Active Directory Federation Services (ADFS) SAML Setup

This guide walks through a basic setup for connecting Kasm to ADFS on Windows Server 2016 via SAML. Active Directory user accounts are assumed to have a populated email address attribute.

ADFS Signing Certificate

  1. From the ADFS Management console, expand Service, and select Certificates.

  2. Right-Click the Token-signing certificate and select View Certificate.


View Cerificate

  1. Select the Details tab, then click Copy to File.


Copy Certificate

  1. In the Certificate Export Wizard, click Next.


Export Certificate

  1. Select Base-64 encoded X.509 (CER) . Click Next.

  2. Select a desired output file and click Next.

  3. Click Finish.

  4. Open the certificate in your preferred text editor. This data will be used in the creation of the Kasm SAML configuration in the next section.


Certificate Contents

Create a new SAML configuration in Kasm

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> SAML -> Add Configuration.

  3. The SAML 2.0 Configuration page will auto-generate the Entity ID, Single Sign On Service, Single Logout Server, and Relay State values.

  4. Edit the auto-generated Entity ID value to remove the query argument in the URL. (e.g https://kasm.server/api/metadata/?id=123 => https://kasm.server/api/metadata/ )

  5. Update the form with the following entries.







Digest Algorithm



Group Member Attribute

Identity Provider: Entity Id

http://<adfs server>/adfs/services/trust

Identity Provider: Single Logout Service:

https://<adfs server>/adfs/ls/?wa=wsignout1.0

Identity Provider: Single Sign On Service

https://<adfs server>/adfs/ls/

Identity Provider: X509 Certificate

Certificate data from the previous section



NameID Attribute


Signature Algorithm

Want Attribute Statement


Want Assertion Signed


Want Name ID



Kasm SAML Configurations

  1. Click Save to save the changes.

  2. Click the Edit icon to re-open to SAML configuration. Leave this page open and continue to the next steps.

ADFS Party Trust

  1. Log into the ADFS Management Console.

  2. Right-Click Relying Party Trusts and select Add Relying Party Trust. The wizard will open.

  3. Select Claims aware then click Start.


Claims Aware

  1. Select Enter data about the relying party manually and click Next.


Relaying Party Manually

  1. Enter a Display Name and select Next e.g (Kasm ADFS).


Display Name

  1. Click Next to accept the defaults for the Configure Certificate step.


Configure Certificate

  1. Select Enable support for the SAML 2.0 WebSSO Protocol. Enter the Single Sign On Server URL from the Service Provider section of the KASM SAML configuration page started in the previous section. Click Next.


Enable SSO

  1. In the Relay party trust identifier, enter the Entity ID from the Service Provider section from the Kasm SAML configuration page started in the previous section. Click Add, then Click Next.


Add Service Provider

  1. Select Permit Everyone, then click Next.


Permit Access

  1. No changes are needed for the Ready to Add Trust section. Click Next.

  2. At the Finish screen, Uncheck Configure claims issuance policy for this application, then click Close.

  3. Right click the new trust (e.g Kasm ADFS) and select Properties.


ADFS Properties

  1. Select the Endpoints tab, then click Add SAML.

  2. Select SAML Logout as the Endpoint type and select POST as the Binding.

  3. Enter https://<adfs.server>/adfs/ls/?wa=wsignout1.0 in the Trusted URL. Click OK, then OK again.


Logout Configuration

ADFS Edit Claim Issuance Policy

  1. From the ADFS management console, select Relying Party Trusts, right click trust previously configured (.e.g Kasm ADFS) and select Edit Claim Issuance Policy.


Edit Issuance Policy

  1. Click Add Rule.


Modify Issuance Policy

  1. In the Claim rule template field, select Send LDAP Attributes as Claims. Click Next.


Select Template

  1. Enter a name in Claim rule name, then select Active Directory in the Attribute store drop down.

  2. Select E-Mail-Addresses as the LDAP Attribute. Select E-Mail-Address as the Outgoing Claim Type.

  3. In another entry, select Is-Member-Of-DL in LDAP Attribute and select Group in the Outgoing Claim Type. Click Finish.


Email Claim

  1. Create another rule to expose the email address as the NameID. Click Add Rule.

  2. Select Transform an Incoming Claim from the Claim rule template dropdown. Click Next.


Claim Rule Template

  1. Enter a name in Claim rule name.

  2. Select E-Mail Address for Incoming claim type.

  3. Select Name ID for Outgoing claim type.

  4. Select Email for Outgoing name ID format and click Finish.


Save Email Claim Rule

  1. Back in the Edit Claim Issuance Policy window, click OK


Edit Issuance Policy

Verifying Access

  1. Navigate to the Kasm UI Login screen. An “ADFS” button is visible representing the SAML config.

  2. Click ADFS


Kasm Login

  1. The user is navigated to the ADFS login portal. Enter the username/password of the desired user.


ADFS Login

  1. The user is redirected and logged into Kasm.

  2. From the Kasm UI select Logout. The user is logged out and redirected to the ADFS logout page.


ADFS Logout

ADFS Group Mapping

In the previous configuration ADFS was configured to pass along the user’s Active Directory group membership in the SAML assertions. Administrators can leverage this to automatically map users to groups defined in Kasm based off their group membership in Active Directory.

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Groups then click Add Group.

  3. Enter a Name and Priority.

  4. Save the new group by clicking Save.


New Group

  1. On the groups screen, using the arrow menu select Edit on the group that was just created.

  2. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  3. Select the SAML IDP that was created above “SAML - ADFS” for the SSO Provider.

  4. Enter the group DN in Group Attributes (e.g CN=MyGroup,OU=MyOrg,DC=kasm,DC=core).

  5. Click Submit.


SAML SSO Group Mapping

  1. Login via SAML as a user that is a member of the group. Notice the users is automatically placed in the Kasm group.