SSO with Active Directory Federation Services (AD FS)

With single sign-on (SSO), users can access their company and other business applications through a single login. Centralized login and authentication have several key advantages, including security benefits.

Active Directory Federation Services (AD FS) is a web service in the Windows Server operating system that lets a company share identity information with applications outside its own network. After signing in once to AD FS, users can open federated applications (for example, Microsoft Office apps, Salesforce.com, Sage Intacct) without being prompted for their credentials again.

Set up Trust Relationships

Complete these steps in AD FS.

  1. Sign in to AD FS as an administrator.
  2. Go to Trust Relationships > Relying Party Trusts.
  3. Right-click Relying Party Trusts and select Add Relying Party Trust.
  4. Select Enter data about the relying party manually.
  5. Enter a display name, for example Intacct SSO.
  6. Select Enable support for the SAML 2.0 WebSSO protocol and set Relying party SAML 2.0 Service URL to:
    https://www.intacct.com/ia/acct/sso_response.phtml
  7. Set Relying party trust identifier to: https://saml.intacct.com
  8. Select Add, then accept the default values for all remaining options and finish the wizard.
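The same relying party trust can be created from an elevated PowerShell session on the AD FS server with the ADFS module. This is an added example, not taken from the original page or from Sage; the display name, service URL and identifier are the values given in the steps above, and the permit-everyone authorization rule reproduces the wizard's default access choice.

```powershell
# Added example: create the Intacct relying party trust with the ADFS PowerShell module.
# Run in an elevated session on the AD FS server. Values below are the ones from the steps above.
Import-Module ADFS

$displayName = "Intacct SSO"
$acsUrl      = "https://www.intacct.com/ia/acct/sso_response.phtml"   # Relying party SAML 2.0 Service URL
$identifier  = "https://saml.intacct.com"                              # Relying party trust identifier (SAML Audience)

# SAML 2.0 WebSSO: AD FS POSTs the signed assertion to Intacct's assertion consumer service URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# The wizard's default "Permit all users" choice, expressed in claim rule language.
# Without an authorization rule (or an access control policy) nobody can use the trust.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $displayName)) {
    Add-AdfsRelyingPartyTrust -Name $displayName `
                              -Identifier $identifier `
                              -SamlEndpoint $acs `
                              -IssuanceAuthorizationRules $permitAll
}

# Confirm what was written before moving on to the claim rules.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, Enabled, @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } }
```

On AD FS 2016 and later you can pass -AccessControlPolicyName "Permit everyone" instead of -IssuanceAuthorizationRules; the effect is the same as the wizard default.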

Copy the certificate

After copying the certificate from AD FS, you add it to Intacct.

  1. Sign in to AD FS as an administrator.
  2. In the AD FS Management tool, go to Service > Certificates.
  3. Select the primary certificate under Token-signing and export it (public certificate only, without the private key) for later use. Intacct uses this certificate to verify the signature that AD FS puts on each SAML assertion, so it must be the token-signing certificate, not the token-decrypting one. If AD FS auto certificate rollover is enabled, AD FS generates a new token-signing certificate before the current one expires; that new certificate must be exported and added to Intacct before it becomes primary, or sign-in will start failing.
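Exporting the certificate from PowerShell makes it explicit that only the public certificate leaves the server and records the thumbprint you can later compare against what Intacct shows. This is an added example, not from the original page or from Sage; the output paths under $env:TEMP are assumptions, and whether Intacct's Certificate field wants the PEM header lines or only the Base64 body is something to check in the Intacct form itself.

```powershell
# Added example: export the PUBLIC part of the primary token-signing certificate.
# Intacct uses this certificate to verify the signature on SAML assertions issued by AD FS.
Import-Module ADFS

$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$x509    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# X509ContentType::Cert exports the DER-encoded certificate only; the private key never leaves AD FS.
$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("$env:TEMP\adfs-token-signing.cer", $der)

# Base64/PEM form, which is what web forms such as Intacct's Certificate field usually accept.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:TEMP\adfs-token-signing.pem" -Value $pem

# Record what was exported so the upload can be checked later, and note whether
# AD FS will replace this certificate on its own before it expires.
[pscustomobject]@{
    Subject      = $x509.Subject
    Thumbprint   = $x509.Thumbprint
    NotAfter     = $x509.NotAfter
    AutoRollover = (Get-AdfsProperties).AutoCertificateRollover
}
```

When AutoRollover is True, put the NotAfter date in your change calendar: the replacement certificate appears as a secondary token-signing certificate first, and Intacct must have it before AD FS promotes it to primary.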

Set up Claim Rules

Complete these steps in AD FS. You need to add three claim rules to the Intacct SSO relying party trust.

Claim Rule: Get Email

  1. Sign in to AD FS as an administrator.
  2. Go to Trust Relationships > Relying Party Trusts.
  3. Right-click the relying party trust you created (for example, Intacct SSO) and select Edit Claim Rules.
  4. On the Issuance Transform Rules tab, select Add Rule and set the following:
    • Template: Send LDAP Attributes as Claims
    • Rule name: Get Email
  5. Select Next and verify the following:
    • Claim rule name: Get Email
    • Attribute store: Active Directory
    • Mapping of LDAP attributes to outgoing claim types: LDAP Attribute E-Mail-Addresses to Outgoing Claim Type E-Mail Address.
  6. Select Finish.

Claim Rule: Transform Email

  1. Select Add Rule and set the following:
    • Template: Transform an Incoming Claim
    • Rule name: Transform Email
  2. Select Next.
  3. Verify the following:
    • Claim rule name: Transform Email
    • Incoming claim type: E-Mail Address
    • Outgoing claim type: Name ID
    • Outgoing name ID format: Unspecified
    • Pass through all claim values is selected.
  4. Select Finish.

Claim Rule: Get Sage Intacct user and Company

  1. Select Add Rule and set the following:
    • Template: Send LDAP Attributes as Claims
    • Rule name: Get Sage Intacct User and Company
  2. Select Next and verify the following:
    • Claim rule name: Get Sage Intacct User and Company
    • Attribute store: Active Directory
    • Mapping of LDAP attributes to outgoing claim types:
      LDAP Attribute    Outgoing Claim Type
      Company           Company Name
      Department        Name
  3. You can map any available field from the Active Directory records, as long as those fields contain the Sage Intacct User ID (username) exactly as it is displayed in Intacct and the Company ID. In the table above, Department maps to the Intacct User ID and Company maps to the Intacct Company ID. Because the value of the mapped attribute decides which Intacct user a person signs in as, treat write access to that attribute as equivalent to access to the Intacct account it names, and restrict who can edit it.
  4. Select Finish.
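The three rules above, written in AD FS claim rule language and applied to the trust with Set-AdfsRelyingPartyTrust, make the LDAP attributes and claim types explicit and give you something you can diff and version. This is an added example, not from the original page or from Sage. The E-Mail Address, Name and Name ID claim types are the standard AD FS URIs; the page calls the company claim "Company Name" but does not give its URI, so $companyClaimType is an assumption and must match the attribute name Intacct expects in the assertion.

```powershell
# Added example: the three claim rules as issuance transform rules on the Intacct SSO trust.
Import-Module ADFS

# Standard AD FS claim type URIs for the claims named in the UI steps above.
$winAccountType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$emailClaimType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"   # E-Mail Address
$nameIdClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" # Name ID
$nameClaimType   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"           # Name
# ASSUMPTION: the page shows the display name "Company Name" only; use the claim/attribute name Intacct expects.
$companyClaimType = "Company Name"

# LDAP queries use the AD attribute names (mail, company, department) behind the UI's
# "E-Mail-Addresses", "Company" and "Department" entries; {0} is the authenticated account name.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Get Email"
c:[Type == "$winAccountType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaimType"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Email"
c:[Type == "$emailClaimType"]
 => issue(Type = "$nameIdClaimType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

@RuleTemplate = "LdapClaims"
@RuleName = "Get Sage Intacct User and Company"
c:[Type == "$winAccountType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$companyClaimType", "$nameClaimType"), query = ";company,department;{0}", param = c.Value);
"@

Set-AdfsRelyingPartyTrust -TargetName "Intacct SSO" -IssuanceTransformRules $rules

# Read back what AD FS stored; this is also what the Edit Claim Rules dialog will show.
(Get-AdfsRelyingPartyTrust -Name "Intacct SSO").IssuanceTransformRules
```

The order of the types list and the attribute list in the last rule is positional: company becomes the first claim type and department the second, which is the mapping in the table above. If you choose different AD attributes for the User ID and Company ID, change both the query and the order together.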

Add the certificate to Sage Intacct

Complete these steps in Intacct.

  1. Sign in to Intacct as an administrator.
  2. Go to Company > Setup > Company.
    The Company Information page opens.
  3. Go to the Security tab and select Edit.
  4. In the Single sign-on section, select Enable single sign-on and enter the following details:
    • Identity Provider type: SAML 2.0 with ADFS
    • Issuer URL: https://saml.intacct.com
    • Login URL: the AD FS IdP-initiated sign-on page, where users sign in to AD FS and choose the application to launch. For example: https://your.company.com/adfs/ls/IdpInitiatedSignon.aspx
      On AD FS 2016 and later this page is disabled by default; enable it with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true, otherwise the Login URL returns an error.
    • Certificate: Enter the certificate that you exported in Copy the certificate.
  5. Select Save.

Test the connection

You can test that SSO is working with the following steps.

In Intacct:

  1. Sign in to Intacct as an administrator.
  2. Go to Company > Admin > Users and select Edit next to the name of the user to update.
  3. On the Single Sign-on tab for the selected user, update the Federated SSO User ID with the user's email from AD FS. This field is case-sensitive.
  4. Select Save.

In AD FS:

  1. Sign in to AD FS as an administrator.
  2. Go to Trust Relationships > Relying Party Trusts.
  3. Right-click the Intacct SSO relying party trust and select Edit Claim Rules.
  4. Open Claim Rule: Get Sage Intacct User and Company and confirm that, for the test user, the Active Directory attribute mapped to Name (Department in the example above) holds that user's Sage Intacct User ID exactly as it is displayed in Intacct, and that the attribute mapped to Company Name holds the Company ID. If it does not, update the user's attribute in Active Directory (or change the mapping) before testing.
  5. Select Finish.
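Before testing the round trip it is worth checking the three things that most often make the first sign-in fail: the trust itself, the IdP-initiated sign-on page behind the Login URL, and the test user's attribute values. This is an added example, not from the original page or from Sage; it assumes the trust is named Intacct SSO, that Department holds the Intacct User ID and Company the Company ID as in the table above, and that the test account is the sAMAccountName jdoe. Get-ADUser needs the ActiveDirectory RSAT module.

```powershell
# Added example: pre-flight checks before testing SSO against Intacct.
Import-Module ADFS
Import-Module ActiveDirectory   # RSAT module; needed only for the Get-ADUser check

$trustName = "Intacct SSO"
$testUser  = "jdoe"             # sAMAccountName of the test user (assumption)

# 1. The trust exists, is enabled and points at Intacct's assertion consumer URL.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying party trust '$trustName' not found" }
$rp | Select-Object Name, Enabled, Identifier, @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } }

# 2. The Login URL configured in Intacct is the IdP-initiated sign-on page. On AD FS 2016 and later
#    it is off by default; the property does not exist on older versions, so only warn when it is present.
$props = Get-AdfsProperties
$flag  = $props.PSObject.Properties['EnableIdpInitiatedSignonPage']
if ($flag -and -not $flag.Value) {
    Write-Warning "IdP-initiated sign-on page is disabled; run: Set-AdfsProperties -EnableIdpInitiatedSignonPage `$true"
}
"Login URL for Intacct: https://$($props.HostName)/adfs/ls/IdpInitiatedSignon.aspx"

# 3. The attributes the claim rules read must match Intacct exactly. The Name ID sent is the mail
#    attribute, and Intacct's Federated SSO User ID comparison is case-sensitive.
$u = Get-ADUser -Identity $testUser -Properties mail, company, department
$missing = @('mail', 'department', 'company') | Where-Object { [string]::IsNullOrWhiteSpace($u.$_) }
if ($missing) { Write-Warning "Attributes empty for ${testUser}: $($missing -join ', ')" }
[pscustomobject]@{
    'Name ID (mail)'               = $u.mail         # must equal the Federated SSO User ID in Intacct
    'Intacct User ID (department)' = $u.department   # must equal the Intacct User ID, same case
    'Intacct Company ID (company)' = $u.company      # must equal the Intacct Company ID
}
```

If the values look right and sign-in still fails, the AD FS Admin event log on the federation server is the place to look: a claims pipeline or signature problem is logged there, whereas Intacct only reports that the assertion was rejected.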