click ADFS, and then select Add Relying Party Trust.
  • Select Claims aware, and then Start.
  • Select Enter data about the relying party Manually, and then Next.
  • Enter a display name, and then select Next.
  • Browse to an encryption certificate or select Next to continue without an encryption certificate.
  • Select Enable for the SAML 2.0 WebSSO protocol.
  • Enter the Incorta SSO link in the following format and select Next: https://<cluster_URL>/incorta/<tenant-name>/.
  • Add a relying identifier, for example, enter the Incorta URL https://my-cluster.cloud.incorta.com/incorta or https://10.1.1.5:8080/incorta, and then select Next.
  • Select Permit everyone, then Next.
  • Select Next, and then Finish.
  • Select the relying parts in the left panel and the relying party you created and select properties in the right panel.
  • Select the Advanced tab, and then SHA-1 or SHA256 in Secure hash algorithm.
  • Select the Endpoint tab.
  • Select Add.
  • Select SAML logout as the endpoint type, and then enter a URL in the format https://<cluster_URL>/incorta/!<tenant-name>/ in the Trusted URL and the Response URL fields. In releases before 2024.1.5, enter a URL in the format https://<cluster_URL>/incorta/logout.jsp?rediredtUrl=
  • Select Add Claim.
  • Select Send LDAP Attributes as Claim from Claim rule template, and then select Next.
  • Enter a Claim rule name.
  • From LDAP Attributes, select the attribute used as the user’s login identifier in LDAP for authentication, such as the Display name or email.
  • Set the Outgoing Claim Type to loginName (case-sensitive).
  • Select Finish.

Here is an example of the provider configurations to add in the CMC:

onelogin.saml2.strict = false
onelogin.saml2.sp.entityid = https://<cluster_URL>/incorta/!demo/
onelogin.saml2.sp.assertion_consumer_service.url =  http://<cluster_URL>/incorta/!demo/
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
onelogin.saml2.sp.single_logout_service.url = http://<cluster_URL>/incorta/!demo/
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect


onelogin.saml2.idp.entityid = https://sts.windows.net/abc123b-456def-ghi789/
onelogin.saml2.idp.single_sign_on_service.url = https://login.microsoftonline.com/abc123b-456def-ghi789/saml2
onelogin.saml2.security.want_nameid = false
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
onelogin.saml2.idp.single_logout_service.url = https://login.microsoftonline.com/abc123b-456def-ghi789/saml2
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
onelogin.saml2.idp.x509cert = MIIEtDCCBFegAwIBAgIEVF...[rest of the certificate string with no line breaks]...