
# Active Directory as a SAML 2.0 External Identity Provider

> Configure Active Directory Federation Services (AD FS) as a SAML 2.0 External Identity Provider for your ABBYY Vantage tenant.

## Prerequisites

* Ensure that you have a Vantage tenant identifier before configuring identities. To get a tenant identifier, click **Configuration** in ABBYY Vantage. The identifier is on the **General** tab.
* Create a Redirect URI to receive the authentication responses. The URI is: \
  `https://<your-vantage-url>/auth2/Saml2/Acs`

## Setup

The setup process consists of the following steps:

* [Adding a claim description](#adding-a-claim-description)
* [Configuring a relying party trust](#configuring-a-relying-party-trust)
* [Adding rules to transform an incoming claim](#adding-rules-to-transform-an-incoming-claim)

### Adding a claim description

<Steps>
  <Step title="Open the management console">
    Open the AD FS management console.
  </Step>

  <Step title="Open Add Claim Description">
    Select **Service > Claim Descriptions**, then click **Add Claim Description**.
  </Step>

  <Step title="Fill in the claim description">
    Specify the following:

    * **Display name** — for example, `Persistent Identifier`.
    * **Claim type** — `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`.
    * Select **Publish this claim description in federation metadata as a claim type that this federation service can accept**.
    * Select **Publish this claim description in federation metadata as a claim type that this federation service can send**.

    <Frame>
      <img src="https://mintcdn.com/abbyy/jZX7kaKQgdxaDiIT/images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_1.png?fit=max&auto=format&n=jZX7kaKQgdxaDiIT&q=85&s=ac11e65fe576aa3a7cd27a277b3d3772" alt="AD FS Add Claim Description dialog with display name and Persistent Identifier claim type fields" style={{ width:"71%" }} width="638" height="610" data-path="images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_1.png" />
    </Frame>
  </Step>

  <Step title="Confirm">
    Click **OK**.
  </Step>
</Steps>

The claim description is now published in the federation metadata as a claim type this federation service can both accept and send, which is what lets you control how user attributes are mapped between AD FS and Vantage.

### Configuring a relying party trust

To create an AD FS relying party trust, follow these steps:

<Steps>
  <Step title="Add a Relying Party Trust">
    In the console tree, under **AD FS**, select **Trust Relationships > Relying Party Trusts > Add Relying Party Trust**.
  </Step>

  <Step title="Start the wizard">
    On the **Welcome** page, choose **Claims aware** and click **Start**.
  </Step>

  <Step title="Select the data source">
    On the **Select Data Source** page, select **Enter data about the relying party manually**, then click **Next**.
  </Step>

  <Step title="Specify a display name">
    On the **Specify Display Name** page, enter any name in **Display Name**, then click **Next**.
  </Step>

  <Step title="Choose the profile">
    On the **Choose Profile** page, select the **AD FS 2.0 profile**, then click **Next**.
  </Step>

  <Step title="Configure the certificate">
    On the **Configure Certificate** page, click **Next**.
  </Step>

  <Step title="Configure the URL">
    On the **Configure URL** page, select **Enable support for the SAML 2.0 WebSSO protocol**. Under **Relying party SAML 2.0 SSO service URL**, enter `https://<your-vantage-url>/auth2/Saml2/Acs`, then click **Next**.
  </Step>

  <Step title="Configure identities">
    * Under **Relying party trust identifier**, enter `api://platform.abbyy.cloud/tenantId`, where `tenantId` is the tenant identifier in GUID format **without hyphens** (for example, `117489fc1aea41658369d4d18d6557ga`). This value will be used as the Application ID URI for authentication. Copy this value — you'll need it when configuring the External Identity Provider in Vantage. Click **Add**.
    * In the **Expose an API** tab, set the Application ID URI to the same value you entered above (for example, `api://cccc3333-dddd-4444-eeee-5555ffff6666`). Click **Add**, then click **Next**.
  </Step>

  <Step title="Choose Issuance Authorization Rules">
    To grant Vantage access to all users, select **Permit all users to access this relying party**. To restrict access to a specific group, select **Permit specific group** and specify the group. Click **Next**.
  </Step>

  <Step title="Add the trust">
    On the **Ready to Add Trust** page, review the settings. Click **Next**, then click **Close**.
  </Step>
</Steps>

A trust relationship between AD FS (the Identity Provider) and ABBYY Vantage (the relying party) is now established.

### Adding rules to transform an incoming claim

To apply rules to transform an incoming claim, follow these steps:

<Steps>
  <Step title="Open Relying Party Trusts">
    Click **Relying Party Trusts**.
  </Step>

  <Step title="Edit the Claim Issuance Policy">
    Right-click the selected trust, then click **Edit Claim Issuance Policy**.
  </Step>

  <Step title="Add a rule">
    In the **Edit Claim Issuance Policy for \<name>** window, click **Add Rule**.

    <Frame>
      <img src="https://mintcdn.com/abbyy/jZX7kaKQgdxaDiIT/images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_2.png?fit=max&auto=format&n=jZX7kaKQgdxaDiIT&q=85&s=ce66660c440732b209b9cefd1ed8fdab" alt="AD FS Edit Claim Issuance Policy dialog with Add Rule button for SAML claim rules" style={{ width:"60%" }} width="486" height="543" data-path="images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_2.png" />
    </Frame>
  </Step>

  <Step title="Select the rule template">
    Select the **Transform an Incoming Claim** claim rule template, then click **Next**.

    <Frame>
      <img src="https://mintcdn.com/abbyy/jZX7kaKQgdxaDiIT/images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_3.png?fit=max&auto=format&n=jZX7kaKQgdxaDiIT&q=85&s=323c987dcbc44d4183160f9e50f18939" alt="AD FS Add Transform Claim Rule wizard with Transform an Incoming Claim template selected" style={{ width:"72%" }} width="716" height="582" data-path="images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_3.png" />
    </Frame>
  </Step>

  <Step title="Configure the claim rule">
    Select the **Configure Claim Rule** step, then specify the following:

    * **Claim rule name** — `Transform Windows account name`.
    * **Incoming claim type** — **Windows account name**.
    * **Outgoing claim type** — **Name ID**.
    * **Outgoing name ID format** — **Persistent Identifier**.
    * Select **Pass through all claim values**.

    <Frame>
      <img src="https://mintcdn.com/abbyy/jZX7kaKQgdxaDiIT/images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_5.png?fit=max&auto=format&n=jZX7kaKQgdxaDiIT&q=85&s=8ffeb41e66f7c368433f79475e2057a0" alt="AD FS Configure Claim Rule step with Windows account name as incoming claim and Persistent Identifier as outgoing format" style={{ width:"74%" }} width="716" height="582" data-path="images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_5.png" />
    </Frame>
  </Step>

  <Step title="Finish the first rule">
    Click **Finish**.
  </Step>

  <Step title="Add a Send LDAP Attributes rule">
    Add another rule to ensure email and name claims are included in the issued token. On the **Select Rule Template** page, select **Send LDAP Attributes as Claims** under **Claim rule template**, then click **Next**.

    <Frame>
      <img src="https://mintcdn.com/abbyy/jZX7kaKQgdxaDiIT/images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_4.png?fit=max&auto=format&n=jZX7kaKQgdxaDiIT&q=85&s=ddda2279d705a482c6f69f92507cdafb" alt="AD FS Add Transform Claim Rule wizard with Send LDAP Attributes as Claims template selected" style={{ width:"71%" }} width="718" height="583" data-path="images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_4.png" />
    </Frame>
  </Step>

  <Step title="Configure the LDAP rule">
    On the **Configure Claim Rule** page, select the **Active Directory** attribute store under **Claim rule name**, then click **Finish**.

    <Frame>
      <img src="https://mintcdn.com/abbyy/jZX7kaKQgdxaDiIT/images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_6.png?fit=max&auto=format&n=jZX7kaKQgdxaDiIT&q=85&s=4cf4fa5ecbe25939dc952cc498470754" alt="AD FS Configure Claim Rule with Active Directory attribute store and email and name LDAP attribute mappings" style={{ width:"73%" }} width="718" height="583" data-path="images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_6.png" />
    </Frame>
  </Step>

  <Step title="Verify the rules">
    The added rules are displayed in the **Edit Claim Rules** dialog.

    <Frame>
      <img src="https://mintcdn.com/abbyy/jZX7kaKQgdxaDiIT/images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_7.png?fit=max&auto=format&n=jZX7kaKQgdxaDiIT&q=85&s=41259ea91239a8c1cfba5e1e140b2e87" alt="AD FS Edit Claim Rules dialog showing both Persistent Identifier and Send LDAP Attributes as Claims rules" style={{ width:"60%" }} width="487" height="546" data-path="images/vantage/tenant-admin/sysadmin_identityprovider_activedirectory_saml_7.png" />
    </Frame>
  </Step>
</Steps>

## Next steps

Once AD FS is configured, connect it to your Vantage tenant. You'll need the federation metadata document URL in the format `https://<adfs-server-address>/federationmetadata/2007-06/federationmetadata.xml` — for example, `https://adfs.platform.local/federationmetadata/2007-06/federationmetadata.xml`.
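Before pasting the metadata URL into Vantage it is worth fetching the document once and reading back what Vantage will trust: the issuer (entity ID), the SSO endpoints, the Name ID formats offered, and the token-signing certificate. The block below is an added example, not code from ABBYY; the server name is the page's placeholder, and the metadata element names are the standard SAML 2.0 metadata schema that AD FS publishes.

```powershell
# Added example, not ABBYY's code. Works from any machine that can reach the AD FS server.
$metadataUrl = 'https://adfs.platform.local/federationmetadata/2007-06/federationmetadata.xml'  # placeholder host

[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Issuer that will appear in every SAML response; Vantage validates assertions against it.
$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
"Entity ID (issuer): $($entity.entityID)"

# IdP descriptor: sign-on endpoints and the Name ID formats AD FS advertises.
# The persistent format must be listed if the claim description was published correctly.
$idp = $md.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
$idp.SelectNodes('md:SingleSignOnService', $ns) | ForEach-Object { "SSO endpoint: $($_.Binding) $($_.Location)" }
$idp.SelectNodes('md:NameIDFormat', $ns)        | ForEach-Object { "NameIDFormat: $($_.InnerText)" }

# Token-signing certificate(s). Record thumbprint and expiry, and compare with
# Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server; a mismatch
# means the URL is not pointing at the farm you think it is, or a rollover is pending.
$idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
        "Signing cert: $($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"
    }
```

If the document lists two signing certificates, AD FS is in the middle of an automatic certificate rollover; Vantage must be able to refresh the metadata (or be given both certificates) before the primary certificate switches, otherwise sign-ins fail with a signature validation error.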

For the Vantage-side setup, see [Setting up an External Identity Provider for a tenant](/vantage/documentation/tenant-admin/tenant-management/configuring-tenant).

## Related topics

<CardGroup cols={2}>
  <Card title="Configuring a SAML 2.0 External Identity Provider" icon="shield-halved" href="/vantage/documentation/tenant-admin/tenant-management/saml-2-0">
    Overview of SAML 2.0 setup for AD FS or Azure AD
  </Card>

  <Card title="Azure Active Directory as a SAML 2.0 External Identity Provider" icon="cloud" href="/vantage/documentation/tenant-admin/tenant-management/saml-2-0-azure-active-directory">
    Configure Azure AD instead of on-premises AD FS
  </Card>

  <Card title="Setting up an External Identity Provider for a tenant" icon="sliders" href="/vantage/documentation/tenant-admin/tenant-management/configuring-tenant">
    Connect AD FS to your Vantage tenant
  </Card>

  <Card title="Testing external authentication" icon="vial" href="/vantage/documentation/tenant-admin/tenant-management/testing-external-auth">
    Verify the External Identity Provider before users sign in
  </Card>
</CardGroup>
