# Setting up authentication with ADFS

The following guide will assist you in configuring your application to use Active Directory Federation Services (ADFS) for authentication.

## Part 1: Configure a new relying party trust in ADFS

1. Open the ADFS console, expand `Trust Relationships`, right-click `Relying Party Trusts` and select `Add relying-party trust`
2. Click `Next` and select `Enter data about the relying party manually`
3. Specify `Lithnet Access Manager` as the display name
4. Select `AD FS profile`
5. Skip the encryption certificate step
6. Check the box to `Enable support for the WS-Federation Passive protocol`. Specify the base URL where your Lithnet Access Manager is hosted (e.g. `https://accessmanager.lithnet.local/`)
7. Skip the page prompting you to add additional relying-party trust identifiers
8. Optionally, configure multifactor authentication for the trust, and follow the remaining pages through to completion
9. Edit the claim rules for the application. Add a new issuance transform rule to `Send LDAP attributes as claims`
10. Set `Issue UPN` as the claim rule name. Select `Active Directory` as the attribute store, `User-Principal-Name` as the `LDAP Attribute` and `UPN` as the outgoing claim type

## Part 2: Configure Lithnet Access Manager

![!](https://1500666603-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzPrDxVWpXXpSNTpkDVnR%2Fuploads%2Fgit-blob-91b4504c1ccb4ebad778dbea2078308aed13a8cd%2Fui-page-authentication-wsfed-adfs.png?alt=media)

1. Open the Lithnet Access Manager Service Configuration Tool
2. Select the `App configuration\User Authentication` page
3. Select `WS-Federation` as the authentication provider type
4. In the `metadata` field, provide the metadata URL for your ADFS server (usually something like `https://adfs.lithnet.local/FederationMetadata/2007-06/FederationMetadata.xml`)
5. Enter the base URL of your application in the `Realm` field.
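
A read-only check of the settings from Parts 1 and 2, added here as an example and not part of the Lithnet product or its documentation. It assumes the example hostnames used in this guide and an elevated Windows PowerShell session on the AD FS server.

```powershell
# Added example: verify the relying party trust from Part 1 against the values used in Part 2.
# Read-only; uses the ADFS module that ships with the AD FS role.
Import-Module ADFS

# Assumptions: the example hostnames from this guide; replace with your own.
$trustName   = 'Lithnet Access Manager'
$realm       = 'https://accessmanager.lithnet.local/'
$metadataUrl = 'https://adfs.lithnet.local/FederationMetadata/2007-06/FederationMetadata.xml'
$upnClaim    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

$problems = @()
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) {
    $problems += "No relying party trust named '$trustName'"
} else {
    if (-not $trust.Enabled) { $problems += 'Trust is disabled' }

    # Part 1, step 6: the WS-Federation passive endpoint must be the HTTPS base URL.
    $endpoint = [string]$trust.WSFedEndpoint
    if ($endpoint -notlike 'https://*') { $problems += "WS-Fed endpoint is not HTTPS: '$endpoint'" }
    if ($endpoint -ne $realm)           { $problems += "WS-Fed endpoint '$endpoint' differs from '$realm'" }

    # Part 2, step 5: the Realm sent by the application must be a trust identifier.
    if ($trust.Identifier -notcontains $realm) {
        $problems += "Realm '$realm' is not among the identifiers: $($trust.Identifier -join ', ')"
    }

    # Part 1, steps 9-10: an issuance transform rule must emit the UPN claim.
    if ($trust.IssuanceTransformRules -notmatch [regex]::Escape($upnClaim)) {
        $problems += 'No issuance transform rule issues the UPN claim'
    }
}

# Part 2, step 4: the metadata must load over TLS with a certificate this host trusts.
try {
    $metadata = New-Object System.Xml.XmlDocument
    $metadata.Load($metadataUrl)
    if ($metadata.DocumentElement.LocalName -ne 'EntityDescriptor') {
        $problems += 'Metadata URL did not return a federation metadata document'
    }
} catch {
    $problems += "Metadata fetch failed: $($_.Exception.Message)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'ADFS trust matches the guide.' }
```

A mismatch between the `Realm` value and the trust identifiers (a missing trailing slash, for example) is reported by the identifier check.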

## Alternative claim mapping

AMS maps `upn`, `sid` and `onprem_sid` claims automatically if they are found in the response from the IDP.

If you need to use an attribute other than those, you can configure a custom claim mapping using [PowerShell](https://docs.lithnet.io/ams/help-and-support/powershellmodule/add-amsidpclaimmapping).
