Configure on-premise Microsoft Active Directory with Active Directory Federation Service and SAML SSO

Configuring single sign-on (SSO) via Active Directory Federation Services (AD FS) for your ClickUp account allows users to sign in to ClickUp with your self-hosted Microsoft account.

If you're using Microsoft 365 or Azure Active Directory, you'll need to use our Microsoft single sign-on option instead.

What you'll need

  • Only owners and admins can set up SAML SSO.
  • Custom SAML is only available on an Enterprise Plan. To learn about our different plans, click here.

Configure on-premise Microsoft Active Directory with Active Directory Federation Service and SAML SSO

There are five steps to configure SAML SSO for your ClickUp account with on-premise Microsoft Active Directory.

  1. Gather SAML SSO details in ClickUp
  2. Configure Relying Party Trust for AD FS
  3. Add rules to AD FS
  4. Export signing certificate
  5. Complete the setup process in ClickUp

Step 1: Gather SAML SSO details in ClickUp

The first step is to gather SAML SSO details in ClickUp.

  1. Click your Workspace's avatar and then click Settings.
  2. Select Security & Permissions.
  3. From the Single sign-on (SSO) section, select SAML.
    • Any previous SSO settings in your workspace will be overwritten.
  4. Under Configure SAML Single Sign On you'll see the following items, which you'll need to reference in the following steps:
    • SP Certificate
    • Single sign on URL
    • Audience URL (SP Entity ID)
  5. Copy the entire SP Certificate text and paste it into a text editor, like VS Code.
  6. Save the file as clickup.cert.

    The security certificate won't work if any of the SP Certificate text is removed.

Step 2: Configure Relying Party Trust for AD FS

After saving your security certificate, you'll create a Relying Party Trust in Windows Server Manager. This will allow ClickUp to connect to your Active Directory deployment.

  1. In Windows Server Manager, click Tools, and then select AD FS Management.
  2. In the Actions column on the right, click Add Relying Party Trust. This opens a wizard that guides you through the setup process.
  3. On the Welcome page, choose Claims aware and click Start.
  4. On the Select Data Source step, select Enter data about the relying party manually and click Next.
  5. Add a Display name then click Next. We recommend naming this ClickUp.
  6. On the Configure Certificate step, click the Browse button.
  7. Select the clickup.cert file created in the previous step and click Next.
  8. On the Configure URL step, check Enable support for the SAML 2.0 WebSSO protocol.
  9. Paste the Single sign on URL from the previous step into the Relying party SAML 2.0 service URL field and click Next.
  10. On the Configure Identifiers step, paste in your Audience URL (SP Entity ID) from the previous step into the Relying party trust identifier field.
  11. Click Add and then click Next.
  12. On the Choose Access Control Policy step, select Permit everyone then click Next. This determines who can authenticate their ClickUp account via SSO.
  13. On the Ready to Add Trust step, click Next and Close the wizard.

Step 3: Add rules to AD FS

Next, you need to add two rules to AD FS in Windows Server Manager. This will ensure the integration sends Lightweight Directory Access Protocol (LDAP) attributes as claims.

  1. From Windows Server Manager, click Tools.
  2. Select AD FS Management.
  3. In the console tree under AD FS, click Relying Party Trusts.
  4. Right-click the Display name created in the previous step and select Edit Claim Issuance Policy.

Add First Rule

  1. From the Edit Claim Issuance Policy dialog box, under the Issuance Transform Rules tab, click Add Rule.
  2. From the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims from the list, and then click Next.
  3. On the Configure Rule page, set the following information and click Finish to complete the process and return to the Edit Claim Issuance Policy dialog box:
    • 1: Claim rule name: ClickUp LDAP
    • 2: Attribute store: Active Directory
    • 3: LDAP Attribute: E-Mail Address
    • 4: Outgoing Claim Type: E-Mail Address

Add Second Rule

  1. Click Add Rule to add a second Transform rule.
  2. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim from the list, and then click Next to proceed.
  3. On the Configure Claim Rule page, set the following information and click Finish to complete the process:
    • 1: Claim rule name: Transform email address as NameID
    • 2: Incoming claim type: E-Mail Address
    • 3: Outgoing claim type: NameID
    • 4: Outgoing name ID format: Email
    • 5: Select Pass through all claim values.
  4. From the Edit Claim Issuance Policy dialog box, click Apply to apply both rules.

Step 4: Export signing certificate

Now you’ll need to export your Signing Certificate from Windows Server Manager. This is often called the X509 certificate. This is used to verify your organization via your Identity Provider.

  1. From Windows Server Manager, click Tools and then select AD FS Management.
  2. Expand the Service folder and then select Certificates.
  3. Right-click the Token-signing certificate and select View Certificate.
  4. From the Certificate dialog box, click the Details tab.
  5. Click Copy to File.
  6. From the Certificate Export Wizard, click Next.
  7. Select Base-64 encoded X.509 (CER) and click Next.
  8. Name your certificate file adfsdomain.cer and click Next.
  9. Click Finish to export the certificate.

    Ensure the certificate is under the Signature tab and not the Encryption tab.

AD FS will export the certificate to your configured downloads folder.
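Steps 2 through 4 can also be done without the wizards. The script below is an added example (not ClickUp's or Microsoft's code) that creates the relying party trust, adds both claim rules in AD FS claim rule language, and exports the primary token-signing certificate as Base-64 X.509. It assumes AD FS 2016 or later (for the Permit everyone access control policy), an elevated PowerShell session on the AD FS server, and that clickup.cert from Step 1 is in the current folder; the two ClickUp values are placeholders you replace with what the ClickUp settings page shows.

```powershell
# Added example (not from the article): Steps 2-4 from an elevated PowerShell
# session on the AD FS server. Assumes AD FS 2016 or later and that
# clickup.cert from Step 1 sits in the current folder.
# Replace the two placeholders with the values shown in ClickUp.
$SingleSignOnUrl = '<Single sign on URL from ClickUp>'           # placeholder
$AudienceUrl     = '<Audience URL (SP Entity ID) from ClickUp>'  # placeholder
$TrustName       = 'ClickUp'

# Step 2: the wizard's "Configure Certificate" page is the optional token
# encryption certificate, so the SP Certificate from Step 1 is attached here.
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (
    (Resolve-Path '.\clickup.cert').Path)

# Assertion consumer endpoint = the Relying party SAML 2.0 service URL field.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $SingleSignOnUrl

# Step 3: the two rules the wizard creates, written in claim rule language.
# Rule 1 reads the "mail" LDAP attribute and issues it as an E-Mail Address
# claim; rule 2 maps that claim to a NameID in emailAddress format.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ClickUp LDAP"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform email address as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $AudienceUrl `
    -SamlEndpoint $acs `
    -EncryptionCertificate $spCert `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules

# Step 4: export the *primary* token-signing certificate (Signature, not
# Encryption) in the same Base-64 X.509 format the export wizard produces.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($signing.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path '.\adfsdomain.cer' -Value $pem -Encoding Ascii

# The remaining values Step 5 asks for, read from the federation service itself.
$props = Get-AdfsProperties
[pscustomobject]@{
    IdPEntityId     = $props.Identifier
    IdPSsoTargetUrl = "https://$($props.HostName)/adfs/ls/"
    SigningCertFile = (Resolve-Path '.\adfsdomain.cer').Path
    SigningThumb    = $signing.Thumbprint
}
```

The thumbprint printed at the end is worth recording: when AD FS rolls its token-signing certificate, sign-in to ClickUp stops until the new public certificate is pasted into Step 5 again, and comparing thumbprints is the quickest way to confirm that is the cause.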

Step 5: Complete the setup process in ClickUp

Now that you have everything set up in AD FS, you’ll need to add your AD FS details to ClickUp. For more information, see Custom SAML Single Sign-On.

  1. Click your Workspace's avatar and then click Settings.
  2. Select Security & Permissions.
  3. From the Single sign-on (SSO) section, select SAML.
  4. Add the following information from AD FS to ClickUp:
    1. IdP Entity ID: This lets ClickUp know which Identity Provider you are using.
    2. IdP SSO Target URL: ClickUp will use this link to connect to the Identity Provider when someone from your Organization attempts to log in via SAML SSO. For AD FS, it should look something like this: https://sso.yourdomain.tld/adfs/ls/
    3. IDP Signing Certificate: This is the certificate downloaded in Step 4.
      1. Open the text editor of your choice.
      2. Use the text editor to open the adfsdomain.cer file previously downloaded in Step 4.
      3. Copy the entire text value into our IDP Public Certificate section.

Troubleshooting tips

The "SAML response is not yet valid" error can be caused by the AD FS server clock being out of sync with the timestamp in the SAML response.

To resolve this you can either:

  • Update the AD FS server clock to the time zone of your ClickUp Workspace.
  • Run the PowerShell command below, which relaxes this check by allowing a 5-minute skew on the response's NotBefore time:

    Set-AdfsRelyingPartyTrust -TargetName Clickup -NotBeforeSkew 5
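Before widening the skew tolerance it is worth confirming the server's clock is actually being synchronised, since a trust that tolerates drift hides a clock problem rather than fixing it. The following is an added example (not part of the article) that checks Windows Time, resyncs, shows the current tolerance on the trust, and only then applies the 5-minute setting; it assumes the trust is named ClickUp and is run from an elevated session on the AD FS server.

```powershell
# Added example (not from the article): check clock health before relaxing
# the NotBefore check on the ClickUp relying party trust.
$TrustName = 'ClickUp'

# 1. Is the AD FS server syncing, and from which source? The output includes
#    the configured Source and the current Phase Offset.
w32tm /query /status

# 2. Force a resync against that source; a persistent error here means the
#    clock itself needs fixing and no skew setting will help.
w32tm /resync

# 3. Current tolerance on the trust (NotBeforeSkew is in minutes).
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, NotBeforeSkew, TokenLifetime

# 4. Allow 5 minutes of skew, the value the article suggests, then confirm it
#    was applied.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -NotBeforeSkew 5
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, NotBeforeSkew
```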
