Prerequisites
- AD FS 3.0 or later
  We require AD FS 3.0 or later. AD FS will need to be configured properly and publicly accessible from the Internet for XVWeb to use it for authentication. See Microsoft's AD FS Overview documentation for more details.
- Microsoft Server Manager
  https://docs.microsoft.com/en-us/windows-server/administration/server-manager/server-manager
- Planet DDS is unable to directly assist with the configuration or maintenance of your AD FS Server, MFA, Entra ID, or Entra Connect environments.
  We require that customers provide knowledgeable IT staff to manage these components. While Planet DDS will offer best-effort consultative guidance, it is expected that your internal IT team is familiar with AD FS and Entra ID and is equipped to support both the initial setup and ongoing maintenance of the necessary infrastructure.
Entra ID users
While we do not have direct integration with Entra ID available, Microsoft has provided a method of integrating Entra ID with your AD FS server environment via Entra Connect. Documentation from Microsoft can be found here:
Microsoft Entra Connect and federation - Microsoft Entra ID | Microsoft Learn
Procedures
- In Server Manager, add a new relying party trust and choose to enter data manually. See Microsoft documentation for more details.
- The display name can be anything. We recommend using “XVWeb” so that it will be easier to remember.
- Leave the certificate configuration blank. This will use the default AD FS certificates.
- Enable support for the WS-Federation Passive protocol.
- The URL will be:
  https://identity.xvweb.net/{Site_Name}.{Site_Hostname}/
  For example, if your XVWeb URL is mydentalpractice.xvweb.net, your URL would be below.
  https://identity.xvweb.net/mydentalpractice.xvweb.net/
- The WS-Federation Passive URL should already be listed in the relying party identifiers. If it is not, add it.
- You will also need to add an additional identifier:
- urn:{Site_Name}.{Site_Hostname}
For example, if your XVWeb URL is mydentalpractice.xvweb.net, your identifier would be below.
urn:mydentalpractice.xvweb.net
- Continue selecting Next until you have reached claims setup.
- Add a new rule. Select Send LDAP Attributes as Claims. Set up the rule as follows:
- Set up the role claims. These use “Send Group Membership as a Claim”, with the claim type set to "Role".
Valid roles (case sensitive) are:
- XvWebAdmins
- XVWebEdit
- XVWebQuery
- XVWebExport
- NOTE: In addition to this claim type being added, the Export > Email function in XVWeb requires AD users to have an associated email address specified in the Email field within their AD profile in order to function.
- XVWebCapture
- XVWebPrint
- XVWebShare (reserved for future development)
Example:
See XVWeb User Roles and Privileges for details.
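To confirm that the finished trust matches the settings in this procedure, a read-only PowerShell audit can be run on the AD FS server. This is an added example, not Planet DDS code. It assumes the trust display name is "XVWeb", uses the article's sample site name, and assumes the role rules were created with “Send Group Membership as a Claim” (so each rule lists Type followed by Value).

```powershell
# Added example: read-only audit of the XVWeb relying party trust. Run on the AD FS server.
# Assumed values: trust display name 'XVWeb' and the article's sample site name.
$TrustName   = 'XVWeb'
$Site        = 'mydentalpractice.xvweb.net'          # {Site_Name}.{Site_Hostname}
$ExpectedUrl = "https://identity.xvweb.net/$Site/"
$ExpectedIds = @($ExpectedUrl, "urn:$Site")
$ValidRoles  = 'XvWebAdmins','XVWebEdit','XVWebQuery','XVWebExport',
               'XVWebCapture','XVWebPrint','XVWebShare'   # spelled exactly as listed above
$RoleType    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party trust '$TrustName' not found." }

$findings = @()
if (-not $rp.Enabled) { $findings += 'Trust is disabled.' }

# The WS-Federation Passive endpoint must be the site-specific identity URL.
if ("$($rp.WSFedEndpoint)" -cne $ExpectedUrl) {
    $findings += "WS-Fed endpoint is '$($rp.WSFedEndpoint)', expected '$ExpectedUrl'."
}

# Both identifiers must be present; extra identifiers are reported for review.
foreach ($id in $ExpectedIds) {
    if ($rp.Identifier -cnotcontains $id) { $findings += "Missing identifier: $id" }
}
foreach ($id in $rp.Identifier) {
    if ($ExpectedIds -cnotcontains $id) { $findings += "Unexpected identifier: $id" }
}

# Pull every Role value issued by the claim rules and compare case-sensitively.
$pattern = 'Type\s*=\s*"' + [regex]::Escape($RoleType) + '"\s*,\s*Value\s*=\s*"([^"]*)"'
$issued  = [regex]::Matches("$($rp.IssuanceTransformRules)", $pattern) |
           ForEach-Object { $_.Groups[1].Value }
if (-not $issued) { $findings += 'No Role claims are issued by this trust.' }
foreach ($role in $issued) {
    if ($ValidRoles -ccontains $role) { continue }
    $near = $ValidRoles | Where-Object { $_ -ieq $role }
    if ($near) { $findings += "Role '$role' has wrong case; expected '$near'." }
    else       { $findings += "Role '$role' is not a valid XVWeb role." }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'XVWeb relying party trust matches the documented settings.' }
```

Replace the value of $Site with your own {Site_Name}.{Site_Hostname} before running.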
If you don't already have an open ticket regarding your switch to AD FS SSO, you can submit a new ticket here. Be sure to include the publicly available URL in your communication.
Article Version 1.1 06/26/2025