Setting Up WS-Federation Services With SAML SSO For Plutora

Introduction

This article covers the setup procedure for WS-Federation Services with SAML. 

Plutora and Plutora Test both support SSO. Logging in or out of Plutora will also log the user in or out of Plutora Test. While logging out, do not close the browser window until the logging out process is complete.

Pre-requisite

Create an XML metadata file first.

Setting up WS-Federation Services with SAML on Plutora

To set up WS-Federation Services with SAML on Plutora:

  1. Go to Settings > Customization > Site Settings.
  2. Click Login Settings.
  3. Click to select the Enable SSO Login checkbox. Enable SSO Login makes the SSO Login button appear under the Plutora login form.
  4. Click to select the Use SAML Request checkbox.
  5. Click Submit.
    • The yellow Your changes have been saved pop up opens and closes.
    • If you click away from the Customization page without clicking Submit, your changes will not save.
    • Users who log into Plutora for the first time using SSO are granted access that depends on the Requestor User Role. Administrators must update their account to give them the access they need.
    • When making a bookmark to Plutora once SSO is set up, bookmark the direct link to Plutora (for example, https://companyname.plutora.com) rather than the IDP address (for example, https://idp-au.plutora.com/).

Setting Up Active Directory Federation Service (AD FS)

To set up AD FS so it can be used for Plutora with WS-Federation Services with SAML:

The following instructions assume that Active Directory and AD FS have already been installed on the server that will be your identity provider (IDP).

1a. Create an XML metadata file

First, create an XML metadata file.

1d. Troubleshooting

Mapping Issues

LDAP Attributes are mapped to Active Directory Attributes in the following way.

If you see one of the following error messages on the login page:

  • The email address you’re using is not a valid email address: Check that Active Directory Attribute mail has been set.
  • No surname: Check that Active Directory Attribute sn has been set.
  • No first name: Check that Active Directory Attribute givenName has been set.

User Issues

To check if the given name and surname of the users are present:

  1. Open AD FS on the server that has been set up to be the IDP.
  2. Go to Server Manager > Dashboard > Tools > Active Directory Users and Computers.
  3. Click a user name.
  4. Click the Attribute Editor tab (if it isn’t selected already).
  5. Check the following attributes of the user:
    • mail
    • sn
    • givenName
  6. To edit the attributes (if necessary):
    1. Click to select the attribute.
    2. Click Edit.
    3. Edit the attribute in the pop up.
    4. Click OK.
    5. Click Apply.
    6. Click OK.
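
To check the same three attributes across many accounts instead of opening each user in the Attribute Editor, the following added example (not part of the original article or of Plutora's tooling) lists enabled users whose mail, sn or givenName is empty. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read the directory; the e-mail shape check is a rough assumption, since the article does not define what Plutora accepts as a valid address.

```powershell
# Added example: audit AD users for the attributes named in the login errors above.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# The three Active Directory attributes the troubleshooting section refers to.
$required = 'mail', 'sn', 'givenName'

# Assumption: only enabled accounts matter. Add -SearchBase '<OU distinguished name>'
# to limit the audit to the OU that holds your Plutora users.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $required

$report = foreach ($u in $users) {
    # Attributes that are unset or blank for this user.
    $missing = @($required | Where-Object { [string]::IsNullOrWhiteSpace($u.$_) })

    # Rough shape check only (assumption): something@something.tld
    $badMail = $u.mail -and ($u.mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$')

    if ($missing.Count -gt 0 -or $badMail) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Missing           = $missing -join ', '
            MailLooksInvalid  = [bool]$badMail
            DistinguishedName = $u.DistinguishedName
        }
    }
}

# Accounts listed here are the ones likely to hit the mapping errors at SSO login.
$report | Sort-Object SamAccountName | Format-Table -AutoSize
```

The script only reads from the directory; fix any account it lists through the Attribute Editor steps above.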

Server Issues

If your company has more than one Active Directory server and an AD FS farm, ensure that they are all synced and working.

How does WS-Federation with SAML work?

WS-Federation with SAML has the following authentication steps:

  1. The user goes to the login page of the site.
  2. The site generates a SAML request, then redirects the user to the SSO Login URL.
  3. The SAML request goes to the identity provider, which verifies the user’s identity.
  4. The identity provider sends a SAML request inside a Request Security Token Response (RSTR) to the website.
  5. The website receives the response and logs the user in.
 
