Single sign on with ADFS


Pronestor supports single sign-on (SSO) logins through SAML 2.0 via Active Directory Services (ADFS). ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.

Once you have completed this guide, Pronestor has to do their part as described here (this guide is only visible for Pronestor employees)


To use ADFS to log in to your Pronestor instance, you need the following components:

  • That all users are created in Pronestor Planner with the same login as your Active Directory. For example through a user import.
  • An Active Directory instance where all users have an email address attribute and a User Principal name.
  • A Pronestor Planner Cloud solution.
  • A server running Microsoft Server 2012 or 2008. This guide uses screenshots from Server 2012R2, but similar steps should be possible on other versions.
  • A SSL certificate to sign your ADFS login page and the fingerprint for that certificate.

After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article -

When you have a fully installed ADFS installation, note down the value for the 'SAML 2.0/W-Federation' URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be '/adfs/ls/'.


Step 1 - Adding a Relying Party Trust

At this point, you should be ready to set up the ADFS connection with your Pronestor instance. The connection between ADFS and Pronestor is defined using a Relying Party Trust (RPT).

  • Select the Relying Party Trusts folder from AD FS Management
  • Add a new Standard Relying Party Trust from the Actions sidebar.

This starts the configuration wizard for a new trust.

In the Welcome screen choose Claims aware 

In the Select Data Source screen, select the last option, Enter Data About the Relying Party Manually.

On the next screen, enter a Display name that you'll recognize in the future, and any notes you want to make.

On the next screen, leave the certificate settings at their defaults.


On the next screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be, replacing customername with your Pronestor's subdomain. Note that there's no trailing slash at the end of the URL.

On the next screen, add a Relying party trust identifier of, replacing subdomain with your Pronestor subdomain. 

It's important that you don't use any capital letters.

Note: If you enter, and receive a request failure error, you may need to enter your subdomain as

On the next screen, leave the Access Control Policy as it is.

On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor


Step 2 - Creating claim rules

Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard. By default, the claim rule editor opens once you created the trust. If you want to map additional values beyond authentication, refer to our documentation.

To create a new rule, click on Add Rule.
Create a Send LDAP Attributes as Claims rule.

On the next screen, using Active Directory as your attribute store, do the following:
1. From the LDAP Attributecolumn, select User-Principal-Name.
2. From the Outgoing Claim Type, select Name.


Please send the following information and ask us to enabled ADFS. Remember to have your users in Pronestor first, or you won't be able to log on afterwards.

It is critical that this information is exactly like what you entered into your system. If you typed but send Pronestor it won't work.

Customer values to be send to Pronestor

Section Purpose Value
ServiceProvider Reference to Pronestor site ex.
PartnerIdentityProvider Reference to customer's ADFS endpoint (see below on how to retrieve this information) ex.
SingleSignOnServiceUrl SAML 2.0/W-Federation ex.
SingleLogoutServiceUrl SAML 2.0/W-Federation ex.

How to look up the PartnerIdentityProvider

  • open ADFS management tool
  • Right click Service
  • Click Properties
  • Copy the value in the "Federation Service Identifier" - which is your  PartnerIdentityProvider name

How to find your SingleSignOnServiceUr and SingleLogoutServiceUrl

If you haven't changed your defaults, you can find out what your SingleSignOnServiceUr and SingleLogoutServiceUrl by takings your PartnerIdentityProvider and changing the ending. So if your PartnerIdentityProvider is then your SingleSignOnServiceUr and SingleLogoutServiceUrl will be

If you have change your defaults, then you can find what you changed them to under "Endpoints"


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


  • Avatar

    Troubleshooting tip
    "You were authenticated successfully by your SSO-provider, but the response couldn't be validated by Pronestor. Please contact your system administrator"

    - Make sure the "Relying party identifiers" is set correct (no ending slash - should be etc. "")

    - Ask the customer to look into ADFS and list the exception received

    Edited by R&D
Powered by Zendesk