AD FS authentication

AD FS comes in two flavours, the service built into Windows Server and hosted Azure AD. The overall principles are the same, but there are different setup instructions.

Authentication via AD FS is our preferred method of authentication.

Multiple environments

During development and testing of your application. Separate SPs can be configured against each environment if required. Access to the test environment is usually obtained via your Project Room.

The production environment can only be configured towards the end of the development process, once the hostname under the institution’s domain is delegated to the Haplo hosted service and an application is created.

We will ask for SPs to be set up at appropriate times. While it is safe to use production service providers with test environments, you may have separate test servers you wish to use during testing.

Creating an SP

When setting up AD FS, both sides need to include configuration information from the other before it’ll work. We will set up our side first, then ask you to configure your identity provider.

We will provide you with an identifier and a reply URL. These will look like:

(the identifier is also the Federation metadata address)
Reply URL

Please follow the instructions for the flavour of AD FS you are using:

In both cases, you will need to:

  • set up claims, so your IdP will send an identifier for your user. The identifier required is the unique identifier for each person in the user sync, and is most likely the username, but sometimes institutions use an email address.
  • send us the App Federation Metadata Url so we can complete our configuration.

When we’ve set up the first service provider in a test environment, we’ll give you a testing URL so we can test the configuration is providing the right information to our service provider.

Updating IdP certificates and metadata

If you are planning to update your IdP metadata, for example if you change certificates, please contact Haplo support in advance to coordinate updates.


The most likely claims to be used for identifying users are:

  • user.userprincipalname
  • user.mail

Only one claim needs to be provided.