- On your AD FS farm, open AD FS Management.
- Click on Relying Party Trusts and then Add Relying Party Trust…
- Start the wizard when it appears.
- Choose to enter data about the relying party manually and click Next.
- Provide a name for your Relying Party Trust and click Next.
- Select AD FS profile (SAML 2.0) and click Next.
- Click Next to skip certificate configuration and move on to configuring the URL.
- Enable support for the SAML 2.0 WebSSO protocol, enter the Assertion Consumer Service URL and click Next:
- Enter the Relying Party Trust identifier that includes the organization ID that was received from Scalyr Support (for more information, see this page), click Add, and then click Next. Your identifier URI is as follows:
- Skip multi-factor authentication settings and click Next.
- Permit all users and click Next.
- Click Next and then Finish to complete the wizard while electing to open the claim rules editor on completion.
- You need to add two Claim Rules to the Relying Party Trust for Scalyr. One claim rule provides the email address and Name ID from your Active Directory, and the other transforms the Name ID into SAML 1.1 e-mail address format. Click Add Rule…
- Choose Send LDAP Attributes as Claims and click Next.
- Name your Claim Rule, pick Active Directory as the attribute store, and map the E-Mail Addresses LDAP attribute to the outgoing claim types “email” and “AD FS 1.x E-Mail Address”. Click Finish when done. When entering the attributes and claim types, type in “email” and use the selector to choose all other values.
- Follow the guidance in the previous step to configure one more Claim Rule that converts the AD FS 1.x E-Mail Address to Name ID, preserving the format. It should look like the below.
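The wizard steps above, expressed with the AD FS PowerShell module so the result can be scripted and checked. This is an added example and not code from Scalyr's documentation or from Microsoft; it assumes it runs on an AD FS server with the ADFS module available. The Assertion Consumer Service URL and the identifier URI containing your organization ID are not on this page, so both appear as obvious placeholders, and the trust name `Scalyr` is an assumption. The two claim rules are written in the AD FS claim rule language, matching the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates the wizard generates.

```powershell
# Added example (not from the Scalyr or Microsoft documentation): the wizard
# steps above expressed with the AD FS PowerShell module, run on an AD FS server.
Import-Module ADFS

$trustName  = 'Scalyr'                                           # assumed name
$acsUrl     = 'https://ACS-URL-FROM-SCALYR-PLACEHOLDER'          # placeholder
$identifier = 'https://IDENTIFIER-URI-WITH-ORG-ID-PLACEHOLDER'   # placeholder

# Rule 1: "Send LDAP Attributes as Claims". The wizard's "E-Mail Addresses"
# entry is the AD "mail" attribute; it is issued as the custom "email" claim
# type and as the AD FS 1.x E-Mail Address claim type.
$emailRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Scalyr - email from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);
'@

# Rule 2: "Transform an Incoming Claim". The AD FS 1.x E-Mail Address becomes
# the SAML Name ID, tagged with the SAML 1.1 emailAddress format.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Scalyr - email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users" from the wizard, as an issuance authorization rule.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO endpoint: the relying party's Assertion Consumer Service (POST).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules ($emailRule + "`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $permitAll

# Check: the trust should show the identifier and both transform rules.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, IssuanceTransformRules
```

If the trust already exists from the wizard, replace `Add-AdfsRelyingPartyTrust` with `Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules ...` to apply only the claim rules; the final `Get-AdfsRelyingPartyTrust` call is the quickest way to confirm that both rules were stored and that the identifier matches the one received from Scalyr Support.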